From 252283f2aaf139df7912a6dcb242b346268c4787 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 27 Sep 2022 07:54:16 -0400 Subject: [PATCH 01/58] Fix missing cipher mode dependencies Signed-off-by: Andrzej Kurek --- library/aes.c | 3 ++- tests/suites/test_suite_aes.function | 6 +++++- 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/library/aes.c b/library/aes.c
index 289890dbe1..7d035246f7 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -1690,7 +1690,8 @@ int mbedtls_aes_self_test( int verbose )
 unsigned char key[32];
 unsigned char buf[64];
 const unsigned char *aes_tests;
-#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_OFB)
 unsigned char iv[16];
 #endif
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function
index 10e53c2a4c..6a87d4294f 100644
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@@ -403,10 +403,14 @@ void aes_misc_params( )
 defined(MBEDTLS_CIPHER_MODE_XTS) || \
 defined(MBEDTLS_CIPHER_MODE_CFB) || \
 defined(MBEDTLS_CIPHER_MODE_OFB)
- mbedtls_aes_context aes_ctx;
 const unsigned char in[16] = { 0 };
 unsigned char out[16];
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || \
+ defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_OFB)
+mbedtls_aes_context aes_ctx;
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 mbedtls_aes_xts_context xts_ctx;
 #endif
From e40b92178d140f55e6e1a7292d337a107492d255 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 27 Sep 2022 09:21:39 -0400 Subject: [PATCH 02/58] Fix missing padding dependencies 
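Review bot: The re-added declaration `mbedtls_aes_context aes_ctx;` in the tests/suites/test_suite_aes.function hunk (`aes_misc_params`) appears to start at column 0, whereas the removed line and the neighbouring `in`/`out` declarations are indented inside the function body; I would indent it to match, `    mbedtls_aes_context aes_ctx;`. The new guard also carries no hint as to why XTS is left out of it, so a short comment such as `/* XTS builds use xts_ctx below; aes_ctx is only needed for CBC/CFB/OFB */` would help the next reader, assuming that is indeed the reason (xts_ctx is declared under its own guard right after). The body of `aes_misc_params` starts and continues outside the hunk, so the uses of `aes_ctx` cannot be checked against this guard from here.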
Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_cipher.aria.data | 2 +- tests/suites/test_suite_cipher.camellia.data | 90 +++++++------- tests/suites/test_suite_cipher.des.data | 120 +++++++++---------- tests/suites/test_suite_pkcs5.data | 4 +- 4 files changed, 108 insertions(+), 108 deletions(-) diff --git a/tests/suites/test_suite_cipher.aria.data b/tests/suites/test_suite_cipher.aria.data index c1e19909bc..3f011e889b 100644 --- a/tests/suites/test_suite_cipher.aria.data +++ b/tests/suites/test_suite_cipher.aria.data @@ -1,5 +1,5 @@ Aria CBC Decrypt empty buffer -depends_on:MBEDTLS_ARIA_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 dec_empty_buf:MBEDTLS_CIPHER_ARIA_128_CBC:0:0 ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 0 bytes diff --git a/tests/suites/test_suite_cipher.camellia.data b/tests/suites/test_suite_cipher.camellia.data index 31fe92286f..df4ebcc1b6 100644 --- a/tests/suites/test_suite_cipher.camellia.data +++ b/tests/suites/test_suite_cipher.camellia.data 
@@ -67,183 +67,183 @@ depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKC enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:49:-1 CAMELLIA Encrypt and decrypt 0 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:0:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 1 byte with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:1:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 2 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:2:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 7 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:7:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 8 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:8:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 9 bytes with one and zeros padding 
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:9:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 15 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:15:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 16 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:16:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 17 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:17:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 31 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:31:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 32 bytes with one and zeros padding [#1] -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:32:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA 
Encrypt and decrypt 32 bytes with one and zeros padding [#2] -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:33:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 47 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:47:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 48 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:48:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 49 bytes with one and zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:49:MBEDTLS_PADDING_ONE_AND_ZEROS CAMELLIA Encrypt and decrypt 0 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:0:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 1 byte with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 
enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:1:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 2 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:2:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 7 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:7:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 8 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:8:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 9 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:9:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 15 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:15:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 16 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:16:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 17 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:17:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 31 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:31:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 32 bytes with zeros and len padding [#1] -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:32:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 32 bytes with zeros and len padding [#2] -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:33:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 47 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:47:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 48 bytes with zeros and len padding 
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:48:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 49 bytes with zeros and len padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:49:MBEDTLS_PADDING_ZEROS_AND_LEN CAMELLIA Encrypt and decrypt 0 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:0:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 1 byte with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:1:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 2 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:2:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 7 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:7:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 8 bytes with zeros padding 
-depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:8:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 9 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:9:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 15 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:15:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 16 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:16:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 17 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:17:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 31 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:31:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 32 bytes with zeros padding [#1] -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:32:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 32 bytes with zeros padding [#2] -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:33:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 47 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:47:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 48 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:48:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 49 bytes with zeros padding -depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CBC:"CAMELLIA-128-CBC":128:49:MBEDTLS_PADDING_ZEROS CAMELLIA Encrypt and decrypt 0 bytes with no padding diff --git a/tests/suites/test_suite_cipher.des.data b/tests/suites/test_suite_cipher.des.data index 9410262e68..77f7515b94 100644 --- a/tests/suites/test_suite_cipher.des.data +++ b/tests/suites/test_suite_cipher.des.data 
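Review bot: The cases titled `... 32 bytes with ... padding [#2]` in this hunk pass a length of 33 to `enc_dec_buf`, so the description does not say what actually runs; the same mismatch is present in the `[#2]` cases of the tests/suites/test_suite_cipher.des.data hunk that follows. Since the commit already touches the `depends_on` line of each of these entries, it would be a good moment to rename them, e.g. `CAMELLIA Encrypt and decrypt 33 bytes with one and zeros padding`, and to drop the then-unneeded `[#1]` suffix from the genuine 32-byte cases. Accurate titles matter here because a skipped or failing padding case is identified in the test report only by this description. The hunk also ends on the first "no padding" title, so whether the Camellia no-padding cases still list `MBEDTLS_CIPHER_PADDING_PKCS7` (as the DES ones did before this commit) cannot be seen from here and is worth a quick check.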
@@ -71,243 +71,243 @@ depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:49:-1 DES Encrypt and decrypt 0 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:0:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 1 byte with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:1:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 2 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:2:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 7 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:7:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 8 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:8:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 9 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:9:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and 
decrypt 15 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:15:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 16 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:16:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 17 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:17:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 31 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:31:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 32 bytes with one and zeros padding [#1] -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:32:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 32 bytes with one and zeros padding [#2] -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:33:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 47 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 
+depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:47:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 48 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:48:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 49 bytes with one and zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:49:MBEDTLS_PADDING_ONE_AND_ZEROS DES Encrypt and decrypt 0 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:0:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 1 byte with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:1:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 2 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:2:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 7 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 
enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:7:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 8 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:8:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 9 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:9:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 15 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:15:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 16 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:16:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 17 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:17:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 31 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:31:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 32 bytes with zeros and len padding [#1] 
-depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:32:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 32 bytes with zeros and len padding [#2] -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:33:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 47 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:47:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 48 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:48:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 49 bytes with zeros and len padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:49:MBEDTLS_PADDING_ZEROS_AND_LEN DES Encrypt and decrypt 0 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:0:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 1 byte with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS 
enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:1:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 2 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:2:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 7 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:7:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 8 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:8:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 9 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:9:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 15 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:15:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 16 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:16:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 17 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS 
enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:17:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 31 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:31:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 32 bytes with zeros padding [#1] -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:32:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 32 bytes with zeros padding [#2] -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:33:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 47 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:47:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 48 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:48:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 49 bytes with zeros padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_ZEROS enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:49:MBEDTLS_PADDING_ZEROS DES Encrypt and decrypt 0 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC 
enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:0:MBEDTLS_PADDING_NONE DES Encrypt and decrypt 8 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:8:MBEDTLS_PADDING_NONE DES Encrypt and decrypt 16 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:16:MBEDTLS_PADDING_NONE DES Encrypt and decrypt 32 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:32:MBEDTLS_PADDING_NONE DES Encrypt and decrypt 48 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_dec_buf:MBEDTLS_CIPHER_DES_CBC:"DES-CBC":64:48:MBEDTLS_PADDING_NONE DES Try encrypting 1 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:1:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 2 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:2:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 7 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:7:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 9 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 
+depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:9:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 15 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:15:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 17 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:17:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 31 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:31:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 33 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:33:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 47 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:47:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Try encrypting 49 bytes with no padding -depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC enc_fail:MBEDTLS_CIPHER_DES_CBC:MBEDTLS_PADDING_NONE:64:49:MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED DES Encrypt and decrypt 0 bytes in multiple parts diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index 3f78b886c1..5c6df7ce5d 100644 --- a/tests/suites/test_suite_pkcs5.data 
+++ b/tests/suites/test_suite_pkcs5.data 
@@ -203,11 +203,11 @@ depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301306082A864886F70D030704078A4FCC9DCC3949":"":"":MBEDTLS_ERR_PKCS5_INVALID_FORMAT:"" PBES2 Decrypt (bad password) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"F0617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FD980E1C5741FC0DB7":MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060606" PBES2 Decrypt (bad iter value) -depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 mbedtls_pkcs5_pbes2:MBEDTLS_ASN1_CONSTRUCTED | 
MBEDTLS_ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020801301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FD980E1C5741FC0DB7":MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060606" PKCS#5 Selftest From b39e3ecee6ea06f3bf3b9751c93add1788541cbe Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 08:50:20 +0100 Subject: [PATCH 03/58] New script to exercise compilation options Unify curves.pl, key-exchanges.pl, depends-pkalgs.pl and depends-hashes.pl into a single, newly-written script. For curves, key exchanges and hashes, in addition to testing all-but-one settings in the group like the old scripts, also run the tests with a single option in the group. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 346 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 346 insertions(+) create mode 100755 tests/scripts/depends.py diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py new file mode 100755 index 0000000000..521bbc5641 --- /dev/null +++ b/tests/scripts/depends.py 
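Review bot: The two PBES2 cases that gain `MBEDTLS_CIPHER_PADDING_PKCS7` ("bad password" and "bad iter value") both expect `MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH`, but nothing in the data file says why that result needs PKCS7. Presumably the mismatch is only detected through the padding check on the decrypted data, in which case a build without PKCS7 now skips these cases instead of showing that a wrong password is rejected. A comment line above each case, such as `# PASSWORD_MISMATCH is detected through the PKCS7 padding check`, would stop the dependency from being dropped later. It is also worth confirming separately what mbedtls_pkcs5_pbes2 returns for a wrong password in such a build.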
@@ -0,0 +1,346 @@ +#!/usr/bin/env python3 + +# Copyright (c) 2018, Arm Limited, All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + +"""Test Mbed TLS with a subset of algorithms. +""" + +import argparse +import os +import re +import shutil +import subprocess +import sys +import traceback + +def log_line(text, prefix='depends.py'): + """Print a status message.""" + sys.stderr.write(prefix + ' ' + text + '\n') + +def backup_config(options): + """Back up the library configuration file (config.h).""" + shutil.copy(options.config, options.config_backup) + +def restore_config(options, done=False): + """Restore the library configuration file (config.h). +If done is true, remove the backup file.""" + if done: + shutil.move(options.config_backup, options.config) + else: + shutil.copy(options.config_backup, options.config) + +class Job: + """A job builds the library in a specific configuration and runs some tests.""" + def __init__(self, name, config_settings, commands): + """Build a job object. +The job uses the configuration described by config_settings. This is a +dictionary where the keys are preprocessor symbols and the values are +booleans or strings. A boolean indicates whether or not to #define the +symbol. With a string, the symbol is #define'd to that value. +After setting the configuration, the job runs the programs specified by +commands. 
This is a list of lists of strings; each list of string is a +command name and its arguments and is passed to subprocess.call with +shell=False.""" + self.name = name + self.config_settings = config_settings + self.commands = commands + + def announce(self, what): + '''Announce the start or completion of a job. +If what is None, announce the start of the job. +If what is True, announce that the job has passed. +If what is False, announce that the job has failed.''' + if what is True: + log_line(self.name + ' PASSED') + elif what is False: + log_line(self.name + ' FAILED') + else: + log_line('starting ' + self.name) + + def trace_command(self, cmd): + '''Print a trace of the specified command. +cmd is a list of strings: a command name and its arguments.''' + log_line(' '.join(cmd), prefix='+') + + def configure(self, config_file_name): + '''Set library configuration options as required for the job. +config_file_name indicates which file to modify.''' + for key, value in sorted(self.config_settings.items()): + if value is True: + args = ['set', key] + elif value is False: + args = ['unset', key] + else: + args = ['set', key, value] + cmd = ['scripts/config.pl'] + if config_file_name != 'include/mbedtls/config.h': + cmd += ['--file', config_file_name] + cmd += args + self.trace_command(cmd) + subprocess.check_call(cmd) + + def test(self, options): + '''Run the job's build and test commands. +Return True if all the commands succeed and False otherwise. +If options.keep_going is false, stop as soon as one command fails. 
Otherwise +run all the commands, except that if the first command fails, none of the +other commands are run (typically, the first command is a build command +and subsequent commands are tests that cannot run if the build failed).''' + built = False + success = True + for command in self.commands: + self.trace_command(command) + ret = subprocess.call(command) + if ret != 0: + if command[0] not in ['make', options.make_command]: + log_line('*** [{}] Error {}'.format(' '.join(command), ret)) + if not options.keep_going or not built: + return False + success = False + built = True + return success + +# SSL/TLS versions up to 1.1 and corresponding options. These require +# both MD5 and SHA-1. +ssl_pre_1_2_dependencies = ['MBEDTLS_SSL_CBC_RECORD_SPLITTING', + 'MBEDTLS_SSL_PROTO_SSL3', + 'MBEDTLS_SSL_PROTO_TLS1', + 'MBEDTLS_SSL_PROTO_TLS1_1'] + +# If the configuration option A requires B, make sure that +# B in reverse_dependencies[A]. +reverse_dependencies = { + 'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], + 'MBEDTLS_ECP_C': ['MBEDTLS_ECDSA_C', + 'MBEDTLS_ECDH_C', + 'MBEDTLS_ECJPAKE_C', + 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], + 'MBEDTLS_MD5_C': ssl_pre_1_2_dependencies, + 'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'], + 'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED'], + 'MBEDTLS_RSA_C': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT', + 'MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED'], + 'MBEDTLS_SHA1_C': ssl_pre_1_2_dependencies, + 'MBEDTLS_X509_RSASSA_PSS_SUPPORT': [], +} + +def turn_off_dependencies(config_settings): + 
"""For every option turned off config_settings, also turn off what depends on it. +An option O is turned off if config_settings[O] is False.""" + for key, value in sorted(config_settings.items()): + if value is not False: + continue + for dep in reverse_dependencies.get(key, []): + config_settings[dep] = False + +class Domain: + """A domain is a set of jobs that all relate to a particular configuration aspect.""" + pass + +class ExclusiveDomain(Domain): + """A domain consisting of a set of conceptually-equivalent settings. +Establish a list of configuration symbols. For each symbol, run a test job +with this symbol set and the others unset, and a test job with this symbol +unset and the others set.""" + def __init__(self, symbols, commands): + self.jobs = [] + for invert in [False, True]: + base_config_settings = {} + for symbol in symbols: + base_config_settings[symbol] = invert + for symbol in symbols: + description = '!' + symbol if invert else symbol + config_settings = base_config_settings.copy() + config_settings[symbol] = not invert + turn_off_dependencies(config_settings) + job = Job(description, config_settings, commands) + self.jobs.append(job) + +class ComplementaryDomain: + """A domain consisting of a set of loosely-related settings. +Establish a list of configuration symbols. For each symbol, run a test job +with this symbol unset.""" + def __init__(self, symbols, commands): + self.jobs = [] + for symbol in symbols: + description = '!' + symbol + config_settings = {symbol: False} + turn_off_dependencies(config_settings) + job = Job(description, config_settings, commands) + self.jobs.append(job) + +class DomainData: + """Collect data about the library.""" + def collect_config_symbols(self, options): + """Read the list of settings from config.h. 
+Return them in a generator.""" + with open(options.config) as config_file: + rx = re.compile(r'\s*(?://\s*)?#define\s+(\w+)\s*(?:$|/[/*])') + for line in config_file: + m = re.match(rx, line) + if m: + yield m.group(1) + + def config_symbols_matching(self, regexp): + """List the config.h settings matching regexp.""" + return [symbol for symbol in self.all_config_symbols + if re.match(regexp, symbol)] + + def __init__(self, options): + """Gather data about the library and establish a list of domains to test.""" + build_command = [options.make_command, 'CFLAGS=-Werror'] + build_and_test = [build_command, [options.make_command, 'test']] + self.all_config_symbols = set(self.collect_config_symbols(options)) + # Find hash modules by name. + hash_symbols = self.config_symbols_matching(r'MBEDTLS_(MD|RIPEMD|SHA)[0-9]+_C\Z') + # Find elliptic curve enabling macros by name. + curve_symbols = self.config_symbols_matching(r'MBEDTLS_ECP_DP_\w+_ENABLED\Z') + # Find key exchange enabling macros by name. + key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') + self.domains = { + # Elliptic curves. Run the test suites. + 'curves': ExclusiveDomain(curve_symbols, build_and_test), + # Hash algorithms. Exclude configurations with only one + # hash which is obsolete. Run the test suites. + 'hashes': ExclusiveDomain(hash_symbols, build_and_test), + # Key exchange types. Just check the build. + 'kex': ExclusiveDomain(key_exchange_symbols, [build_command]), + # Public-key algorithms. Run the test suites. + 'pkalgs': ComplementaryDomain(['MBEDTLS_ECDSA_C', + 'MBEDTLS_ECP_C', + 'MBEDTLS_PKCS1_V21', + 'MBEDTLS_PKCS1_V15', + 'MBEDTLS_RSA_C', + 'MBEDTLS_X509_RSASSA_PSS_SUPPORT'], + build_and_test), + } + self.jobs = {} + for domain in self.domains.values(): + for job in domain.jobs: + self.jobs[job.name] = job + + def get_jobs(self, name): + """Return the list of jobs identified by the given name. 
+A name can either be the name of a domain or the name of one specific job.""" + if name in self.domains: + return sorted(self.domains[name].jobs, key=lambda job: job.name) + else: + return [self.jobs[name]] + +def run(options, job): + """Run the specified job (a Job instance).""" + subprocess.check_call([options.make_command, 'clean']) + job.announce(None) + job.configure(options.config) + success = job.test(options) + job.announce(success) + return success + +def main(options, domain_data): + """Run the desired jobs. +domain_data should be a DomainData instance that describes the available +domains and jobs. +Run the jobs listed in options.domains.""" + if not hasattr(options, 'config_backup'): + options.config_backup = options.config + '.bak' + jobs = [] + failures = [] + successes = [] + for name in options.domains: + jobs += domain_data.get_jobs(name) + backup_config(options) + try: + for job in jobs: + success = run(options, job) + if not success: + if options.keep_going: + failures.append(job.name) + else: + return False + else: + successes.append(job.name) + restore_config(options) + finally: + if options.keep_going: + restore_config(options, True) + if failures: + if successes: + log_line('{} passed; {} FAILED'.format(' '.join(successes), + ' '.join(failures))) + else: + log_line('{} FAILED'.format(' '.join(failures))) + return False + else: + log_line('{} passed'.format(' '.join(successes))) + return True + + +if __name__ == '__main__': + try: + parser = argparse.ArgumentParser(description=__doc__) + parser.add_argument('-c', '--config', metavar='FILE', + help='Configuration file to modify', + default='include/mbedtls/config.h') + parser.add_argument('-C', '--directory', metavar='DIR', + help='Change to this directory before anything else', + default='.') + parser.add_argument('-k', '--keep-going', + help='Try all configurations even if some fail (default)', + action='store_true', dest='keep_going', default=True) + parser.add_argument('-e', 
'--no-keep-going', + help='Stop as soon as a configuration fails', + action='store_false', dest='keep_going') + parser.add_argument('--list-jobs', + help='List supported jobs and exit', + action='append_const', dest='list', const='jobs') + parser.add_argument('--list-domains', + help='List supported domains and exit', + action='append_const', dest='list', const='domains') + parser.add_argument('--make-command', metavar='CMD', + help='Command to run instead of make (e.g. gmake)', + action='store', default='make') + parser.add_argument('domains', metavar='DOMAIN', nargs='*', + help='The domain(s) to test (default: all)', + default=True) + options = parser.parse_args() + os.chdir(options.directory) + domain_data = DomainData(options) + if options.domains == True: + options.domains = sorted(domain_data.domains.keys()) + if options.list: + for what in options.list: + for key in sorted(getattr(domain_data, what).keys()): + print(key) + exit(0) + else: + sys.exit(0 if main(options, domain_data) else 1) + except SystemExit: + raise + except: + traceback.print_exc() + exit(3) From 46c8256547086b8516688a46a98c106f99975b11 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 18:42:55 +0100 Subject: [PATCH 04/58] Flush log output after each line Otherwise the output can be out of order when redirected. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 521bbc5641..f18b94be42 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -31,6 +31,7 @@ import traceback def log_line(text, prefix='depends.py'): """Print a status message.""" sys.stderr.write(prefix + ' ' + text + '\n') + sys.stderr.flush() def backup_config(options): """Back up the library configuration file (config.h).""" From 54aa5c695793c8b9f9cf76bed9c7dcdcf7d37edd Mon Sep 17 00:00:00 2001 
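Review bot: `DomainData.get_jobs` in the new depends.py falls through to `self.jobs[name]` for any name that is not a domain, so a mistyped DOMAIN argument surfaces as a `KeyError` traceback and exit status 3 from the catch-all `except:` at the bottom of the script, which looks the same as an internal failure. Validating the names right after `DomainData(options)` is built, with `parser.error('unknown domain or job: ' + name)` for any name found in neither `domain_data.domains` nor `domain_data.jobs`, turns this into a usage error. The same `__main__` block calls the site-provided `exit()` in two places where `sys.exit()` is used next to it, and `options.domains == True` would read better as `options.domains is True`.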
From: Gilles Peskine Date: Tue, 29 Jan 2019 18:46:34 +0100 Subject: [PATCH 05/58] Factor running config.pl into its own function Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index f18b94be42..6c55676c7f 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -33,6 +33,11 @@ def log_line(text, prefix='depends.py'): sys.stderr.write(prefix + ' ' + text + '\n') sys.stderr.flush() +def log_command(cmd): + """Print a trace of the specified command. +cmd is a list of strings: a command name and its arguments.""" + log_line(' '.join(cmd), prefix='+') + def backup_config(options): """Back up the library configuration file (config.h).""" shutil.copy(options.config, options.config_backup) @@ -44,6 +49,14 @@ If done is true, remove the backup file.""" shutil.move(options.config_backup, options.config) else: shutil.copy(options.config_backup, options.config) +def run_config_pl(options, args): + """Run scripts/config.pl with the specified arguments.""" + cmd = ['scripts/config.pl'] + if options.config != 'include/mbedtls/config.h': + cmd += ['--file', options.config] + cmd += args + log_command(cmd) + subprocess.check_call(cmd) class Job: """A job builds the library in a specific configuration and runs some tests.""" @@ -73,12 +86,8 @@ If what is False, announce that the job has failed.''' else: log_line('starting ' + self.name) - def trace_command(self, cmd): - '''Print a trace of the specified command. -cmd is a list of strings: a command name and its arguments.''' - log_line(' '.join(cmd), prefix='+') - def configure(self, config_file_name): + def configure(self, options): '''Set library configuration options as required for the job. config_file_name indicates which file to modify.''' for key, value in sorted(self.config_settings.items()): 
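Review bot: `Job.configure` now takes `options`, but its docstring, the context line directly after the new signature in the `@@ -73,12 +86,8 @@` hunk, still reads `config_file_name indicates which file to modify.` and no longer names a real parameter. It should become something like `options.config names the file to modify.` so the docstring matches the signature and `run_config_pl`. The body of `configure` continues in the next hunk.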
@@ -88,12 +97,7 @@ config_file_name indicates which file to modify.''' args = ['unset', key] else: args = ['set', key, value] - cmd = ['scripts/config.pl'] - if config_file_name != 'include/mbedtls/config.h': - cmd += ['--file', config_file_name] - cmd += args - self.trace_command(cmd) - subprocess.check_call(cmd) + run_config_pl(options, args) def test(self, options): '''Run the job's build and test commands. @@ -105,7 +109,7 @@ and subsequent commands are tests that cannot run if the build failed).''' built = False success = True for command in self.commands: - self.trace_command(command) + log_command(command) ret = subprocess.call(command) if ret != 0: if command[0] not in ['make', options.make_command]: @@ -257,7 +261,7 @@ def run(options, job): """Run the specified job (a Job instance).""" subprocess.check_call([options.make_command, 'clean']) job.announce(None) - job.configure(options.config) + job.configure(options) success = job.test(options) job.announce(success) return success From 0fa7cbeeb9e2ebbffcea64adec8aea0acab7c0cb Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 18:48:48 +0100 Subject: [PATCH 06/58] Add basic support for colored output Show "pass" lines in green and "fail" lines in red. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 51 +++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 9 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 6c55676c7f..433f352757 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -28,9 +28,38 @@ import subprocess import sys import traceback -def log_line(text, prefix='depends.py'): +class Colors: + """Minimalistic support for colored output. +Each field of an object of this class is either None if colored output +is not possible or not desired, or a pair of strings (start, stop) such +that outputting start switches the text color to the desired color and +stop switches the text color back to the default.""" + red = None + green = None + bold_red = None + bold_green = None + def __init__(self, options=None): + if not options or options.color in ['no', 'never']: + want_color = False + elif options.color in ['yes', 'always']: + want_color = True + else: + want_color = sys.stderr.isatty() + if want_color: + # Assume ANSI compatible terminal + normal = '\033[0m' + self.red = ('\033[31m', normal) + self.green = ('\033[32m', normal) + self.bold_red = ('\033[1;31m', normal) + self.bold_green = ('\033[1;32m', normal) +NO_COLORS = Colors(None) + +def log_line(text, prefix='depends.py:', suffix='', color=None): """Print a status message.""" - sys.stderr.write(prefix + ' ' + text + '\n') + if color != None: + prefix = color[0] + prefix + suffix = suffix + color[1] + sys.stderr.write(prefix + ' ' + text + suffix + '\n') sys.stderr.flush() def log_command(cmd): @@ -74,15 +103,15 @@ shell=False.""" self.config_settings = config_settings self.commands = commands - def announce(self, what): + def announce(self, colors, what): '''Announce the start or completion of a job. If what is None, announce the start of the job. If what is True, announce that the job has passed. If what is False, announce that the job has failed.''' if what is True: - log_line(self.name + ' PASSED') + log_line(self.name + ' PASSED', color=colors.green) elif what is False: - log_line(self.name + ' FAILED') + log_line(self.name + ' FAILED', color=colors.red) else: log_line('starting ' + self.name) 
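Review bot: In the rewritten `log_line`, the default `prefix` changes from `'depends.py'` to `'depends.py:'`, which alters every status line the script prints and is not mentioned in the commit message. Anything that filters the log on the old prefix would need updating, so the change deserves a line in the description or its own commit. The same function tests `if color != None:`, where `if color is not None:` is the idiomatic identity check. `Colors.__init__` also accepts `'yes'` and `'no'`, which the `--color` choices added later in this patch never produce; either list them in `choices` or drop them.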
@@ -257,13 +286,13 @@ A name can either be the name of a domain or the name of one specific job.""" else: return [self.jobs[name]] -def run(options, job): +def run(options, job, colors=NO_COLORS): """Run the specified job (a Job instance).""" subprocess.check_call([options.make_command, 'clean']) - job.announce(None) + job.announce(colors, None) job.configure(options) success = job.test(options) - job.announce(success) + job.announce(colors, success) return success def main(options, domain_data): @@ -273,6 +302,7 @@ domains and jobs. Run the jobs listed in options.domains.""" if not hasattr(options, 'config_backup'): options.config_backup = options.config + '.bak' + colors = Colors(options) jobs = [] failures = [] successes = [] @@ -281,7 +311,7 @@ Run the jobs listed in options.domains.""" backup_config(options) try: for job in jobs: - success = run(options, job) + success = run(options, job, colors=colors) if not success: if options.keep_going: failures.append(job.name) @@ -308,6 +338,9 @@ Run the jobs listed in options.domains.""" if __name__ == '__main__': try: parser = argparse.ArgumentParser(description=__doc__) + parser.add_argument('--color', metavar='WHEN', + help='Colorize the output (always/auto/never)', + choices=['always', 'auto', 'never'], default='auto') parser.add_argument('-c', '--config', metavar='FILE', help='Configuration file to modify', default='include/mbedtls/config.h') From e85163bb5c466d25b1a7cb915ff1731afd2dadfc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 18:50:03 +0100 Subject: [PATCH 07/58] Simplify final passed/failed reporting Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 433f352757..5c4cb502b2 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -323,15 +323,12 @@ Run the jobs listed in options.domains.""" finally: if options.keep_going: restore_config(options, True) + if successes: + log_line('{} passed'.format(' '.join(successes)), color=colors.bold_green) if failures: - if successes: - log_line('{} passed; {} FAILED'.format(' '.join(successes), - ' '.join(failures))) - else: - log_line('{} FAILED'.format(' '.join(failures))) + log_line('{} FAILED'.format(' '.join(failures)), color=colors.bold_red) return False else: - log_line('{} passed'.format(' '.join(successes))) return True From bf7537d0a9faea3cd087bb2f2f1a16de3b06a84c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 18:52:16 +0100 Subject: [PATCH 08/58] Use the full config as the baseline for all jobs Start each job from the full config minus some memory management settings and the job-specific settings. The original content of config.h no longer influences the configurations used for the jobs (but it still influences what jobs may run, in that the set of jobs is partly built by parsing #define and //#define lines in config.h). Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 5c4cb502b2..daae6b057a 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -68,16 +68,23 @@ cmd is a list of strings: a command name and its arguments.""" log_line(' '.join(cmd), prefix='+') def backup_config(options): - """Back up the library configuration file (config.h).""" - shutil.copy(options.config, options.config_backup) + """Back up the library configuration file (config.h). +If the backup file already exists, it is presumed to be the desired backup, +so don't make another backup.""" + if os.path.exists(options.config_backup): + options.own_backup = False + else: + options.own_backup = True + shutil.copy(options.config, options.config_backup) -def restore_config(options, done=False): +def restore_config(options): """Restore the library configuration file (config.h). -If done is true, remove the backup file.""" - if done: +Remove the backup file if it was saved earlier.""" + if options.own_backup: shutil.move(options.config_backup, options.config) else: shutil.copy(options.config_backup, options.config) + def run_config_pl(options, args): """Run scripts/config.pl with the specified arguments.""" cmd = ['scripts/config.pl'] 
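Review bot: `backup_config` now treats any existing `options.config_backup` as the desired backup, so a stale `.bak` left by an interrupted or unrelated earlier run is copied over the configuration file by `restore_config` at the end. That silently replaces whatever the developer had in `config.h` when this run started. At minimum the `os.path.exists` branch should say so, e.g. `log_line('reusing existing backup ' + options.config_backup)`, so the overwrite is visible in the output. `restore_config` also reads `options.own_backup`, which exists only after `backup_config` has run; a sentence in its docstring stating that precondition would help.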
@@ -115,10 +122,21 @@ If what is False, announce that the job has failed.''' else: log_line('starting ' + self.name) + def set_reference_config(self, options): + """Change the library configuration file (config.h) to the reference state. + The reference state is the one from which the tested configurations are + derived.""" + # Turn off memory management options that are not relevant to + # the tests and slow them down. + run_config_pl(options, ['full']) + run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BACKTRACE']) + run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BUFFER_ALLOC_C']) + run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_DEBUG']) def configure(self, options): '''Set library configuration options as required for the job. config_file_name indicates which file to modify.''' + self.set_reference_config(options) for key, value in sorted(self.config_settings.items()): if value is True: args = ['set', key] @@ -319,10 +337,14 @@ Run the jobs listed in options.domains.""" return False else: successes.append(job.name) - restore_config(options) - finally: + restore_config(options) + except: + # Restore the configuration, except in stop-on-error mode if there + # was an error, where we leave the failing configuration up for + # developer convenience. if options.keep_going: - restore_config(options, True) + restore_config(options) + raise if successes: log_line('{} passed'.format(' '.join(successes)), color=colors.bold_green) if failures: From b1284cf6bc6b33f1ae6650b8fb0c5f74addc392b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 18:56:03 +0100 Subject: [PATCH 09/58] Don't test builds with only deprecated hashes Don't try to build with only SHA-1 or with only RIPEMD160 or with only MD{2,4,5}. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index daae6b057a..f0f09f198e 100755 
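Review bot: The bare `except:` in the job loop also catches `KeyboardInterrupt`, so interrupting a stop-on-error run leaves the job's configuration in the config file although no job failed, while the comment only speaks of "an error". If that is intended, say so in the comment, for example `# This includes an interrupted run (KeyboardInterrupt).`. The `return False` path for a failing job has the same effect and is also worth naming there. The enclosing function starts outside this hunk.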
--- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -219,7 +219,14 @@ class ExclusiveDomain(Domain): Establish a list of configuration symbols. For each symbol, run a test job with this symbol set and the others unset, and a test job with this symbol unset and the others set.""" - def __init__(self, symbols, commands): + def __init__(self, symbols, commands, exclude=None): + """Build a domain for the specified list of configuration symbols. +The domain contains two sets of jobs: jobs that enable one of the elements +of symbols and disable the others, and jobs that disable one of the elements +of symbols and enable the others. +Each job runs the specified commands. +If exclude is a regular expression, skip generated jobs whose description +would match this regular expression.""" self.jobs = [] for invert in [False, True]: base_config_settings = {} @@ -227,6 +234,8 @@ unset and the others set.""" base_config_settings[symbol] = invert for symbol in symbols: description = '!' + symbol if invert else symbol + if exclude and re.match(exclude, description): + continue config_settings = base_config_settings.copy() config_settings[symbol] = not invert turn_off_dependencies(config_settings) @@ -238,6 +247,9 @@ class ComplementaryDomain: Establish a list of configuration symbols. For each symbol, run a test job with this symbol unset.""" def __init__(self, symbols, commands): + """Build a domain for the specified list of configuration symbols. +Each job in the domain disables one of the specified symbols. +Each job runs the specified commands.""" self.jobs = [] for symbol in symbols: description = '!' + symbol 
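Review bot: The new `exclude` docstring in `ExclusiveDomain.__init__` says jobs are skipped when the description "would match" the expression, but the check added in the following hunk is `re.match(exclude, description)`, which only matches at the start of the string. Because inverted jobs are described as `'!' + symbol`, a pattern that starts with `MBEDTLS_` never excludes them; that appears to be the intent, but it is implicit. I would state it in the docstring: `The expression is matched at the start of the description, so a pattern starting with a symbol name does not affect the '!SYMBOL' jobs.`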
@@ -279,7 +291,8 @@ Return them in a generator.""" 'curves': ExclusiveDomain(curve_symbols, build_and_test), # Hash algorithms. Exclude configurations with only one # hash which is obsolete. Run the test suites. - 'hashes': ExclusiveDomain(hash_symbols, build_and_test), + 'hashes': ExclusiveDomain(hash_symbols, build_and_test, + exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_)'), # Key exchange types. Just check the build. 'kex': ExclusiveDomain(key_exchange_symbols, [build_command]), # Public-key algorithms. Run the test suites. From 584c24ace481a7b71a7051e930b1f3d57d47235e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 19:30:40 +0100 Subject: [PATCH 10/58] Declare more reverse dependencies Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index f0f09f198e..27c2ae48b3 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -176,16 +176,22 @@ ssl_pre_1_2_dependencies = ['MBEDTLS_SSL_CBC_RECORD_SPLITTING', # If the configuration option A requires B, make sure that # B in reverse_dependencies[A]. +# All the information here should be contained in check_config.h. This +# file includes a copy because it changes rarely and it would be a pain +# to extract automatically. reverse_dependencies = { 'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], 'MBEDTLS_ECP_C': ['MBEDTLS_ECDSA_C', 'MBEDTLS_ECDH_C', 'MBEDTLS_ECJPAKE_C', + 'MBEDTLS_ECP_RESTARTABLE', + 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], + 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_MD5_C': ssl_pre_1_2_dependencies, 'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED', @@ -198,6 +204,8 @@ reverse_dependencies = { 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED'], 'MBEDTLS_SHA1_C': ssl_pre_1_2_dependencies, + 'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', + 'MBEDTLS_ENTROPY_FORCE_SHA256'], 'MBEDTLS_X509_RSASSA_PSS_SUPPORT': [], } From c3b4deeb6ccac09eca55bc83a538ebdd5dca83c8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 19:33:05 +0100 Subject: [PATCH 11/58] When exercising key exchanges, don't build the test suites Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 27c2ae48b3..3ef3f20ed8 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -301,9 +301,11 @@ Return them in a generator.""" # hash which is obsolete. Run the test suites. 'hashes': ExclusiveDomain(hash_symbols, build_and_test, exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_)'), - # Key exchange types. Just check the build. - 'kex': ExclusiveDomain(key_exchange_symbols, [build_command]), - # Public-key algorithms. Run the test suites. + # Key exchange types. Only build the library and the sample + # programs. + 'kex': ExclusiveDomain(key_exchange_symbols, + [build_command + ['lib'], + build_command + ['-C', 'programs']]), 'pkalgs': ComplementaryDomain(['MBEDTLS_ECDSA_C', 'MBEDTLS_ECP_C', 'MBEDTLS_PKCS1_V21', From 34a1557df6565d532eca92d07985cdfc1fbd29b7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Jan 2019 23:12:28 +0100 Subject: [PATCH 12/58] Add domains for symmetric ciphers Add a domain for cipher base algorithms (block permutations and stream ciphers), a domain for block cipher chaining modes and a domain for block cipher padding modes. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 3ef3f20ed8..11af322fd6 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -180,6 +180,12 @@ ssl_pre_1_2_dependencies = ['MBEDTLS_SSL_CBC_RECORD_SPLITTING', # file includes a copy because it changes rarely and it would be a pain # to extract automatically. reverse_dependencies = { + 'MBEDTLS_AES_C': ['MBEDTLS_CTR_DRBG_C', + 'MBEDTLS_NIST_KW_C', + 'MBEDTLS_PSA_CRYPTO_STORAGE_C', + 'MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C', + 'MBEDTLS_PSA_CRYPTO_C'], + 'MBEDTLS_CHACHA20_C': ['MBEDTLS_CHACHAPOLY_C'], 'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], 'MBEDTLS_ECP_C': ['MBEDTLS_ECDSA_C', 'MBEDTLS_ECDH_C', 
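Review bot: The rewritten `'kex'` entry also removes the line `# Public-key algorithms. Run the test suites.`, which described the `'pkalgs'` entry that follows and has nothing to do with key exchanges. That looks accidental; keep the comment directly above `'pkalgs': ComplementaryDomain(...)`. The dictionary literal starts and ends outside this hunk.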
@@ -266,6 +272,16 @@ Each job runs the specified commands.""" job = Job(description, config_settings, commands) self.jobs.append(job) +class CipherInfo: + """Collect data about cipher.h.""" + def __init__(self, options): + self.base_symbols = set() + with open('include/mbedtls/cipher.h') as fh: + for line in fh: + m = re.match(r' *MBEDTLS_CIPHER_ID_(\w+),', line) + if m and m.group(1) not in ['NONE', 'NULL', '3DES']: + self.base_symbols.add('MBEDTLS_' + m.group(1) + '_C') + class DomainData: """Collect data about the library.""" def collect_config_symbols(self, options): @@ -294,7 +310,21 @@ Return them in a generator.""" curve_symbols = self.config_symbols_matching(r'MBEDTLS_ECP_DP_\w+_ENABLED\Z') # Find key exchange enabling macros by name. key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') + # Find cipher IDs (block permutations and stream ciphers --- chaining + # and padding modes are exercised separately) information by parsing + # cipher.h, as the information is not readily available in config.h. + cipher_info = CipherInfo(options) + # Find block cipher chaining and padding mode enabling macros by name. + cipher_chaining_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_MODE_\w+\Z') + cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z') self.domains = { + # Cipher IDs, chaining modes and padding modes. Run the test suites. + 'cipher_id': ExclusiveDomain(cipher_info.base_symbols, + build_and_test), + 'cipher_chaining': ExclusiveDomain(cipher_chaining_symbols, + build_and_test), + 'cipher_padding': ExclusiveDomain(cipher_padding_symbols, + build_and_test), # Elliptic curves. Run the test suites. 'curves': ExclusiveDomain(curve_symbols, build_and_test), # Hash algorithms. Exclude configurations with only one From f502bcb13ed7f326ec488f5a4057647bec788957 Mon Sep 17 00:00:00 2001 
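Review bot: `CipherInfo.base_symbols` is a `set`, and the second hunk passes it straight to `ExclusiveDomain`, so the order of the `cipher_id` jobs follows set iteration order and can differ from run to run under string hash randomization. Passing `sorted(cipher_info.base_symbols)` keeps the job order and the logs reproducible. `__init__` also takes `options` without using it and opens the hard-coded relative path `'include/mbedtls/cipher.h'`; either drop the parameter or document that the script must be run from the source root.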
From: Andrzej Kurek Date: Tue, 27 Sep 2022 09:27:56 -0400 Subject: [PATCH 13/58] Fix missing AES dependencies Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ccm.data | 9 +++++++++ tests/suites/test_suite_cmac.data | 13 ++++++++++++- tests/suites/test_suite_cmac.function | 4 ++-- tests/suites/test_suite_gcm.aes128_en.data | 1 + tests/suites/test_suite_gcm.function | 2 +- tests/suites/test_suite_pem.data | 2 +- tests/suites/test_suite_ssl.data | 6 +++++- 7 files changed, 31 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 61e6e9b991..2c4ccc4675 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data 
@@ -1715,30 +1715,39 @@ depends_on:MBEDTLS_AES_C mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" CCM encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" CCM decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" CCM* encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" CCM* decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98" CCM encrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" CCM decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" CCM* encrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" CCM* decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16) +depends_on:MBEDTLS_AES_C 
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af" CCM pass unexpected auth data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) +depends_on:MBEDTLS_AES_C mbedtls_ccm_unexpected_ad::MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" CCM encrypt, unexpected ciphertext/plaintext data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) diff --git a/tests/suites/test_suite_cmac.data b/tests/suites/test_suite_cmac.data index 5956a69811..3ca5e542d0 100644 --- a/tests/suites/test_suite_cmac.data +++ b/tests/suites/test_suite_cmac.data @@ -2,6 +2,7 @@ CMAC self test mbedtls_cmac_self_test: CMAC null arguments +depends_on:MBEDTLS_AES_C mbedtls_cmac_null_args: CMAC init #1 AES-128: OK @@ -16,7 +17,7 @@ CMAC init #3 AES-256: OK depends_on:MBEDTLS_AES_C mbedtls_cmac_setkey:MBEDTLS_CIPHER_AES_256_ECB:256:0 -CMAC init #4 3DES : OK +CMAC init #4 3DES: OK depends_on:MBEDTLS_DES_C mbedtls_cmac_setkey:MBEDTLS_CIPHER_DES_EDE3_ECB:192:0 
@@ -33,32 +34,42 @@ depends_on:MBEDTLS_CAMELLIA_C mbedtls_cmac_setkey:MBEDTLS_CIPHER_CAMELLIA_192_ECB:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA CMAC Single Blocks #1 - Empty block, no updates +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"":-1:"":-1:"":-1:"":-1:"bb1d6929e95937287fa37d129b756746" CMAC Single Blocks #2 - Single 16 byte block +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96e93d7e117393172a":16:"":-1:"":-1:"":-1:"070a16b46b4d4144f79bdd9dd04a287c" CMAC Single Blocks #3 - Single 64 byte block +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":64:"":-1:"":-1:"":-1:"51f0bebf7e3b9d92fc49741779363cfe" CMAC Multiple Blocks #1 - Multiple 8 byte blocks +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96":8:"e93d7e117393172a":8:"":-1:"":-1:"070a16b46b4d4144f79bdd9dd04a287c" CMAC Multiple Blocks #2 - Multiple 16 byte blocks +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96e93d7e117393172a":16:"ae2d8a571e03ac9c9eb76fac45af8e51":16:"30c81c46a35ce411e5fbc1191a0a52ef":16:"f69f2445df4f9b17ad2b417be66c3710":16:"51f0bebf7e3b9d92fc49741779363cfe" CMAC Multiple Blocks #3 - Multiple variable sized blocks +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"6bc1bee22e409f96":8:"e93d7e117393172aae2d8a571e03ac9c":16:"9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52ef":24:"f69f2445df4f9b17ad2b417be66c3710":16:"51f0bebf7e3b9d92fc49741779363cfe" CMAC Multiple Blocks 
#4 - Multiple 8 byte blocks with gaps +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"":0:"6bc1bee22e409f96":8:"":0:"e93d7e117393172a":8:"070a16b46b4d4144f79bdd9dd04a287c" CMAC Multiple Operations, same key #1 - Empty, empty +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_operations_same_key:MBEDTLS_CIPHER_AES_192_ECB:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":192:16:"":-1:"":-1:"":-1:"d17ddf46adaacde531cac483de7a9367":"":-1:"":-1:"":-1:"d17ddf46adaacde531cac483de7a9367" CMAC Multiple Operations, same key #2 - Empty, 64 byte block +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_operations_same_key:MBEDTLS_CIPHER_AES_192_ECB:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":192:16:"":-1:"":-1:"":-1:"d17ddf46adaacde531cac483de7a9367":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":64:"":-1:"":-1:"a1d5df0eed790f794d77589659f39a11" CMAC Multiple Operations, same key #3 - variable byte blocks +depends_on:MBEDTLS_AES_C mbedtls_cmac_multiple_operations_same_key:MBEDTLS_CIPHER_AES_192_ECB:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":192:16:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51":32:"30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":32:"":-1:"a1d5df0eed790f794d77589659f39a11":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51":32:"30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":32:"":-1:"a1d5df0eed790f794d77589659f39a11" diff --git a/tests/suites/test_suite_cmac.function b/tests/suites/test_suite_cmac.function index cabf1070c1..c3d7da43d8 100644 --- a/tests/suites/test_suite_cmac.function +++ b/tests/suites/test_suite_cmac.function 
@@ -77,7 +77,7 @@ void mbedtls_cmac_null_args( ) test_data, 16, NULL ) == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); - +#if defined(MBEDTLS_AES_C) TEST_ASSERT( mbedtls_aes_cmac_prf_128( NULL, 16, test_data, 16, test_output ) == @@ -92,7 +92,7 @@ void mbedtls_cmac_null_args( ) test_data, 16, NULL ) == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); - +#endif exit: mbedtls_cipher_free( &ctx ); } diff --git a/tests/suites/test_suite_gcm.aes128_en.data b/tests/suites/test_suite_gcm.aes128_en.data index 273642cbd7..a87fb180e0 100644 --- a/tests/suites/test_suite_gcm.aes128_en.data +++ b/tests/suites/test_suite_gcm.aes128_en.data @@ -727,6 +727,7 @@ depends_on:MBEDTLS_AES_C gcm_bad_parameters:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"d0194b6ee68f0ed8adc4b22ed15dbf14":"":"":"":32:MBEDTLS_ERR_GCM_BAD_INPUT AES-GCM, output buffer too small, NIST Validation (AES-128,128,1024,0,128) #0 +depends_on:MBEDTLS_AES_C gcm_update_output_buffer_too_small:MBEDTLS_CIPHER_ID_AES:MBEDTLS_GCM_ENCRYPT:"ce0f8cfe9d64c4f4c045d11b97c2d918":"dfff250d380f363880963b42d6913c1ba11e8edf7c4ab8b76d79ccbaac628f548ee542f48728a9a2620a0d69339c8291e8d398440d740e310908cdee7c273cc91275ce7271ba12f69237998b07b789b3993aaac8dc4ec1914432a30f5172f79ea0539bd1f70b36d437e5170bc63039a5280816c05e1e41760b58e35696cebd55":"ad4c3627a494fc628316dc03faf81db8" AES-GCM Selftest diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index ea8d6a03ad..eb2ced34a8 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function @@ -454,7 +454,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ +/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_AES_C */ void gcm_selftest( ) { TEST_ASSERT( mbedtls_gcm_self_test( 1 ) == 0 ); diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data index d755c27601..1c9e0bf22d 100644 --- a/tests/suites/test_suite_pem.data +++ b/tests/suites/test_suite_pem.data 
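Review bot: The two preprocessor lines added to `mbedtls_cmac_null_args` replace the blank lines that separated the assertion groups, and the closing `#endif` carries no label. Other guards in this series are closed with the macro name, as in `#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */`; I would write `#endif /* MBEDTLS_AES_C */` and keep a blank line before `exit:`. The function body starts outside the hunk.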
@@ -28,7 +28,7 @@ depends_on:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MOD mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":"pwd":MBEDTLS_ERR_PEM_INVALID_ENC_IV:"" PEM read (unknown encryption algorithm) -depends_on:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":"pwd":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG:"" PEM read (malformed PEM DES-CBC) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 1210694526..bd9f250eaf 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3115,6 +3115,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1 # - App data payload: 70696e67 # - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5 # - Padding used: No (== granularity 1) +depends_on:MBEDTLS_AES_C ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5" SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 @@ -3125,6 +3126,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 # - App data payload: 706f6e67 # - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7 # - Padding used: No (== granularity 1) +depends_on:MBEDTLS_AES_C ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7" SSL TLS 1.3 Record Encryption RFC 8448 Example #1 
@@ -3143,6 +3145,7 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #1 # 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6 # 3a ee bb 21 69 49 15 e4 # - Padding used: No (== granularity 1) +depends_on:MBEDTLS_AES_C ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4" SSL TLS 1.3 Record Encryption RFC 8448 Example #2 
@@ -3161,11 +3164,12 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #2 # fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54 # 0d d0 32 e1 67 c2 95 5d # - Padding used: No (== granularity 1) +depends_on:MBEDTLS_AES_C ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d" SSL TLS 1.3 Key schedule: Application secrets derivation helper # Vector from RFC 8448 -depends_on:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_AES_C ssl_tls13_derive_application_secrets:PSA_ALG_SHA_256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" SSL TLS 1.3 Key schedule: Resumption secrets derivation helper From 894edde9915bc34c814f5571d1b246f30a6337f7 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 29 Sep 2022 06:31:14 -0400 Subject: [PATCH 14/58] Add tls prf handling when there's no SHA256 or SHA384 Return a null prf function pointer and check for it when populating transform. Signed-off-by: Andrzej Kurek --- library/ssl_tls.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c36729fc56..50a233ddb5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
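Review bot: The last change in this hunk adds `MBEDTLS_AES_C` to the dependencies of `ssl_tls13_derive_application_secrets`, whose visible arguments are `PSA_ALG_SHA_256` and hex strings only. Unless the test function itself needs AES (not visible here), this skips a hash-only key-schedule vector in builds without AES and reduces coverage; I would leave it as `depends_on:PSA_WANT_ALG_SHA_256`. The `ssl_tls13_record_protection` cases above name an AES-128-GCM suite, so the added dependency fits there.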
@@ -4046,6 +4046,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, const unsigned char * const end = buf + len; size_t session_len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + tls_prf_fn prf_func = NULL; /* * The context should have been freshly setup or reset. @@ -4131,6 +4132,10 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, ssl->transform_out = ssl->transform; ssl->transform_negotiate = NULL; + prf_func = ssl_tls12prf_from_cs( ssl->session->ciphersuite ); + if( prf_func == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + /* Read random bytes and populate structure */ if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -4141,7 +4146,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) ssl->session->encrypt_then_mac, #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ - ssl_tls12prf_from_cs( ssl->session->ciphersuite ), + prf_func, p, /* currently pointing to randbytes */ MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ ssl->conf->endpoint, @@ -7428,6 +7433,8 @@ exit: * Helper to get TLS 1.2 PRF from ciphersuite * (Duplicates bits of logic from ssl_set_handshake_prfs().) */ +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ + defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id ) { #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 
@@ -7436,11 +7443,22 @@ static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id ) if( ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) return( tls_prf_sha384 ); -#else - (void) ciphersuite_id; + else #endif - return( tls_prf_sha256 ); +#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + { + if( ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256 ) + return( tls_prf_sha256 ); + } +#endif +#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ciphersuite_info; +#endif + return( NULL ); } +#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || + MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) From 2d59dbc0323d30570a51d2ab36c067f9b3be6759 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 13 Oct 2022 08:34:38 -0400 Subject: [PATCH 15/58] Use TLS prf only if TLS 1.2 is compiled in Signed-off-by: Andrzej Kurek --- library/ssl_tls.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 50a233ddb5..7792957397 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4046,7 +4046,9 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, const unsigned char * const end = buf + len; size_t session_len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) tls_prf_fn prf_func = NULL; +#endif /* * The context should have been freshly setup or reset. @@ -4132,6 +4134,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, ssl->transform_out = ssl->transform; ssl->transform_negotiate = NULL; +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) prf_func = ssl_tls12prf_from_cs( ssl->session->ciphersuite ); if( prf_func == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 
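Review bot: In the rewritten `ssl_tls12prf_from_cs`, the SHA-256 branch reads `ciphersuite_info`, whose declaration sits between the two hunks and, judging from the `#if` that closes the previous hunk, is compiled only when SHA-384 is available; a SHA-256-only build would then not compile. The `else` that dangles across `#endif` and the `(void) ciphersuite_info;` block, which can never be active inside the outer guard, make the function hard to follow. Note also that a suite whose MAC is neither SHA-256 nor SHA-384 now yields NULL where it used to get `tls_prf_sha256`, so `ssl_context_load` rejects it. I would hoist the lookup out of the inner guard and use two independent checks.

```c
static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
{
    const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
         mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );

    /* Unknown suite: the caller treats NULL as bad input. */
    if( ciphersuite_info == NULL )
        return( NULL );

#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
    if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
        return( tls_prf_sha384 );
#endif
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
    if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
        return( tls_prf_sha256 );
#endif
    return( NULL );
}
```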
@@ -4139,7 +4142,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, /* Read random bytes and populate structure */ if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + ret = ssl_tls12_populate_transform( ssl->transform, ssl->session->ciphersuite, ssl->session->master, From 084334c8f28fd2c32462d47be996a2b65dd7993c Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 27 Sep 2022 14:19:50 -0400 Subject: [PATCH 16/58] Compile constant time masking and hmac if there are suites using MAC This is used in TLS 1.2 authentication with NULL cipher, when there are no TLS_CBC suites. Signed-off-by: Andrzej Kurek --- library/constant_time_internal.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h index 340a5882d8..9cc63c2308 100644 --- a/library/constant_time_internal.h +++ b/library/constant_time_internal.h @@ -46,7 +46,7 @@ */ unsigned mbedtls_ct_uint_mask( unsigned value ); -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) /** Turn a value into a mask: * - if \p value == 0, return the all-bits 0 mask, aka 0 @@ -61,7 +61,7 @@ unsigned mbedtls_ct_uint_mask( unsigned value ); */ size_t mbedtls_ct_size_mask( size_t value ); -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) From 46a987367c5f3bcbf126ec7db6a8a1743ffe08e4 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 17 Oct 2022 08:11:11 -0400 Subject: [PATCH 17/58] Formatting fix Signed-off-by: Andrzej Kurek --- library/ssl_msg.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index ab2ecb327a..4f998b4f5f 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
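Review bot: Moving `#if defined(MBEDTLS_SSL_PROTO_TLS1_2)` above the PRF lookup also puts the `(size_t)( end - p ) < sizeof( ssl->transform->randbytes )` length check inside the guard. If the code after the closing `#endif` (outside this hunk) still advances `p` past the random bytes, a build without TLS 1.2 would do so without checking the remaining input length. I would keep the length check unconditional and open the guard after it, with the `prf_func` lookup placed directly before the `ssl_tls12_populate_transform` call.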
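Review bot: Only the declaration of `mbedtls_ct_size_mask` switches its guard to `MBEDTLS_SSL_SOME_SUITES_USE_MAC`; the diffstat lists no change to the file that defines it. If the definition is still compiled under `MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC`, a configuration with MAC suites but no CBC suites declares the function without providing it. The guard around the definition should be changed in the same commit so that header and implementation stay in step.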
@@ -1665,15 +1665,15 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* - * The next two sizes are the minimum and maximum values of - * data_len over all padlen values. - * - * They're independent of padlen, since we previously did - * data_len -= padlen. - * - * Note that max_len + maclen is never more than the buffer - * length, as we previously did in_msglen -= maclen too. - */ + * The next two sizes are the minimum and maximum values of + * data_len over all padlen values. + * + * They're independent of padlen, since we previously did + * data_len -= padlen. + * + * Note that max_len + maclen is never more than the buffer + * length, as we previously did in_msglen -= maclen too. + */ const size_t max_len = rec->data_len + padlen; const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; From 0abebebe6d8a182ccdee8ea2275576a0accbe030 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 30 Sep 2022 12:54:41 -0400 Subject: [PATCH 18/58] Refactor ssl test suite to use pointers more This way it's easier to track structures that are partially set up. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 122 ++++++++++++++++----------- 1 file changed, 73 insertions(+), 49 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d832853ee0..5042d9fc3a 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -797,9 +797,9 @@ int mbedtls_mock_tcp_recv_msg( void *ctx, unsigned char *buf, size_t buf_len ) */ typedef struct mbedtls_endpoint_certificate { - mbedtls_x509_crt ca_cert; - mbedtls_x509_crt cert; - mbedtls_pk_context pkey; + mbedtls_x509_crt* ca_cert; + mbedtls_x509_crt* cert; + mbedtls_pk_context* pkey; } mbedtls_endpoint_certificate; /* 
@@ -814,6 +814,42 @@ typedef struct mbedtls_endpoint mbedtls_endpoint_certificate cert; } mbedtls_endpoint; +/* + * Deinitializes certificates from endpoint represented by \p ep. + */ +void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep ) +{ + mbedtls_endpoint_certificate *cert = &( ep->cert ); + if( cert != NULL ) + { + if( cert->ca_cert != NULL ) + { + mbedtls_x509_crt_free( cert->ca_cert ); + mbedtls_free( cert->ca_cert ); + cert->ca_cert = NULL; + } + if( cert->cert != NULL ) + { + mbedtls_x509_crt_free( cert->cert ); + mbedtls_free( cert->cert ); + cert->cert = NULL; + } + if( cert->pkey != NULL ) + { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( mbedtls_pk_get_type( cert->pkey ) == MBEDTLS_PK_OPAQUE ) + { + mbedtls_svc_key_id_t *key_slot = cert->pkey->pk_ctx; + psa_destroy_key( *key_slot ); + } +#endif + mbedtls_pk_free( cert->pkey ); + mbedtls_free( cert->pkey ); + cert->pkey = NULL; + } + } +} + /* * Initializes \p ep_cert structure and assigns it to endpoint * represented by \p ep. @@ -826,7 +862,7 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, { int i = 0; int ret = -1; - mbedtls_endpoint_certificate *cert; + mbedtls_endpoint_certificate *cert = NULL; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; #endif 
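Review bot: In `mbedtls_endpoint_certificate_free`, `cert` is `&( ep->cert )`, so `if( cert != NULL )` is always true and gives no protection; the pointer that can be NULL is `ep`. Either test `ep` before taking the member address, `if( ep == NULL ) return;`, or drop the check. The header comment could also state the contract that the member checks implement, e.g. `NULL members are skipped, so this is safe after a partial init.`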
@@ -837,15 +873,19 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, } cert = &( ep->cert ); - mbedtls_x509_crt_init( &( cert->ca_cert ) ); - mbedtls_x509_crt_init( &( cert->cert ) ); - mbedtls_pk_init( &( cert->pkey ) ); + cert->ca_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); + cert->cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); + cert->pkey = mbedtls_calloc( 1, sizeof(mbedtls_pk_context) ); + + mbedtls_x509_crt_init( cert->ca_cert ); + mbedtls_x509_crt_init( cert->cert ); + mbedtls_pk_init( cert->pkey ); /* Load the trusted CA */ for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse_der( &( cert->ca_cert ), + ret = mbedtls_x509_crt_parse_der( cert->ca_cert, (const unsigned char *) mbedtls_test_cas_der[i], mbedtls_test_cas_der_len[i] ); TEST_ASSERT( ret == 0 ); @@ -857,12 +897,12 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, { if( pk_alg == MBEDTLS_PK_RSA ) { - ret = mbedtls_x509_crt_parse( &( cert->cert ), + ret = mbedtls_x509_crt_parse( cert->cert, (const unsigned char*) mbedtls_test_srv_crt_rsa_sha256_der, mbedtls_test_srv_crt_rsa_sha256_der_len ); TEST_ASSERT( ret == 0 ); - ret = mbedtls_pk_parse_key( &( cert->pkey ), + ret = mbedtls_pk_parse_key( cert->pkey, (const unsigned char*) mbedtls_test_srv_key_rsa_der, mbedtls_test_srv_key_rsa_der_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ); @@ -870,12 +910,12 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, } else { - ret = mbedtls_x509_crt_parse( &( cert->cert ), + ret = mbedtls_x509_crt_parse( cert->cert, (const unsigned char*) mbedtls_test_srv_crt_ec_der, mbedtls_test_srv_crt_ec_der_len ); TEST_ASSERT( ret == 0 ); - ret = mbedtls_pk_parse_key( &( cert->pkey ), + ret = mbedtls_pk_parse_key( cert->pkey, (const unsigned char*) mbedtls_test_srv_key_ec_der, mbedtls_test_srv_key_ec_der_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ); 
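Review bot: The three `mbedtls_calloc` results in `mbedtls_endpoint_certificate_init` go straight into `mbedtls_x509_crt_init` and `mbedtls_pk_init` without a NULL check, so an allocation failure becomes a NULL write instead of a reported test failure. Adding `TEST_ASSERT( cert->ca_cert != NULL );`, `TEST_ASSERT( cert->cert != NULL );` and `TEST_ASSERT( cert->pkey != NULL );` after the allocations would route the failure to `exit:`. At that point `ret` appears to still hold its initial `-1`, so `mbedtls_endpoint_certificate_free( ep )` would run, and it already tolerates members that were never allocated. The function starts before and ends after this hunk, so the early-return path above it should be confirmed.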
@@ -886,12 +926,12 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, { if( pk_alg == MBEDTLS_PK_RSA ) { - ret = mbedtls_x509_crt_parse( &( cert->cert ), + ret = mbedtls_x509_crt_parse( cert->cert, (const unsigned char *) mbedtls_test_cli_crt_rsa_der, mbedtls_test_cli_crt_rsa_der_len ); TEST_ASSERT( ret == 0 ); - ret = mbedtls_pk_parse_key( &( cert->pkey ), + ret = mbedtls_pk_parse_key( cert->pkey, (const unsigned char *) mbedtls_test_cli_key_rsa_der, mbedtls_test_cli_key_rsa_der_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ); @@ -899,12 +939,12 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, } else { - ret = mbedtls_x509_crt_parse( &( cert->cert ), + ret = mbedtls_x509_crt_parse( cert->cert, (const unsigned char *) mbedtls_test_cli_crt_ec_der, mbedtls_test_cli_crt_ec_len ); TEST_ASSERT( ret == 0 ); - ret = mbedtls_pk_parse_key( &( cert->pkey ), + ret = mbedtls_pk_parse_key( cert->pkey, (const unsigned char *) mbedtls_test_cli_key_ec_der, mbedtls_test_cli_key_ec_der_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ); @@ -915,7 +955,7 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, #if defined(MBEDTLS_USE_PSA_CRYPTO) if( opaque_alg != 0 ) { - TEST_EQUAL( mbedtls_pk_wrap_as_opaque( &( cert->pkey ), &key_slot, + TEST_EQUAL( mbedtls_pk_wrap_as_opaque( cert->pkey, &key_slot, opaque_alg, opaque_usage, opaque_alg2 ), 0 ); } @@ -925,10 +965,10 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, (void) opaque_usage; #endif - mbedtls_ssl_conf_ca_chain( &( ep->conf ), &( cert->ca_cert ), NULL ); + mbedtls_ssl_conf_ca_chain( &( ep->conf ), cert->ca_cert, NULL ); - ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ), - &( cert->pkey ) ); + ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), cert->cert, + cert->pkey ); TEST_ASSERT( ret == 0 ); TEST_ASSERT( ep->conf.key_cert != NULL ); 
@@ -936,20 +976,14 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, TEST_ASSERT( ret == 0 ); TEST_ASSERT( ep->conf.key_cert == NULL ); - ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ), - &( cert->pkey ) ); + ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), cert->cert, + cert->pkey ); TEST_ASSERT( ret == 0 ); exit: if( ret != 0 ) { - mbedtls_x509_crt_free( &( cert->ca_cert ) ); - mbedtls_x509_crt_free( &( cert->cert ) ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opaque_alg != 0 ) - psa_destroy_key( key_slot ); -#endif - mbedtls_pk_free( &( cert->pkey ) ); + mbedtls_endpoint_certificate_free( ep ); } return ret; @@ -1075,25 +1109,6 @@ exit: return ret; } -/* - * Deinitializes certificates from endpoint represented by \p ep. - */ -void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep ) -{ - mbedtls_endpoint_certificate *cert = &( ep->cert ); - mbedtls_x509_crt_free( &( cert->ca_cert ) ); - mbedtls_x509_crt_free( &( cert->cert ) ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( mbedtls_pk_get_type( &( cert->pkey ) ) == MBEDTLS_PK_OPAQUE ) - { - mbedtls_svc_key_id_t *key_slot = cert->pkey.pk_ctx; - - psa_destroy_key( *key_slot ); - } -#endif - mbedtls_pk_free( &( cert->pkey ) ); -} - /* * Deinitializes endpoint represented by \p ep. */ @@ -2077,7 +2092,8 @@ void perform_handshake( handshake_test_options *options ) int expected_handshake_result = options->expected_handshake_result; USE_PSA_INIT( ); - + mbedtls_platform_zeroize( &client, sizeof(client) ); + mbedtls_platform_zeroize( &server, sizeof(server) ); mbedtls_test_message_queue server_queue, client_queue; mbedtls_test_message_socket_context server_context, client_context; mbedtls_message_socket_init( &server_context ); 
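Review bot: The `mbedtls_platform_zeroize( &client, sizeof(client) );` and `&server` calls added after `USE_PSA_INIT( )` in `perform_handshake` carry no comment, and their purpose is not evident at the call site. Presumably they make `cert.ca_cert`, `cert.cert` and `cert.pkey` NULL so that `mbedtls_endpoint_certificate_free` is safe on an endpoint that was never fully initialised; a comment such as `/* Clear the endpoints so cleanup sees NULL certificate pointers if init fails early. */` would record that. `mbedtls_platform_zeroize` is the primitive for wiping secrets, so `memset( &client, 0, sizeof( client ) );` would state the intent of plain initialisation more clearly. The same pair of calls is added without comment in `move_handshake_to_state`, `force_bad_session_id_len`, `raw_key_agreement_fail` and `tls13_server_certificate_msg_invalid_vector_len` in the hunks that follow; all of these functions continue outside their hunks.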
@@ -5122,6 +5138,8 @@ void move_handshake_to_state(int endpoint_type, int state, int need_pass) options.pk_alg = MBEDTLS_PK_RSA; USE_PSA_INIT( ); + mbedtls_platform_zeroize( &base_ep, sizeof(base_ep) ); + mbedtls_platform_zeroize( &second_ep, sizeof(second_ep) ); ret = mbedtls_endpoint_init( &base_ep, endpoint_type, &options, NULL, NULL, NULL, NULL ); @@ -5827,6 +5845,8 @@ void force_bad_session_id_len( ) options.srv_log_fun = log_analyzer; USE_PSA_INIT( ); + mbedtls_platform_zeroize( &client, sizeof(client) ); + mbedtls_platform_zeroize( &server, sizeof(server) ); mbedtls_message_socket_init( &server_context ); mbedtls_message_socket_init( &client_context ); @@ -6007,6 +6027,8 @@ void raw_key_agreement_fail( int bad_server_ecdhe_key ) uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; USE_PSA_INIT( ); + mbedtls_platform_zeroize( &client, sizeof(client) ); + mbedtls_platform_zeroize( &server, sizeof(server) ); init_handshake_options( &options ); options.pk_alg = MBEDTLS_PK_ECDSA; @@ -6081,6 +6103,8 @@ void tls13_server_certificate_msg_invalid_vector_len( ) * Test set-up */ USE_PSA_INIT( ); + mbedtls_platform_zeroize( &client_ep, sizeof(client_ep) ); + mbedtls_platform_zeroize( &server_ep, sizeof(server_ep) ); init_handshake_options( &client_options ); client_options.pk_alg = MBEDTLS_PK_ECDSA; From 90e8204476e18f88e2575018aaa27e4b194cfb2c Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 17 Oct 2022 07:45:53 -0400 Subject: [PATCH 19/58] Add missing SHA256 and ECDSA_C dependencies in test_suite_ssl Most of the tests (including those using endpoint_init functions) parse certificates that require MBEDTLS_SHA256_C to be present. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.data | 12 ++++++----- tests/suites/test_suite_ssl.function | 32 ++++++++++++++-------------- 2 files changed, 23 insertions(+), 21 deletions(-) 
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index bd9f250eaf..20a0c6d8d5 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3115,7 +3115,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1 # - App data payload: 70696e67 # - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5 # - Padding used: No (== granularity 1) -depends_on:MBEDTLS_AES_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5" SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 @@ -3126,7 +3126,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 # - App data payload: 706f6e67 # - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7 # - Padding used: No (== granularity 1) -depends_on:MBEDTLS_AES_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7" SSL TLS 1.3 Record Encryption RFC 8448 Example #1 
@@ -3145,7 +3145,7 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #1 # 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6 # 3a ee bb 21 69 49 15 e4 # - Padding used: No (== granularity 1) -depends_on:MBEDTLS_AES_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4" SSL TLS 1.3 Record Encryption RFC 8448 Example #2 
@@ -3164,12 +3164,12 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #2 # fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54 # 0d d0 32 e1 67 c2 95 5d # - Padding used: No (== granularity 1) -depends_on:MBEDTLS_AES_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d" SSL TLS 1.3 Key schedule: Application secrets derivation helper # Vector from RFC 8448 -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_AES_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:PSA_WANT_ALG_SHA_256 ssl_tls13_derive_application_secrets:PSA_ALG_SHA_256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" SSL TLS 1.3 Key schedule: Resumption secrets derivation helper @@ -3522,9 +3522,11 @@ Sanity test cid functions cid_sanity: Raw key agreement: nominal +depends_on:MBEDTLS_SHA256_C raw_key_agreement_fail:0 Raw key agreement: bad server key +depends_on:MBEDTLS_SHA256_C raw_key_agreement_fail:1 Force a bad session id length diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 5042d9fc3a..d169160de2 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -4543,7 +4543,7 @@ void ssl_tls13_create_psk_binder( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SHA256_C */ void ssl_tls13_record_protection( int ciphersuite, int endpoint, int ctr, @@ -5100,7 +5100,7 @@ void ssl_session_serialize_version_check( int corrupt_major, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15*/ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C */ void mbedtls_endpoint_sanity( int endpoint_type ) { enum { BUFFSIZE = 1024 }; @@ -5127,7 +5127,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15 */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C */ void move_handshake_to_state(int endpoint_type, int state, int need_pass) { enum { BUFFSIZE = 1024 }; @@ -5183,7 +5183,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ void handshake_version( int dtls, int client_min_version, int client_max_version, int server_min_version, int server_max_version, int expected_negotiated_version ) 
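Review bot: The `MBEDTLS_SHA256_C` added to these `BEGIN_CASE depends_on:` headers names the legacy module, whereas the handshake cases in test_suite_ssl.data express their hash requirement as `MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA`. If SHA-256 can be provided through PSA in an `MBEDTLS_USE_PSA_CRYPTO` build without `MBEDTLS_SHA256_C` (worth confirming against the configuration checks), these handshake tests would be skipped there and the TLS code would lose coverage in that configuration. This applies to every `BEGIN_CASE` line changed in this commit's test_suite_ssl.function hunks. `raw_key_agreement_fail` gets the same dependency per case in the .data file rather than on its header, which is easy to miss when a new case is added.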
@@ -5208,7 +5208,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2 */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA256_C */ void handshake_psk_cipher( char* cipher, int pk_alg, data_t *psk_str, int dtls ) { handshake_test_options options; @@ -5229,7 +5229,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2 */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA256_C */ void handshake_cipher( char* cipher, int pk_alg, int dtls ) { test_handshake_psk_cipher( cipher, pk_alg, NULL, dtls ); @@ -5239,7 +5239,7 @@ void handshake_cipher( char* cipher, int pk_alg, int dtls ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2 */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA256_C */ void handshake_ciphersuite_select( char* cipher, int pk_alg, data_t *psk_str, int psa_alg, int psa_alg2, int psa_usage, int expected_handshake_result, @@ -5266,7 +5266,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ void app_data( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments, int dtls ) 
@@ -5294,7 +5294,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments ) @@ -5306,7 +5306,7 @@ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SHA256_C */ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments ) @@ -5318,7 +5318,7 @@ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SHA256_C */ void handshake_serialization( ) { handshake_test_options options; 
@@ -5334,7 +5334,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_SHA256_C */ void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int expected_cli_hs_fragmentation) { handshake_test_options options; @@ -5373,7 +5373,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SHA256_C */ void renegotiation( int legacy_renegotiation ) { handshake_test_options options; @@ -5392,7 +5392,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation, int serialize, int dtls, char *cipher ) { 
@@ -5416,7 +5416,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SHA256_C */ void resize_buffers_serialize_mfl( int mfl ) { test_resize_buffers( mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1, @@ -5427,7 +5427,7 @@ void resize_buffers_serialize_mfl( int mfl ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, char *cipher ) { From 68327748d398b81deb7772ff06f1c4a04e48c88b Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 3 Oct 2022 06:18:18 -0400 Subject: [PATCH 20/58] Add missing dependencies Signed-off-by: Andrzej Kurek --- library/ssl_tls.c | 5 ++--- programs/ssl/ssl_client2.c | 3 ++- programs/ssl/ssl_server2.c | 3 ++- programs/test/benchmark.c | 5 +++-- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7792957397..eee0dadacf 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -7440,10 +7440,9 @@ exit: defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id ) { -#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = - mbedtls_ssl_ciphersuite_from_id( ciphersuite_id ); - + mbedtls_ssl_ciphersuite_from_id( ciphersuite_id ); +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) if( ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) return( tls_prf_sha384 ); else diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index be474d4737..9426a82643 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2030,7 +2030,8 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( opt.sig_algs != NULL ) mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 4f789d5230..e3587a5b5a 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3234,7 +3234,8 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( opt.sig_algs != NULL ) mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 920a473c62..ecb093e14f 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -915,7 +915,8 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_HMAC_DRBG_C) +#if defined(MBEDTLS_HMAC_DRBG_C) && \ + ( defined(MBEDTLS_SHA1_C) || defined(MBEDTLS_SHA256_C) ) if( todo.hmac_drbg ) { mbedtls_hmac_drbg_context hmac_drbg; 
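Review bot: In the programs/ssl/ssl_client2.c hunk the guard around `mbedtls_ssl_conf_sig_algs` now also requires `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED`, but the closing line still reads `#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */`. It should become `#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */`, as the benchmark.c hunk in this same commit does for its own guard. The ssl_server2.c hunk that follows has the same stale comment, as does the `mbedtls_ssl_set_verify` guard in the next commit's ssl_client2.c changes (`#endif /* MBEDTLS_X509_CRT_PARSE_C */`). With the narrower guard a `sig_algs` option given to a build without certificate-based key exchange looks to be silently ignored, which may deserve a line in the usage text.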
@@ -958,7 +959,7 @@ int main( int argc, char *argv[] ) #endif mbedtls_hmac_drbg_free( &hmac_drbg ); } -#endif +#endif /* MBEDTLS_HMAC_DRBG_C && ( MBEDTLS_SHA1_C || MBEDTLS_SHA256_C ) */ #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) if( todo.rsa ) From e38b788b79f507ae61bb3a1e072dab59eff0f9e6 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 17 Oct 2022 07:46:51 -0400 Subject: [PATCH 21/58] Add missing key exchange dependencies Signed-off-by: Andrzej Kurek --- programs/ssl/ssl_client2.c | 26 ++++++++++++-------- programs/ssl/ssl_server2.c | 3 ++- tests/suites/test_suite_ssl.data | 42 ++++++++++++++++---------------- 3 files changed, 39 insertions(+), 32 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 9426a82643..caf9ac5cf5 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -541,7 +541,7 @@ struct options #include "ssl_test_common_source.c" -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) static unsigned char peer_crt_info[1024]; /* @@ -579,7 +579,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, return( 0 ); } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) int report_cid_usage( mbedtls_ssl_context *ssl, @@ -768,7 +768,7 @@ int main( int argc, char *argv[] ) psa_status_t status; #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #endif rng_context_t rng; @@ -781,7 +781,9 @@ int main( int argc, char *argv[] ) mbedtls_timing_delay_context timer; #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) uint32_t flags; +#endif mbedtls_x509_crt cacert; mbedtls_x509_crt clicert; mbedtls_pk_context pkey; 
@@ -2131,7 +2133,8 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( opt.context_crt_cb == 1 ) mbedtls_ssl_set_verify( &ssl, my_verify, NULL ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -2455,7 +2458,8 @@ int main( int argc, char *argv[] ) } } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 5. Verify the server certificate */ @@ -2478,7 +2482,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Peer certificate information ...\n" ); mbedtls_printf( "%s\n", peer_crt_info ); #endif /* !MBEDTLS_X509_REMOVE_INFO */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ret = report_cid_usage( &ssl, "initial handshake" ); @@ -2853,9 +2857,10 @@ send_request: mbedtls_printf( " . Restarting connection from same port..." ); fflush( stdout ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { @@ -3089,9 +3094,10 @@ reconnect: mbedtls_printf( " . Reconnecting with saved session..." ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { 
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index e3587a5b5a..0554d2cb12 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1444,7 +1444,8 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cookie_ctx cookie_ctx; #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #endif mbedtls_ssl_context ssl; diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 20a0c6d8d5..c344b21826 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -254,23 +254,23 @@ depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C: handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:0 Handshake, RSA-WITH-AES-128-CCM -depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED handshake_cipher:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_PK_RSA:0 Handshake, DHE-RSA-WITH-AES-256-CBC-SHA256 -depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:0 Handshake, ECDHE-ECDSA-WITH-AES-256-CCM -depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:0 Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:0 Handshake, PSK-WITH-AES-128-CBC-SHA 
-depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":0 DTLS Handshake, tls1_2 
@@ -282,23 +282,23 @@ depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C: handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:1 DTLS Handshake, RSA-WITH-AES-128-CCM -depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS +depends_on:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED handshake_cipher:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_PK_RSA:1 DTLS Handshake, DHE-RSA-WITH-AES-256-CBC-SHA256 -depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS +depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:1 DTLS Handshake, ECDHE-ECDSA-WITH-AES-256-CCM -depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:1 DTLS Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_DTLS 
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:1 DTLS Handshake, PSK-WITH-AES-128-CBC-SHA -depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA +depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":1 DTLS Handshake with serialization, tls1_2 
@@ -354,27 +354,27 @@ depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER handshake_ciphersuite_select:"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384 -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO 
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select DHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage 
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque @@ -3115,7 +3115,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1 # - App data payload: 70696e67 # - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5 # - Padding used: No (== granularity 1) -depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5" SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 
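Review bot: The `ssl_tls13_record_protection` cases in hunk -3115, and the ones in hunks -3126, -3145 and -3164, name `MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, but their `depends_on` line still does not list `MBEDTLS_GCM_C`. If the suite definition is also gated on GCM, as its name suggests, a build with AES and ECDSA but without GCM would run these known-answer vectors and fail instead of skipping them. I would extend each line to `depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED`, unless the test function's own BEGIN_CASE header, which is not visible here, already covers it.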
@@ -3126,7 +3126,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 # - App data payload: 706f6e67 # - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7 # - Padding used: No (== granularity 1) -depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7" SSL TLS 1.3 Record Encryption RFC 8448 Example #1 @@ -3145,7 +3145,7 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #1 # 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6 # 3a ee bb 21 69 49 15 e4 # - Padding used: No (== granularity 1) -depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4" SSL TLS 1.3 Record Encryption RFC 8448 Example #2 
@@ -3164,12 +3164,12 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #2 # fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54 # 0d d0 32 e1 67 c2 95 5d # - Padding used: No (== granularity 1) -depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d" SSL TLS 1.3 Key schedule: Application secrets derivation helper # Vector from RFC 8448 -depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:PSA_WANT_ALG_SHA_256 +depends_on:MBEDTLS_AES_C:MBEDTLS_ECDSA_C:PSA_WANT_ALG_SHA_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ssl_tls13_derive_application_secrets:PSA_ALG_SHA_256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" SSL TLS 1.3 Key schedule: Resumption secrets derivation helper From 84f30f2eb022aa35084ff03368c7d14770af114b Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 3 Oct 2022 09:24:23 -0400 Subject: [PATCH 22/58] Add missing SHA256 dependency Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d169160de2..464ae06c50 100644 --- a/tests/suites/test_suite_ssl.function 
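Review bot: The `ssl_tls13_derive_application_secrets` case at the end of hunk -3164 now requires `MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED`, although the vector shown takes only `PSA_ALG_SHA_256` and hex inputs and names no ciphersuite. PATCH 23/58 does the same with `MBEDTLS_ECP_DP_CURVE25519_ENABLED` on the `ssl_tls13_key_evolution`, `ssl_tls13_hkdf_expand_label` and `ssl_tls13_create_psk_binder` vectors (hunks -2949 and -3181). A dependency the computation does not need makes these key-schedule known-answer tests skip silently in configurations where they could still run, which weakens the coverage the per-option builds are meant to give. If the requirement really comes from the test function or from TLS 1.3 setup code, it would be better placed on the function's BEGIN_CASE line, or explained with a comment such as `# needs an ECDHE key exchange because <reason>` above the `depends_on` line.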
+++ b/tests/suites/test_suite_ssl.function @@ -5828,7 +5828,7 @@ void conf_group() } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15 */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C */ void force_bad_session_id_len( ) { enum { BUFFSIZE = 1024 }; From 8e44139ca0e4328db54f39bfa0cd98b81492ce4c Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 3 Oct 2022 09:24:51 -0400 Subject: [PATCH 23/58] Add missing CURVE25519 requirements to TLS 1.3 tests Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.data | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index c344b21826..f2497ec6bb 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
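Review bot: The `MBEDTLS_SHA256_C` added to the BEGIN_CASE line of `force_bad_session_id_len` is the legacy module macro, while the handshake cases in test_suite_ssl.data elsewhere in this series express the same requirement as `MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA`. If SHA-256 can be provided through PSA in a build where `MBEDTLS_SHA256_C` is off, this test would be skipped there even though it could run. Consider using the same macro here, or add a short comment stating why the built-in module is specifically required. The function body continues outside the hunk, so how it uses SHA-256 is not visible.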
@@ -2949,26 +2949,26 @@ ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:255 SSL TLS 1.3 Key schedule: Secret evolution #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Initial secret to Early Secret -depends_on:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED ssl_tls13_key_evolution:PSA_ALG_SHA_256:"":"":"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a" SSL TLS 1.3 Key schedule: Secret evolution #2 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Early secret to Handshake Secret -depends_on:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED ssl_tls13_key_evolution:PSA_ALG_SHA_256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624":"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a" SSL TLS 1.3 Key schedule: Secret evolution #3 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Handshake secret to Master Secret -depends_on:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED ssl_tls13_key_evolution:PSA_ALG_SHA_256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d" SSL TLS 1.3 Key schedule: HKDF Expand Label #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic key # HKDF-Expand-Label(server_handshake_secret, "key", "", 16) -depends_on:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED ssl_tls13_hkdf_expand_label:PSA_ALG_SHA_256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":tls13_label_key:"":16:"844780a7acad9f980fa25c114e43402a" SSL TLS 1.3 Key schedule: HKDF Expand Label #2 
@@ -3181,7 +3181,7 @@ SSL TLS 1.3 Key schedule: PSK binder # Vector from RFC 8448 # For the resumption PSK, see Section 3, 'generate resumption secret "tls13 resumption"' # For all other data, see Section 4, 'construct a ClientHello handshake message:' -depends_on:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED ssl_tls13_create_psk_binder:PSA_ALG_SHA_256:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3":MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:"63224b2e4573f2d3454ca84b9d009a04f6be9e05711a8396473aefa01e924a14":"3add4fb2d8fdf822a0ca3cf7678ef5e88dae990141c5924d57bb6fa31b9e5f9d" SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE From e64bd43495fe9a5cbc4d6e94d37e6b52374daba7 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 3 Oct 2022 10:51:10 -0400 Subject: [PATCH 24/58] Add missing ECP and ECDH dependencies in ssl test suites Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.data | 67 +++++++++++++++++++++----------- 1 file changed, 44 insertions(+), 23 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index f2497ec6bb..eab6c862a7 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -111,53 +111,63 @@ Test moving clients handshake to state: CLIENT_HELLO move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_HELLO:1 Test moving clients handshake to state: SERVER_HELLO +depends_on:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO:1 Test moving clients handshake to state: SERVER_CERTIFICATE +depends_on:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_CERTIFICATE:1 Test moving clients handshake to state: SERVER_KEY_EXCHANGE -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_KEY_EXCHANGE:1 Test moving clients handshake to state: CERTIFICATE_REQUEST +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CERTIFICATE_REQUEST:1 Test moving clients handshake to state: SERVER_HELLO_DONE -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO_DONE:1 Test moving clients handshake to state: CLIENT_CERTIFICATE +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CERTIFICATE:1 Test moving clients handshake to state: CLIENT_KEY_EXCHANGE -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:1 Test moving clients handshake to state: CERTIFICATE_VERIFY +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CERTIFICATE_VERIFY:1 Test moving clients handshake to state: CLIENT_CHANGE_CIPHER_SPEC -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:1 Test moving clients handshake to state: 
CLIENT_FINISHED +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_FINISHED:1 Test moving clients handshake to state: SERVER_CHANGE_CIPHER_SPEC -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:1 Test moving clients handshake to state: SERVER_FINISHED +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_FINISHED:1 Test moving clients handshake to state: FLUSH_BUFFERS +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_FLUSH_BUFFERS:1 Test moving clients handshake to state: HANDSHAKE_WRAPUP +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HANDSHAKE_WRAPUP:1 Test moving clients handshake to state: HANDSHAKE_OVER +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HANDSHAKE_OVER:1 Test moving servers handshake to state: HELLO_REQUEST 
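Review bot: Besides `MBEDTLS_ECP_C`, hunk -111 adds `MBEDTLS_SSL_PROTO_TLS1_2` to client-side `move_handshake_to_state` cases that had no `depends_on` line before (CERTIFICATE_REQUEST, CLIENT_CERTIFICATE, CERTIFICATE_VERIFY, CLIENT_FINISHED, SERVER_FINISHED, FLUSH_BUFFERS, HANDSHAKE_WRAPUP, HANDSHAKE_OVER), which the commit message does not mention. The server-side hunk at -167 does the same. In a TLS 1.3-only build these state-machine cases would presumably now be skipped, while SERVER_HELLO and SERVER_CERTIFICATE, which receive only `depends_on:MBEDTLS_ECP_C`, keep running. If the narrowing is intended it deserves a line in the commit message; otherwise those cases should get `depends_on:MBEDTLS_ECP_C` alone.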
@@ -167,54 +177,63 @@ Test moving servers handshake to state: CLIENT_HELLO move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_HELLO:1 Test moving servers handshake to state: SERVER_HELLO +depends_on:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_HELLO:1 Test moving servers handshake to state: SERVER_CERTIFICATE +depends_on:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_CERTIFICATE:1 Test moving servers handshake to state: SERVER_KEY_EXCHANGE -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_KEY_EXCHANGE:1 Test moving servers handshake to state: CERTIFICATE_REQUEST +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CERTIFICATE_REQUEST:1 Test moving servers handshake to state: SERVER_HELLO_DONE -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_HELLO_DONE:1 Test moving servers handshake to state: CLIENT_CERTIFICATE +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CERTIFICATE:1 Test moving servers handshake to state: CLIENT_KEY_EXCHANGE -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:1 Test moving servers handshake to state: CERTIFICATE_VERIFY +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CERTIFICATE_VERIFY:1 Test moving servers handshake to state: CLIENT_CHANGE_CIPHER_SPEC -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:1 Test moving servers handshake to state: 
CLIENT_FINISHED +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_FINISHED:1 Test moving servers handshake to state: SERVER_CHANGE_CIPHER_SPEC -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:1 Test moving servers handshake to state: SERVER_FINISHED +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_FINISHED:1 Test moving servers handshake to state: FLUSH_BUFFERS -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_FLUSH_BUFFERS:1 Test moving servers handshake to state: HANDSHAKE_WRAPUP +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HANDSHAKE_WRAPUP:1 Test moving servers handshake to state: HANDSHAKE_OVER +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HANDSHAKE_OVER:1 Negative test moving clients ssl to state: VERIFY_REQUEST_SENT @@ -314,7 +333,7 @@ depends_on:MBEDTLS_SSL_PROTO_DTLS handshake_fragmentation:MBEDTLS_SSL_MAX_FRAG_LEN_1024:0:1 Handshake min/max version check, all -> 1.2 -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C handshake_version:0:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_TLS1_2 Handshake, select RSA-WITH-AES-256-CBC-SHA256, non-opaque 
@@ -458,41 +477,43 @@ depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Sending app data via TLS, MFL=512 without fragmentation -depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_512:400:512:1:1 Sending app data via TLS, MFL=512 with fragmentation -depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_512:513:1536:2:3 Sending app data via TLS, MFL=1024 without fragmentation -depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_1024:1000:1024:1:1 Sending app data via TLS, MFL=1024 with fragmentation -depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_1024:1025:5120:2:5 Sending app data via TLS, MFL=2048 without fragmentation -depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_2048:2000:2048:1:1 Sending app data via TLS, MFL=2048 with fragmentation -depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_2048:2049:8192:2:4 Sending app data via TLS, MFL=4096 without fragmentation -depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_4096:4000:4096:1:1 Sending app data via TLS, MFL=4096 with fragmentation -depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C 
app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_4096:4097:12288:2:3 Sending app data via TLS without MFL and without fragmentation +depends_on:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_NONE:16001:16384:1:1 Sending app data via TLS without MFL and with fragmentation +depends_on:MBEDTLS_ECP_C app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_NONE:16385:100000:2:7 Sending app data via DTLS, MFL=512 without fragmentation @@ -2955,13 +2976,13 @@ ssl_tls13_key_evolution:PSA_ALG_SHA_256:"":"":"33ad0a1c607ec03b09e6cd9893680ce21 SSL TLS 1.3 Key schedule: Secret evolution #2 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Early secret to Handshake Secret -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECP_C ssl_tls13_key_evolution:PSA_ALG_SHA_256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624":"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a" SSL TLS 1.3 Key schedule: Secret evolution #3 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Handshake secret to Master Secret -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECP_C ssl_tls13_key_evolution:PSA_ALG_SHA_256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d" SSL TLS 1.3 Key schedule: HKDF Expand Label #1 
@@ -3181,7 +3202,7 @@ SSL TLS 1.3 Key schedule: PSK binder # Vector from RFC 8448 # For the resumption PSK, see Section 3, 'generate resumption secret "tls13 resumption"' # For all other data, see Section 4, 'construct a ClientHello handshake message:' -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECP_C ssl_tls13_create_psk_binder:PSA_ALG_SHA_256:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3":MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:"63224b2e4573f2d3454ca84b9d009a04f6be9e05711a8396473aefa01e924a14":"3add4fb2d8fdf822a0ca3cf7678ef5e88dae990141c5924d57bb6fa31b9e5f9d" SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE From c19fb08dd37a58bb8a2dc99359d4a75a3abf60d4 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 3 Oct 2022 10:52:24 -0400 Subject: [PATCH 25/58] Add missing ECDH dependency in tls 1.3 client Signed-off-by: Andrzej Kurek --- library/ssl_tls13_client.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 2b59b4aae1..8510d8f3e6 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -379,6 +379,7 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end ) { +#if defined(MBEDTLS_ECDH_C) const mbedtls_ecp_curve_info *curve_info = NULL; const unsigned char *p = buf; int selected_group; @@ -435,6 +436,12 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl, ssl->handshake->offered_group_id = selected_group; return( 0 ); +#else + (void) ssl; + (void) buf; + (void) end; + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); +#endif } /* From e05b17fb85109b9eb516d8a3a72a0e643f404fd1 Mon Sep 17 00:00:00 2001 
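Review bot: In the new `#else` branch of `ssl_tls13_parse_hrr_key_share_ext` (hunk -435 of PATCH 25/58), a key_share extension received in a HelloRetryRequest is answered with `MBEDTLS_ERR_SSL_BAD_CONFIG` and, as far as the hunk shows, without pending an alert. The input comes from the peer, so in a build without `MBEDTLS_ECDH_C` the remote side can trigger this, and reporting it as a local configuration error makes it hard to tell apart from a real misconfiguration in logs. I would reject it the way an unacceptable group is rejected, for example `MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );` followed by `return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );`, and close the block with `#endif /* MBEDTLS_ECDH_C */`. The guarded body lies between the two hunks and is not visible, so whether the ECDH path pends an alert on its own error returns should be checked as well.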
From: Andrzej Kurek Date: Wed, 28 Sep 2022 03:17:56 -0400 Subject: [PATCH 26/58] Update depends.py Remove old and add new dependencies. Introduce a way to handle non-trivial problems stemming from exclusive group testing. Exclude SHA256 and SHA512, as these are tested in SHA224 and SHA384 jobs, respectively. Change config.h to mbedtls_config.h). Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 91 ++++++++++++++++++++++++++++++---------- 1 file changed, 69 insertions(+), 22 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 11af322fd6..b2a2f27b2a 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -68,7 +68,7 @@ cmd is a list of strings: a command name and its arguments.""" log_line(' '.join(cmd), prefix='+') def backup_config(options): - """Back up the library configuration file (config.h). + """Back up the library configuration file (mbedtls_config.h). If the backup file already exists, it is presumed to be the desired backup, so don't make another backup.""" if os.path.exists(options.config_backup): @@ -78,7 +78,7 @@ so don't make another backup.""" shutil.copy(options.config, options.config_backup) def restore_config(options): - """Restore the library configuration file (config.h). + """Restore the library configuration file (mbedtls_config.h). Remove the backup file if it was saved earlier.""" if options.own_backup: shutil.move(options.config_backup, options.config) @@ -88,7 +88,7 @@ Remove the backup file if it was saved earlier.""" def run_config_pl(options, args): """Run scripts/config.pl with the specified arguments.""" cmd = ['scripts/config.pl'] - if options.config != 'include/mbedtls/config.h': + if options.config != 'include/mbedtls/mbedtls_config.h': cmd += ['--file', options.config] cmd += args log_command(cmd) 
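Review bot: The path `'include/mbedtls/mbedtls_config.h'` is hard-coded in `run_config_pl` (hunk -88) and again as the `--config` default in the argument parser (hunk -415), so the two literals have to be kept in step by hand, which is what this rename had to do. A module-level constant, for example `DEFAULT_CONFIG = 'include/mbedtls/mbedtls_config.h'`, used in both places would remove that coupling. If the comparison in `run_config_pl` ever drifts from the parser default, the script would pass `--file` when it is not needed, or omit it when it is.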
@@ -123,7 +123,7 @@ If what is False, announce that the job has failed.''' log_line('starting ' + self.name) def set_reference_config(self, options): - """Change the library configuration file (config.h) to the reference state. + """Change the library configuration file (mbedtls_config.h) to the reference state. The reference state is the one from which the tested configurations are derived.""" # Turn off memory management options that are not relevant to @@ -181,22 +181,19 @@ ssl_pre_1_2_dependencies = ['MBEDTLS_SSL_CBC_RECORD_SPLITTING', # to extract automatically. reverse_dependencies = { 'MBEDTLS_AES_C': ['MBEDTLS_CTR_DRBG_C', - 'MBEDTLS_NIST_KW_C', - 'MBEDTLS_PSA_CRYPTO_STORAGE_C', - 'MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C', - 'MBEDTLS_PSA_CRYPTO_C'], + 'MBEDTLS_NIST_KW_C'], 'MBEDTLS_CHACHA20_C': ['MBEDTLS_CHACHAPOLY_C'], - 'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], + 'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED'], 'MBEDTLS_ECP_C': ['MBEDTLS_ECDSA_C', 'MBEDTLS_ECDH_C', 'MBEDTLS_ECJPAKE_C', - 'MBEDTLS_ECP_RESTARTABLE', - 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'], + 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_MD5_C': ssl_pre_1_2_dependencies, 'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 
@@ -208,13 +205,59 @@ reverse_dependencies = { 'MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED'], + 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', + 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], 'MBEDTLS_SHA1_C': ssl_pre_1_2_dependencies, 'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', - 'MBEDTLS_ENTROPY_FORCE_SHA256'], - 'MBEDTLS_X509_RSASSA_PSS_SUPPORT': [], + 'MBEDTLS_ENTROPY_FORCE_SHA256', + 'MBEDTLS_SHA224_C', + 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', + 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', + 'MBEDTLS_SSL_PROTO_TLS1_3'], + 'MBEDTLS_SHA512_C': ['MBEDTLS_SHA384_C', + 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', + 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'], + 'MBEDTLS_SHA224_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', + 'MBEDTLS_ENTROPY_FORCE_SHA256', + 'MBEDTLS_SHA256_C', + 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', + 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY'], + 'MBEDTLS_SHA384_C': ['MBEDTLS_SSL_PROTO_TLS1_3'], + 'MBEDTLS_X509_RSASSA_PSS_SUPPORT': [] } +# If an option is tested in an exclusive test, alter the following defines. +# These are not neccesarily dependencies, but just minimal required changes +# if a given define is the only one enabled from an exclusive group. 
+exclusive_groups = { + 'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C'], + 'MBEDTLS_SHA384_C': ['MBEDTLS_SHA512_C'], + 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['!MBEDTLS_ECDSA_C', + '!MBEDTLS_ECDSA_DETERMINISTIC', + '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', + '!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', + '!MBEDTLS_ECJPAKE_C', + '!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], + 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['!MBEDTLS_ECDSA_C', + '!MBEDTLS_ECDSA_DETERMINISTIC', + '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', + '!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', + '!MBEDTLS_ECJPAKE_C', + '!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], + 'MBEDTLS_ARIA_C': ['!MBEDTLS_CMAC_C'], + 'MBEDTLS_CAMELLIA_C': ['!MBEDTLS_CMAC_C'], + 'MBEDTLS_CHACHA20_C': ['!MBEDTLS_CMAC_C', '!MBEDTLS_CCM_C', '!MBEDTLS_GCM_C'], + 'MBEDTLS_DES_C': ['!MBEDTLS_CCM_C', '!MBEDTLS_GCM_C'], +} +def handle_exclusive_groups(config_settings, symbol): + """For every symbol tested in an exclusive group check if there are other +defines to be altered. """ + for dep in exclusive_groups.get(symbol, []): + unset = dep.startswith('!') + if unset: + dep=dep[1:] + config_settings[dep] = not unset + def turn_off_dependencies(config_settings): """For every option turned off config_settings, also turn off what depends on it. An option O is turned off if config_settings[O] is False.""" @@ -252,6 +295,8 @@ would match this regular expression.""" continue config_settings = base_config_settings.copy() config_settings[symbol] = not invert + if not invert: + handle_exclusive_groups(config_settings, symbol) turn_off_dependencies(config_settings) job = Job(description, config_settings, commands) self.jobs.append(job) 
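Review bot: `handle_exclusive_groups` writes every name from `exclusive_groups` into `config_settings` without checking that it is a known configuration symbol, so a misspelt entry would be accepted silently; how such an entry is treated when the job is applied is outside this hunk. A check against the collected config symbols would catch that, and the docstring could state the table's convention, e.g. `"""Apply the extra settings listed in exclusive_groups for symbol; a leading '!' turns the option off, otherwise it is turned on."""`. The comment above the table also has a typo (`neccesarily`).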
@@ -285,7 +330,7 @@ class CipherInfo: class DomainData: """Collect data about the library.""" def collect_config_symbols(self, options): - """Read the list of settings from config.h. + """Read the list of settings from mbedtls_config.h. Return them in a generator.""" with open(options.config) as config_file: rx = re.compile(r'\s*(?://\s*)?#define\s+(\w+)\s*(?:$|/[/*])') @@ -295,7 +340,7 @@ Return them in a generator.""" yield m.group(1) def config_symbols_matching(self, regexp): - """List the config.h settings matching regexp.""" + """List the mbedtls_config.h settings matching regexp.""" return [symbol for symbol in self.all_config_symbols if re.match(regexp, symbol)] @@ -312,7 +357,8 @@ Return them in a generator.""" key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') # Find cipher IDs (block permutations and stream ciphers --- chaining # and padding modes are exercised separately) information by parsing - # cipher.h, as the information is not readily available in config.h. + # cipher.h, as the information is not readily available in mbedtls_config.h. + cipher_info = CipherInfo(options) # Find block cipher chaining and padding mode enabling macros by name. cipher_chaining_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_MODE_\w+\Z') @@ -328,9 +374,10 @@ Return them in a generator.""" # Elliptic curves. Run the test suites. 'curves': ExclusiveDomain(curve_symbols, build_and_test), # Hash algorithms. Exclude configurations with only one - # hash which is obsolete. Run the test suites. + # hash which is obsolete. Run the test suites. Exclude + # SHA512 and SHA256, as these are tested with SHA384 and SHA224. 'hashes': ExclusiveDomain(hash_symbols, build_and_test, - exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_)'), + exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_|SHA256_|SHA512_)|!MBEDTLS_(SHA256_|SHA512_)'), # Key exchange types. Only build the library and the sample # programs. 'kex': ExclusiveDomain(key_exchange_symbols, 
@@ -415,7 +462,7 @@ if __name__ == '__main__': choices=['always', 'auto', 'never'], default='auto') parser.add_argument('-c', '--config', metavar='FILE', help='Configuration file to modify', - default='include/mbedtls/config.h') + default='include/mbedtls/mbedtls_config.h') parser.add_argument('-C', '--directory', metavar='DIR', help='Change to this directory before anything else', default='.') @@ -435,7 +482,7 @@ if __name__ == '__main__': help='Command to run instead of make (e.g. gmake)', action='store', default='make') parser.add_argument('domains', metavar='DOMAIN', nargs='*', - help='The domain(s) to test (default: all)', + help='The domain(s) to test (default: all). This can be also a list of jobs to run.', default=True) options = parser.parse_args() os.chdir(options.directory) From 3cca0c8e68a6d548288c210fbeae121582ffc766 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 4 Oct 2022 10:38:28 -0400 Subject: [PATCH 27/58] Add an all.sh component running depends.pl Signed-off-by: Andrzej Kurek --- tests/scripts/all.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index f1b2f0e29f..93dbfb968e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1777,6 +1777,11 @@ component_build_key_exchanges () { tests/scripts/key-exchanges.pl } +component_test_depends () { + msg "test/build: depends.py (gcc)" # ~ 15 min + tests/scripts/depends.py +} + component_test_make_cxx () { msg "build: Unix make, full, gcc + g++" scripts/config.py full From 0e8b2d74f0fa7c30ce30ceedd6cadfba25b4cb44 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 4 Oct 2022 11:14:59 -0400 Subject: [PATCH 28/58] Fix python formatting and indentation Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index b2a2f27b2a..79a43dd6c9 100755 --- a/tests/scripts/depends.py 
+++ b/tests/scripts/depends.py @@ -233,17 +233,17 @@ exclusive_groups = { 'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C'], 'MBEDTLS_SHA384_C': ['MBEDTLS_SHA512_C'], 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['!MBEDTLS_ECDSA_C', - '!MBEDTLS_ECDSA_DETERMINISTIC', - '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - '!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', - '!MBEDTLS_ECJPAKE_C', - '!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], + '!MBEDTLS_ECDSA_DETERMINISTIC', + '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', + '!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', + '!MBEDTLS_ECJPAKE_C', + '!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['!MBEDTLS_ECDSA_C', - '!MBEDTLS_ECDSA_DETERMINISTIC', - '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - '!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', - '!MBEDTLS_ECJPAKE_C', - '!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], + '!MBEDTLS_ECDSA_DETERMINISTIC', + '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', + '!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', + '!MBEDTLS_ECJPAKE_C', + '!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_ARIA_C': ['!MBEDTLS_CMAC_C'], 'MBEDTLS_CAMELLIA_C': ['!MBEDTLS_CMAC_C'], 'MBEDTLS_CHACHA20_C': ['!MBEDTLS_CMAC_C', '!MBEDTLS_CCM_C', '!MBEDTLS_GCM_C'], @@ -255,7 +255,7 @@ defines to be altered. """ for dep in exclusive_groups.get(symbol, []): unset = dep.startswith('!') if unset: - dep=dep[1:] + dep = dep[1:] config_settings[dep] = not unset def turn_off_dependencies(config_settings): From 3322c220870ac6e65a043e5de8ac7cf0f8ebf104 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 4 Oct 2022 15:02:41 -0400 Subject: [PATCH 29/58] Improve depends.py structrue Apply most improvements suggested by pylint. Use config.py instead of config.pl. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 105 +++++++++++++++++++-------------------- 1 file changed, 52 insertions(+), 53 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 79a43dd6c9..4c47778b09 100755 --- a/tests/scripts/depends.py 
+++ b/tests/scripts/depends.py @@ -28,7 +28,7 @@ import subprocess import sys import traceback -class Colors: +class Colors: # pylint: disable=too-few-public-methods """Minimalistic support for colored output. Each field of an object of this class is either None if colored output is not possible or not desired, or a pair of strings (start, stop) such @@ -39,6 +39,7 @@ stop switches the text color back to the default.""" bold_red = None bold_green = None def __init__(self, options=None): + """Initialize color profile according to passed options.""" if not options or options.color in ['no', 'never']: want_color = False elif options.color in ['yes', 'always']: @@ -56,7 +57,7 @@ NO_COLORS = Colors(None) def log_line(text, prefix='depends.py:', suffix='', color=None): """Print a status message.""" - if color != None: + if color is not None: prefix = color[0] + prefix suffix = suffix + color[1] sys.stderr.write(prefix + ' ' + text + suffix + '\n') 
@@ -86,14 +87,35 @@ Remove the backup file if it was saved earlier.""" shutil.copy(options.config_backup, options.config) def run_config_pl(options, args): - """Run scripts/config.pl with the specified arguments.""" - cmd = ['scripts/config.pl'] + """Run scripts/config.py with the specified arguments.""" + cmd = ['scripts/config.py'] if options.config != 'include/mbedtls/mbedtls_config.h': cmd += ['--file', options.config] cmd += args log_command(cmd) subprocess.check_call(cmd) +def set_reference_config(options): + """Change the library configuration file (mbedtls_config.h) to the reference state. +The reference state is the one from which the tested configurations are +derived.""" + # Turn off memory management options that are not relevant to + # the tests and slow them down. + run_config_pl(options, ['full']) + run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BACKTRACE']) + run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BUFFER_ALLOC_C']) + run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_DEBUG']) + +def collect_config_symbols(options): + """Read the list of settings from mbedtls_config.h. +Return them in a generator.""" + with open(options.config, encoding="utf-8") as config_file: + rx = re.compile(r'\s*(?://\s*)?#define\s+(\w+)\s*(?:$|/[/*])') + for line in config_file: + m = re.match(rx, line) + if m: + yield m.group(1) + class Job: """A job builds the library in a specific configuration and runs some tests.""" def __init__(self, name, config_settings, commands): 
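Review bot: `run_config_pl` keeps its Perl-era name although its body in this hunk of tests/scripts/depends.py now builds the command from `scripts/config.py`. The new `set_reference_config` calls it four times, so those calls read as if the Perl tool were still in use. Renaming it to `def run_config_py(options, args):` and updating the callers would match the docstring this commit already corrects. Other callers may sit outside the hunk, so the rename has to cover the whole file.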
@@ -122,21 +144,10 @@ If what is False, announce that the job has failed.''' else: log_line('starting ' + self.name) - def set_reference_config(self, options): - """Change the library configuration file (mbedtls_config.h) to the reference state. - The reference state is the one from which the tested configurations are - derived.""" - # Turn off memory management options that are not relevant to - # the tests and slow them down. - run_config_pl(options, ['full']) - run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BACKTRACE']) - run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BUFFER_ALLOC_C']) - run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_DEBUG']) - def configure(self, options): '''Set library configuration options as required for the job. config_file_name indicates which file to modify.''' - self.set_reference_config(options) + set_reference_config(options) for key, value in sorted(self.config_settings.items()): if value is True: args = ['set', key] @@ -267,11 +278,7 @@ An option O is turned off if config_settings[O] is False.""" for dep in reverse_dependencies.get(key, []): config_settings[dep] = False -class Domain: - """A domain is a set of jobs that all relate to a particular configuration aspect.""" - pass - -class ExclusiveDomain(Domain): +class ExclusiveDomain: # pylint: disable=too-few-public-methods """A domain consisting of a set of conceptually-equivalent settings. Establish a list of configuration symbols. For each symbol, run a test job with this symbol set and the others unset, and a test job with this symbol @@ -301,7 +308,7 @@ would match this regular expression.""" job = Job(description, config_settings, commands) self.jobs.append(job) -class ComplementaryDomain: +class ComplementaryDomain: # pylint: disable=too-few-public-methods """A domain consisting of a set of loosely-related settings. Establish a list of configuration symbols. For each symbol, run a test job with this symbol unset.""" 
@@ -317,28 +324,18 @@ Each job runs the specified commands.""" job = Job(description, config_settings, commands) self.jobs.append(job) -class CipherInfo: +class CipherInfo: # pylint: disable=too-few-public-methods """Collect data about cipher.h.""" - def __init__(self, options): + def __init__(self): self.base_symbols = set() - with open('include/mbedtls/cipher.h') as fh: + with open('include/mbedtls/cipher.h', encoding="utf-8") as fh: for line in fh: m = re.match(r' *MBEDTLS_CIPHER_ID_(\w+),', line) if m and m.group(1) not in ['NONE', 'NULL', '3DES']: self.base_symbols.add('MBEDTLS_' + m.group(1) + '_C') class DomainData: - """Collect data about the library.""" - def collect_config_symbols(self, options): - """Read the list of settings from mbedtls_config.h. -Return them in a generator.""" - with open(options.config) as config_file: - rx = re.compile(r'\s*(?://\s*)?#define\s+(\w+)\s*(?:$|/[/*])') - for line in config_file: - m = re.match(rx, line) - if m: - yield m.group(1) - + """A container for domains and jobs, used to structurize testing.""" def config_symbols_matching(self, regexp): """List the mbedtls_config.h settings matching regexp.""" return [symbol for symbol in self.all_config_symbols @@ -348,7 +345,7 @@ Return them in a generator.""" """Gather data about the library and establish a list of domains to test.""" build_command = [options.make_command, 'CFLAGS=-Werror'] build_and_test = [build_command, [options.make_command, 'test']] - self.all_config_symbols = set(self.collect_config_symbols(options)) + self.all_config_symbols = set(collect_config_symbols(options)) # Find hash modules by name. hash_symbols = self.config_symbols_matching(r'MBEDTLS_(MD|RIPEMD|SHA)[0-9]+_C\Z') # Find elliptic curve enabling macros by name. 
@@ -359,7 +356,7 @@ Return them in a generator.""" # and padding modes are exercised separately) information by parsing # cipher.h, as the information is not readily available in mbedtls_config.h. - cipher_info = CipherInfo(options) + cipher_info = CipherInfo() # Find block cipher chaining and padding mode enabling macros by name. cipher_chaining_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_MODE_\w+\Z') cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z') @@ -377,7 +374,8 @@ Return them in a generator.""" # hash which is obsolete. Run the test suites. Exclude # SHA512 and SHA256, as these are tested with SHA384 and SHA224. 'hashes': ExclusiveDomain(hash_symbols, build_and_test, - exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_|SHA256_|SHA512_)|!MBEDTLS_(SHA256_|SHA512_)'), + exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_|SHA256_|SHA512_)\ + |!MBEDTLS_(SHA256_|SHA512_)'), # Key exchange types. Only build the library and the sample # programs. 'kex': ExclusiveDomain(key_exchange_symbols, @@ -413,7 +411,7 @@ def run(options, job, colors=NO_COLORS): job.announce(colors, success) return success -def main(options, domain_data): +def run_tests(options, domain_data): """Run the desired jobs. domain_data should be a DomainData instance that describes the available domains and jobs. @@ -453,8 +451,7 @@ Run the jobs listed in options.domains.""" else: return True - -if __name__ == '__main__': +def main(): try: parser = argparse.ArgumentParser(description=__doc__) parser.add_argument('--color', metavar='WHEN', 
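Review bot: The `exclude` pattern of the `hashes` domain (tests/scripts/depends.py, `@@ -377,7 +374,8 @@`) is now a raw string split with a trailing backslash, and in a raw string the backslash and the line break both stay in the value. The first alternative then ends in an escaped newline plus the continuation line's leading whitespace, which no job description contains. As a result the jobs for `MD`, `RIPEMD`, `SHA1_`, `SHA256_` and `SHA512_` would stop being skipped; only the `!MBEDTLS_(SHA256_|SHA512_)` alternative still matches. Adjacent literals avoid this: `exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_|SHA256_|SHA512_)'` followed on the next line by `r'|!MBEDTLS_(SHA256_|SHA512_)'`. The `domains` help text in the `@@ -482,22 +479,24 @@` hunk uses the same backslash split, where it only embeds extra spaces in the message.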
@@ -482,22 +479,24 @@ if __name__ == '__main__': help='Command to run instead of make (e.g. gmake)', action='store', default='make') parser.add_argument('domains', metavar='DOMAIN', nargs='*', - help='The domain(s) to test (default: all). This can be also a list of jobs to run.', + help='The domain(s) to test (default: all). This can \ + be also a list of jobs to run.', default=True) options = parser.parse_args() os.chdir(options.directory) domain_data = DomainData(options) - if options.domains == True: + if options.domains is True: options.domains = sorted(domain_data.domains.keys()) if options.list: - for what in options.list: - for key in sorted(getattr(domain_data, what).keys()): - print(key) - exit(0) + for arg in options.list: + for domain_name in sorted(getattr(domain_data, arg).keys()): + print(domain_name) + sys.exit(0) else: - sys.exit(0 if main(options, domain_data) else 1) - except SystemExit: - raise - except: + sys.exit(0 if run_tests(options, domain_data) else 1) + except Exception: # pylint: disable=broad-except traceback.print_exc() - exit(3) + sys.exit(3) + +if __name__ == '__main__': + main() From 202932f521372a78da629d552ccab3758bcd1761 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 4 Oct 2022 16:22:22 -0400 Subject: [PATCH 30/58] Use upper case for constants in depends.py Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 4c47778b09..feb88f2434 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -180,17 +180,17 @@ and subsequent commands are tests that cannot run if the build failed).''' # SSL/TLS versions up to 1.1 and corresponding options. These require # both MD5 and SHA-1. -ssl_pre_1_2_dependencies = ['MBEDTLS_SSL_CBC_RECORD_SPLITTING', +SSL_PRE_1_2_DEPENDENCIES = ['MBEDTLS_SSL_CBC_RECORD_SPLITTING', 'MBEDTLS_SSL_PROTO_SSL3', 'MBEDTLS_SSL_PROTO_TLS1', 'MBEDTLS_SSL_PROTO_TLS1_1'] # If the configuration option A requires B, make sure that -# B in reverse_dependencies[A]. +# B in REVERSE_DEPENDENCIES[A]. # All the information here should be contained in check_config.h. This # file includes a copy because it changes rarely and it would be a pain # to extract automatically. -reverse_dependencies = { +REVERSE_DEPENDENCIES = { 'MBEDTLS_AES_C': ['MBEDTLS_CTR_DRBG_C', 'MBEDTLS_NIST_KW_C'], 'MBEDTLS_CHACHA20_C': ['MBEDTLS_CHACHAPOLY_C'], @@ -206,7 +206,7 @@ reverse_dependencies = { 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], - 'MBEDTLS_MD5_C': ssl_pre_1_2_dependencies, + 'MBEDTLS_MD5_C': SSL_PRE_1_2_DEPENDENCIES, 'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', @@ -218,7 +218,7 @@ reverse_dependencies = { 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], - 'MBEDTLS_SHA1_C': ssl_pre_1_2_dependencies, + 'MBEDTLS_SHA1_C': SSL_PRE_1_2_DEPENDENCIES, 'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA224_C', 
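Review bot: The comment rewritten in the `@@ -180,17 +180,17 @@` hunk states the mapping backwards: it says that if A requires B then B is in `REVERSE_DEPENDENCIES[A]`, but the table is keyed the other way round. `'MBEDTLS_CHACHA20_C': ['MBEDTLS_CHACHAPOLY_C']` lists the option that needs ChaCha20 under the ChaCha20 key. `turn_off_dependencies` (in the `@@ -275,7 +275,7 @@` hunk of the same commit) likewise disables every entry listed under a key that is off. Suggested wording: `# If the configuration option A requires B, make sure that` then `# A in REVERSE_DEPENDENCIES[B].` The table continues outside the hunk.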
@@ -240,7 +240,7 @@ reverse_dependencies = { # If an option is tested in an exclusive test, alter the following defines. # These are not neccesarily dependencies, but just minimal required changes # if a given define is the only one enabled from an exclusive group. -exclusive_groups = { +EXCLUSIVE_GROUPS = { 'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C'], 'MBEDTLS_SHA384_C': ['MBEDTLS_SHA512_C'], 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['!MBEDTLS_ECDSA_C', @@ -263,7 +263,7 @@ exclusive_groups = { def handle_exclusive_groups(config_settings, symbol): """For every symbol tested in an exclusive group check if there are other defines to be altered. """ - for dep in exclusive_groups.get(symbol, []): + for dep in EXCLUSIVE_GROUPS.get(symbol, []): unset = dep.startswith('!') if unset: dep = dep[1:] @@ -275,7 +275,7 @@ An option O is turned off if config_settings[O] is False.""" for key, value in sorted(config_settings.items()): if value is not False: continue - for dep in reverse_dependencies.get(key, []): + for dep in REVERSE_DEPENDENCIES.get(key, []): config_settings[dep] = False class ExclusiveDomain: # pylint: disable=too-few-public-methods From fcbd2acbc2faf7e3e651551c2ea130bea15a4b58 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 5 Oct 2022 09:14:07 -0400 Subject: [PATCH 31/58] Split depends.py all.sh job into seven Signed-off-by: Andrzej Kurek --- tests/scripts/all.sh | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 93dbfb968e..07adc15232 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -1777,9 +1777,39 @@ component_build_key_exchanges () { tests/scripts/key-exchanges.pl } -component_test_depends () { - msg "test/build: depends.py (gcc)" # ~ 15 min - tests/scripts/depends.py +component_test_depends_py_cipher_id () { + msg "test/build: depends.py cipher_id (gcc)" + tests/scripts/depends.py cipher_id +} + +component_test_depends_py_cipher_chaining () { + msg "test/build: depends.py cipher_chaining (gcc)" + tests/scripts/depends.py cipher_chaining +} + +component_test_depends_py_cipher_padding () { + msg "test/build: depends.py cipher_padding (gcc)" + tests/scripts/depends.py cipher_padding +} + +component_test_depends_py_curves () { + msg "test/build: depends.py curves (gcc)" + tests/scripts/depends.py curves +} + +component_test_depends_py_hashes () { + msg "test/build: depends.py hashes (gcc)" + tests/scripts/depends.py hashes +} + +component_test_depends_py_kex () { + msg "test/build: depends.py kex (gcc)" + tests/scripts/depends.py kex +} + +component_test_depends_py_pkalgs () { + msg "test/build: depends.py pkalgs (gcc)" + tests/scripts/depends.py pkalgs } component_test_make_cxx () { From fe469496862789a9eb3b20ff15a9021b06671a21 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 6 Oct 2022 16:57:38 -0400 Subject: [PATCH 32/58] depends.py: disable part of the test jobs Disable exclusive jobs that run with a single config disabled. A lot more bugs should be found by running jobs with only one config of a family enabled. This will also lessen the burden on the CI. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index feb88f2434..859cad14a8 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
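Review bot: The seven `component_test_depends_py_*` functions added in this hunk of tests/scripts/all.sh hard-code the domain names that depends.py defines in `DomainData`. A domain added there later would not be run by any component, and nothing would fail to signal the gap. A comment above the group would make the coupling visible: `# One component per depends.py domain; keep in sync with the domains dict in tests/scripts/depends.py.` The removed component also carried a `# ~ 15 min` duration hint on its `msg` line that none of the replacements keep. Whether the seven names cover every current domain cannot be confirmed from the hunks shown here.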
@@ -281,32 +281,28 @@ An option O is turned off if config_settings[O] is False.""" class ExclusiveDomain: # pylint: disable=too-few-public-methods """A domain consisting of a set of conceptually-equivalent settings. Establish a list of configuration symbols. For each symbol, run a test job -with this symbol set and the others unset, and a test job with this symbol -unset and the others set.""" +with this symbol set and the others unset.""" def __init__(self, symbols, commands, exclude=None): """Build a domain for the specified list of configuration symbols. -The domain contains two sets of jobs: jobs that enable one of the elements -of symbols and disable the others, and jobs that disable one of the elements -of symbols and enable the others. +The domain contains a set of jobs that enable one of the elements +of symbols and disable the others. Each job runs the specified commands. If exclude is a regular expression, skip generated jobs whose description would match this regular expression.""" self.jobs = [] - for invert in [False, True]: - base_config_settings = {} - for symbol in symbols: - base_config_settings[symbol] = invert - for symbol in symbols: - description = '!' 
+ symbol if invert else symbol - if exclude and re.match(exclude, description): - continue - config_settings = base_config_settings.copy() - config_settings[symbol] = not invert - if not invert: - handle_exclusive_groups(config_settings, symbol) - turn_off_dependencies(config_settings) - job = Job(description, config_settings, commands) - self.jobs.append(job) + base_config_settings = {} + for symbol in symbols: + base_config_settings[symbol] = False + for symbol in symbols: + description = symbol + if exclude and re.match(exclude, description): + continue + config_settings = base_config_settings.copy() + config_settings[symbol] = True + handle_exclusive_groups(config_settings, symbol) + turn_off_dependencies(config_settings) + job = Job(description, config_settings, commands) + self.jobs.append(job) class ComplementaryDomain: # pylint: disable=too-few-public-methods """A domain consisting of a set of loosely-related settings. From 228b12ce54cbe9994fb255bb176869510aec4db3 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 6 Oct 2022 18:52:44 -0400 Subject: [PATCH 33/58] Rework depends.py to run more tests with hashes The test coverage reduction introduced in dc25cee lowered the coverage of hash tests due to intertwining dependencies. This commit introduces a new class for building a domain using both the complementary and exclusive classes. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 859cad14a8..2d7750f77e 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -278,7 +278,13 @@ An option O is turned off if config_settings[O] is False.""" for dep in REVERSE_DEPENDENCIES.get(key, []): config_settings[dep] = False -class ExclusiveDomain: # pylint: disable=too-few-public-methods +class BaseDomain: # pylint: disable=too-few-public-methods, unused-argument + """A base class for all domains.""" + def __init__(self, symbols, commands, exclude): + """Initialize the jobs container""" + self.jobs = [] + +class ExclusiveDomain(BaseDomain): # pylint: disable=too-few-public-methods """A domain consisting of a set of conceptually-equivalent settings. Establish a list of configuration symbols. For each symbol, run a test job with this symbol set and the others unset.""" @@ -289,7 +295,7 @@ of symbols and disable the others. Each job runs the specified commands. If exclude is a regular expression, skip generated jobs whose description would match this regular expression.""" - self.jobs = [] + super().__init__(symbols, commands, exclude) base_config_settings = {} for symbol in symbols: base_config_settings[symbol] = False 
@@ -304,22 +310,29 @@ would match this regular expression.""" job = Job(description, config_settings, commands) self.jobs.append(job) -class ComplementaryDomain: # pylint: disable=too-few-public-methods +class ComplementaryDomain(BaseDomain): # pylint: disable=too-few-public-methods """A domain consisting of a set of loosely-related settings. Establish a list of configuration symbols. For each symbol, run a test job with this symbol unset.""" - def __init__(self, symbols, commands): + def __init__(self, symbols, commands, exclude=None): """Build a domain for the specified list of configuration symbols. Each job in the domain disables one of the specified symbols. Each job runs the specified commands.""" - self.jobs = [] + super().__init__(symbols, commands, exclude) for symbol in symbols: description = '!' + symbol + if exclude and re.match(exclude, description): + continue config_settings = {symbol: False} turn_off_dependencies(config_settings) job = Job(description, config_settings, commands) self.jobs.append(job) +class DualDomain(ExclusiveDomain, ComplementaryDomain): # pylint: disable=too-few-public-methods + """A domain that contains both the ExclusiveDomain and BaseDomain tests""" + def __init__(self, symbols, commands, exclude=None): + super().__init__(symbols=symbols, commands=commands, exclude=exclude) + class CipherInfo: # pylint: disable=too-few-public-methods """Collect data about cipher.h.""" def __init__(self): 
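Review bot: The docstring of the new `DualDomain` class names the wrong parent, and the class relies on an initialisation order that is not documented. It says the domain contains "both the ExclusiveDomain and BaseDomain tests", while the jobs come from `ExclusiveDomain` and `ComplementaryDomain`; `BaseDomain` only creates the empty `jobs` list. The single `super().__init__(...)` call yields both job sets only because each parent calls `super().__init__` before appending and `self.jobs = []` runs in `BaseDomain` alone. A parent that reset `self.jobs` itself would silently drop the other parent's jobs. Suggested docstring: `"""A domain that runs both the ExclusiveDomain and ComplementaryDomain jobs; relies on cooperative super().__init__ calls along the MRO."""`, plus a one-line docstring on `DualDomain.__init__`.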
@@ -369,9 +382,9 @@ class DomainData: # Hash algorithms. Exclude configurations with only one # hash which is obsolete. Run the test suites. Exclude # SHA512 and SHA256, as these are tested with SHA384 and SHA224. - 'hashes': ExclusiveDomain(hash_symbols, build_and_test, - exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_|SHA256_|SHA512_)\ - |!MBEDTLS_(SHA256_|SHA512_)'), + 'hashes': DualDomain(hash_symbols, build_and_test, + exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_|SHA256_|SHA512_)' \ + '|!MBEDTLS_(SHA256_|SHA512_)'), # Key exchange types. Only build the library and the sample # programs. 'kex': ExclusiveDomain(key_exchange_symbols, From eabeb30c65d5f31856af46100ffe4c9fc2bd843b Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 17 Oct 2022 07:52:51 -0400 Subject: [PATCH 34/58] Fix SHA512 vs SHA384 dependencies When building SHA512 without SHA384, there are some code paths that resulted in unused variables or usage of undefined code. This commit fixes that. Signed-off-by: Andrzej Kurek --- library/ssl_cookie.c | 4 ++-- library/ssl_tls.c | 24 ++++++++++++++++++------ programs/fuzz/fuzz_dtlsserver.c | 10 +++++++--- tests/scripts/depends.py | 1 + 4 files changed, 28 insertions(+), 11 deletions(-) diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c index 190c0f0667..3f9bf87b42 100644 --- a/library/ssl_cookie.c +++ b/library/ssl_cookie.c @@ -38,8 +38,8 @@ #include /* - * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is - * available. Try SHA-256 first, 512 wastes resources + * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-384 is + * available. Try SHA-256 first, 384 wastes resources */ #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA) #define COOKIE_MD MBEDTLS_MD_SHA224 diff --git a/library/ssl_tls.c b/library/ssl_tls.c index eee0dadacf..4678f53864 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
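Review bot: The comment updated in library/ssl_cookie.c (`@@ -38,8 +38,8 @@`) still does not match the selection code directly below it. It lists SHA-1, SHA-256 and SHA-384 and says "Try SHA-256 first", but the first branch visible in the hunk tests `MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA` and picks `MBEDTLS_MD_SHA224`. The comment should either mention SHA-224 as the first choice or explain why it is treated as part of the SHA-256 case, for example `* available. Try SHA-224/SHA-256 first, 384 wastes resources`. The remaining branches of the `#if` chain are outside the hunk.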
@@ -604,6 +604,12 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, mbedtls_sha512_update( &ssl->handshake->fin_sha384, buf, len ); #endif #endif +#if !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ssl; + (void) buf; + (void) len; +#endif } #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) @@ -5165,6 +5171,10 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, goto exit; exit: +#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ssl; +#endif return( psa_ssl_status_to_mbedtls( status ) ); } #else /* MBEDTLS_USE_PSA_CRYPTO */ @@ -5437,6 +5447,8 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de return( PSA_SUCCESS ); } +#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ + defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) MBEDTLS_CHECK_RETURN_CRITICAL static int tls_prf_generic( mbedtls_md_type_t md_type, const unsigned char *secret, size_t slen, @@ -5511,7 +5523,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, return( 0 ); } - +#endif #else /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_CHECK_RETURN_CRITICAL @@ -5917,7 +5929,10 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) default: return( -1 ); } - +#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ + !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) + (void) ssl; +#endif return( 0 ); } 
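Review bot: When neither `MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA` nor `MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA` is defined, the lines added to `ssl_update_checksum_start` (library/ssl_tls.c, `@@ -604,6 +604,12 @@`) leave a function that, as far as the hunk shows, hashes nothing. Handshake messages would then not be folded into any transcript hash. The same `(void)` casts are added in `mbedtls_ssl_get_handshake_transcript` (`@@ -5165,6 +5171,10 @@`) and `mbedtls_ssl_set_calc_verify_md` (`@@ -5917,7 +5929,10 @@`). If such a configuration is not meant to carry a handshake, rejecting it at compile time is safer than code that builds and skips the hashing; whether `check_config.h` already refuses it is not visible here. At minimum a comment should record the intent, for example `/* No handshake hash is available in this configuration; nothing to update. */`.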
@@ -7436,8 +7451,6 @@ exit: * Helper to get TLS 1.2 PRF from ciphersuite * (Duplicates bits of logic from ssl_set_handshake_prfs().) */ -#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ - defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id ) { const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = @@ -7457,10 +7470,9 @@ static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id ) !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) (void) ciphersuite_info; #endif + return( NULL ); } -#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || - MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index 1aa757c376..17caab211c 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -11,12 +11,14 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/timing.h" #include "mbedtls/ssl_cookie.h" - +#include "mbedtls/legacy_or_psa.h" #if defined(MBEDTLS_SSL_SRV_C) && \ defined(MBEDTLS_ENTROPY_C) && \ defined(MBEDTLS_CTR_DRBG_C) && \ - defined(MBEDTLS_TIMING_C) + defined(MBEDTLS_TIMING_C) && \ + ( defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ + defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) ) const char *pers = "fuzz_dtlsserver"; const unsigned char client_ip[4] = {0x7F, 0, 0, 1}; static int initialized = 0; 
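Review bot: The `#if` condition extended in programs/fuzz/fuzz_dtlsserver.c (`@@ -11,12 +11,14 @@`) is repeated verbatim inside `LLVMFuzzerTestOneInput` in the following hunk (`@@ -32,7 +34,9 @@`). The two copies have to be edited together every time a dependency is added, as this commit does. Defining one local macro under the first `#if` and testing it in the second place would remove that risk, for example `#define FUZZ_DTLSSERVER_SUPPORTED` (the name is only a suggestion). When the condition is false the target presumably still builds but exercises no library code, so a comment saying so would help anyone reading fuzzing coverage figures. Both guarded regions extend outside the hunks.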
@@ -32,7 +34,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { defined(MBEDTLS_SSL_SRV_C) && \ defined(MBEDTLS_ENTROPY_C) && \ defined(MBEDTLS_CTR_DRBG_C) && \ - defined(MBEDTLS_TIMING_C) + defined(MBEDTLS_TIMING_C) && \ + ( defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ + defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) ) int ret; size_t len; mbedtls_ssl_context ssl; diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 2d7750f77e..409d144136 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -243,6 +243,7 @@ REVERSE_DEPENDENCIES = { EXCLUSIVE_GROUPS = { 'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C'], 'MBEDTLS_SHA384_C': ['MBEDTLS_SHA512_C'], + 'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C'], 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['!MBEDTLS_ECDSA_C', '!MBEDTLS_ECDSA_DETERMINISTIC', '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', From 2f8ac287b61da83c0cb826a605fbb780f5e6f662 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 7 Oct 2022 16:07:58 -0400 Subject: [PATCH 35/58] Disable MBEDTLS_TEST_HOOKS in depends.py This option was increasing testing duration by about 40%. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 409d144136..6a1c171c94 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -105,6 +105,7 @@ derived.""" run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BACKTRACE']) run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BUFFER_ALLOC_C']) run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_DEBUG']) + run_config_pl(options, ['unset', 'MBEDTLS_TEST_HOOKS']) def collect_config_symbols(options): """Read the list of settings from mbedtls_config.h. From 01af84a0ca90e94705c22be966c3197ba934b67a Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Sun, 9 Oct 2022 05:29:44 -0400 Subject: [PATCH 36/58] depends.py: Add script documentation 
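Review bot: The entry `'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C']` added to `EXCLUSIVE_GROUPS` (tests/scripts/depends.py, `@@ -243,6 +243,7 @@`) looks unreachable at this commit. In the hunks shown, `handle_exclusive_groups` is only called for jobs created by `ExclusiveDomain`. The `hashes` domain's `exclude` pattern from the preceding commit contains `SHA512_` in its first alternative, so the `MBEDTLS_SHA512_C` job is skipped before the lookup happens. Either the pattern should stop excluding that job, or the entry needs a comment naming the job that uses it, such as `# Used once the SHA512-only job is no longer excluded from the hashes domain.` This is inferred from the visible hunks only; the rest of the file is not shown.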
Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 57 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 54 insertions(+), 3 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 6a1c171c94..9f37a33999 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -17,9 +17,53 @@
 #
 # This file is part of Mbed TLS (https://tls.mbed.org)
-"""Test Mbed TLS with a subset of algorithms.
 """
+Test Mbed TLS with a subset of algorithms.
+This script can be divided into several steps:
+
+First, include/mbedtls/mbedtls_config.h or a different config file passed
+in the arguments is parsed to extract any configuration options (collect_config_symbols).
+
+Then, test domains (groups of jobs, tests) are built based on predefined data
+collected in the DomainData class. Here, each domain has five major traits:
+- domain name, can be used to run only specific tests via commandline;
+- configuration building method, described in detail below;
+- list of symbols passed to the configuration building method;
+- commands to be run on each job (only build, build and test, or any other custom);
+- optional list of symbols to be excluded from testing.
+
+The configuration building method can be one of the three following:
+
+- ComplementaryDomain - build a job for each passed symbol by disabling a single
+ symbol and its reverse dependencies (defined in REVERSE_DEPENDENCIES);
+
+- ExclusiveDomain - build a job where, for each passed symbol, only this particular
+ one is defined and other symbols from the list are unset. For each job look for
+ any non-standard symbols to set/unset in EXCLUSIVE_GROUPS. These are usually not
+ direct dependencies, but rather non-trivial results of other configs missing. Then
+ look for any unset symbols and handle their reverse dependencies.
+ Examples of EXCLUSIVE_GROUPS usage:
+ - MBEDTLS_SHA224 job turns off all hashes except SHA224, however, when investigating
+ reverse dependencies, SHA256 is found to depend on SHA224, so it is disabled,
+ and then SHA224 is found to depend on SHA256, so it is also disabled. To handle
+ this, there's a field in EXCLUSIVE_GROUPS that states that in a SHA224 test SHA256
+ should also be enabled before processing reverse dependencies:
+ 'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C']
+ - MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
+ requires either SHA256 or SHA384 to work, so it also has to be disabled.
+ This is not a dependency on SHA512_C, but a result of an exclusive domain
+ config building method. Relevant field:
+ 'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C'],
+
+- DualDomain - combination of the two above - both complementary and exclusive domain
+ job generation code will be run. Currently only used for hashes.
+
+Lastly, the collected jobs are executed and (optionally) tested, with
+error reporting and coloring as configured in options. Each test starts with
+a full config without a couple of slowing down or unnecessary options
+(see set_reference_config), then the specific job config is derived.
+"""
 import argparse
 import os
 import re
@@ -239,7 +283,7 @@ REVERSE_DEPENDENCIES = {
 }
 # If an option is tested in an exclusive test, alter the following defines.
-# These are not neccesarily dependencies, but just minimal required changes
+# These are not necessarily dependencies, but just minimal required changes
 # if a given define is the only one enabled from an exclusive group.
 EXCLUSIVE_GROUPS = {
 'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C'],
@@ -464,7 +508,14 @@ Run the jobs listed in options.domains."""
 def main():
 try:
- parser = argparse.ArgumentParser(description=__doc__)
+ parser = argparse.ArgumentParser(
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ description=
+ "Test Mbed TLS with a subset of algorithms.\n\n"
+ "Example usage:\n"
+ r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA224_C""\n"
+ "./tests/scripts/depends.py MBEDTLS_AES_C hashes\n"
+ "./tests/scripts/depends.py cipher_id cipher_chaining\n")
 parser.add_argument('--color', metavar='WHEN',
 help='Colorize the output (always/auto/never)',
 choices=['always', 'auto', 'never'], default='auto')
From 2d637c4cbbd4d72dc923a8d26e6b96db570003f4 Mon Sep 17 00:00:00 2001
From: Andrzej Kurek
Date: Wed, 12 Oct 2022 09:27:44 -0400
Subject: [PATCH 37/58] Fix unchecked allocation in test_suite_ssl
Signed-off-by: Andrzej Kurek
---
 tests/suites/test_suite_ssl.function | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 464ae06c50..c5ded5a71e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -873,9 +873,9 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg,
 }
 cert = &( ep->cert );
- cert->ca_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
- cert->cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
- cert->pkey = mbedtls_calloc( 1, sizeof(mbedtls_pk_context) );
+ ASSERT_ALLOC( cert->ca_cert, sizeof(mbedtls_x509_crt) );
+ ASSERT_ALLOC( cert->cert, sizeof(mbedtls_x509_crt) );
+ ASSERT_ALLOC( cert->pkey, sizeof(mbedtls_pk_context) );
 mbedtls_x509_crt_init( cert->ca_cert );
 mbedtls_x509_crt_init( cert->cert );
From 6ee1e20d7fb1fb1c29c50b2b7f51f6e113a37133 Mon Sep 17 00:00:00 2001
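Review bot: In main() of depends.py the help text no longer comes from `__doc__`, so the first sentence of the module docstring is now duplicated in `description=` and the two can drift apart, while the long explanation this same commit adds to the docstring never reaches `--help`. The first usage example also glues a raw string to the next literal with no space (`...MBEDTLS_SHA224_C""\n"`), which reads like an empty string in the middle of the line. Writing it as `r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA224_C" "\n"` makes the adjacent-literal concatenation visible. main() continues outside the hunk.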
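Review bot: In mbedtls_endpoint_certificate_init the second argument of `ASSERT_ALLOC` looks wrong: if this is the test helper that allocates `length` elements of `sizeof(*pointer)` each, passing `sizeof(mbedtls_x509_crt)` requests the square of the structure size instead of one object. The three calls should then read `ASSERT_ALLOC( cert->ca_cert, 1 );`, and likewise for `cert->cert` and `cert->pkey`. That helper also asserts that the pointer is NULL beforehand and jumps to the test's exit label on failure, so it is worth confirming that `ep->cert` is zero-initialised before this point and that the cleanup path copes with partially allocated members. The function body starts and ends outside the hunk.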
From: Andrzej Kurek
Date: Wed, 12 Oct 2022 10:17:25 -0400
Subject: [PATCH 38/58] Replace x509_CRT_PARSE_C with KEY_EXCHANGE_WITH_CERT_ENABLED
SSL programs use certificates in an exchange, so it's more natural to have such dependency instead of just certificate parsing.
Signed-off-by: Andrzej Kurek
---
 programs/ssl/ssl_client2.c | 60 ++++++++++++++++----------------------
 programs/ssl/ssl_server2.c | 45 ++++++++++++----------------
 2 files changed, 43 insertions(+), 62 deletions(-)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index caf9ac5cf5..87c13c02a9 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -120,7 +120,7 @@ int main( void )
 #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
 #define GET_REQUEST_END "\r\n\r\n"
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 #define USAGE_CONTEXT_CRT_CB \
 " context_crt_cb=%%d This determines whether the CRT verification callback is bound\n" \
 " to the SSL configuration of the SSL context.\n" \
@@ -129,8 +129,8 @@ int main( void )
 " - 1: Use CRT callback bound to SSL context\n"
 #else
 #define USAGE_CONTEXT_CRT_CB ""
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 #if defined(MBEDTLS_FS_IO)
 #define USAGE_IO \
 " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
@@ -148,10 +148,10 @@ int main( void )
 #define USAGE_IO \
 " No file operations available (MBEDTLS_FS_IO not defined)\n"
 #endif /* MBEDTLS_FS_IO */
-#else /* MBEDTLS_X509_CRT_PARSE_C */
+#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #define USAGE_IO ""
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 #define USAGE_KEY_OPAQUE \
 " key_opaque=%%d Handle your private key as if it were opaque\n" \
 " default: 0 (disabled)\n"
@@ -768,9 +768,6 @@ int main( int argc, char *argv[] )
 psa_status_t status;
 #endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
-#endif
 rng_context_t rng;
 mbedtls_ssl_context ssl;
 mbedtls_ssl_config conf;
@@ -780,17 +777,16 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_TIMING_C)
 mbedtls_timing_delay_context timer;
 #endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 uint32_t flags;
-#endif
 mbedtls_x509_crt cacert;
 mbedtls_x509_crt clicert;
 mbedtls_pk_context pkey;
+ mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
 #endif
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 char *p, *q;
 const int *list;
 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
@@ -831,7 +827,7 @@ int main( int argc, char *argv[] )
 mbedtls_ssl_config_init( &conf );
 memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) );
 rng_init( &rng );
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 mbedtls_x509_crt_init( &cacert );
 mbedtls_x509_crt_init( &clicert );
 mbedtls_pk_init( &pkey );
@@ -1031,7 +1027,7 @@ int main( int argc, char *argv[] ) opt.key_file = q; else if( strcmp( p, "key_pwd" ) == 0 ) opt.key_pwd = q; -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) else if( strcmp( p, "key_opaque" ) == 0 ) opt.key_opaque = atoi( q ); #endif @@ -1709,7 +1705,7 @@ int main( int argc, char *argv[] ) goto exit; mbedtls_printf( " ok\n" ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 1.1. Load the trusted CA */ @@ -1831,7 +1827,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok (key type: %s)\n", strlen( opt.key_file ) || strlen( opt.key_opaque_alg1 ) ? mbedtls_pk_get_name( &pkey ) : "none" ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ /* * 2. Setup stuff @@ -1849,7 +1845,6 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* The default algorithms profile disables SHA-1, but our tests still rely on it heavily. */ @@ -1864,7 +1859,6 @@ int main( int argc, char *argv[] ) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 ) @@ -2001,7 +1995,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { @@ -2022,7 +2016,7 @@ int main( int argc, char *argv[] ) goto exit; } } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) if( opt.curves != NULL && 
@@ -2110,7 +2104,7 @@ int main( int argc, char *argv[] )
 }
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
 {
 mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n",
@@ -2133,11 +2127,10 @@ int main( int argc, char *argv[] )
 }
 #endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 if( opt.context_crt_cb == 1 )
 mbedtls_ssl_set_verify( &ssl, my_verify, NULL );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 io_ctx.ssl = &ssl;
 io_ctx.net = &server_fd;
@@ -2458,8 +2451,7 @@ int main( int argc, char *argv[] )
 }
 }
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /*
 * 5. Verify the server certificate
 */
@@ -2482,7 +2474,7 @@ int main( int argc, char *argv[] )
 mbedtls_printf( " . Peer certificate information ...\n" );
 mbedtls_printf( "%s\n", peer_crt_info );
 #endif /* !MBEDTLS_X509_REMOVE_INFO */
-#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 ret = report_cid_usage( &ssl, "initial handshake" );
@@ -2857,10 +2849,9 @@ send_request:
 mbedtls_printf( " . Restarting connection from same port..." );
 fflush( stdout );
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
-#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
 {
@@ -3094,10 +3085,9 @@ reconnect:
 mbedtls_printf( " . Reconnecting with saved session..." );
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
-#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
 {
@@ -3201,14 +3191,14 @@ exit:
 mbedtls_free( context_buf );
 #endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 mbedtls_x509_crt_free( &clicert );
 mbedtls_x509_crt_free( &cacert );
 mbedtls_pk_free( &pkey );
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 psa_destroy_key( key_slot );
 #endif
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) && \
 defined(MBEDTLS_USE_PSA_CRYPTO)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 0554d2cb12..c39871a6dc 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -175,7 +175,7 @@ int main( void )
 */
 #define DFL_IO_BUF_LEN 200
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 #if defined(MBEDTLS_FS_IO)
 #define USAGE_IO \
 " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
@@ -206,8 +206,8 @@ int main( void )
 #endif /* MBEDTLS_FS_IO */
 #else
 #define USAGE_IO ""
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 #define USAGE_KEY_OPAQUE \
 " key_opaque=%%d Handle your private keys as if they were opaque\n" \
 " default: 0 (disabled)\n"
@@ -1444,10 +1444,6 @@ int main( int argc, char *argv[] )
 mbedtls_ssl_cookie_ctx cookie_ctx;
 #endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
-#endif
 mbedtls_ssl_context ssl;
 mbedtls_ssl_config conf;
 #if defined(MBEDTLS_TIMING_C)
@@ -1456,13 +1452,14 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
 unsigned char renego_period[8] = { 0 };
 #endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 uint32_t flags;
 mbedtls_x509_crt cacert;
 mbedtls_x509_crt srvcert;
 mbedtls_pk_context pkey;
 mbedtls_x509_crt srvcert2;
 mbedtls_pk_context pkey2;
+ mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
 mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
@@ -1471,7 +1468,7 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
 ssl_async_key_context_t ssl_async_keys;
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
 mbedtls_dhm_context dhm;
 #endif
@@ -1553,7 +1550,7 @@ int main( int argc, char *argv[] )
 mbedtls_ssl_init( &ssl );
 mbedtls_ssl_config_init( &conf );
 rng_init( &rng );
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 mbedtls_x509_crt_init( &cacert );
 mbedtls_x509_crt_init( &srvcert );
 mbedtls_pk_init( &pkey );
@@ -1782,7 +1779,7 @@ int main( int argc, char *argv[] ) opt.key_file = q; else if( strcmp( p, "key_pwd" ) == 0 ) opt.key_pwd = q; -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) else if( strcmp( p, "key_opaque" ) == 0 ) opt.key_opaque = atoi( q ); #endif @@ -2586,7 +2583,7 @@ int main( int argc, char *argv[] ) goto exit; mbedtls_printf( " ok\n" ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 1.1. Load the trusted CA */ @@ -2794,7 +2791,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok (key types: %s, %s)\n", key_cert_init ? mbedtls_pk_get_name( &pkey ) : "none", key_cert_init2 ? mbedtls_pk_get_name( &pkey2 ) : "none" ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) if( opt.dhm_file != NULL ) @@ -2844,7 +2841,6 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* The default algorithms profile disables SHA-1, but our tests still rely on it heavily. Hence we allow it here. A real-world server @@ -2856,7 +2852,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test ); } #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); 
@@ -2864,15 +2859,13 @@ int main( int argc, char *argv[] )
 if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
 mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /* exercise setting DN hints for server certificate request
 * (Intended for use where the client cert expected has been signed by
 * a specific CA which is an intermediate in a CA chain, not the root) */
 if( opt.cert_req_dn_hint == 2 && key_cert_init2 )
 mbedtls_ssl_conf_dn_hints( &conf, &srvcert2 );
 #endif
-#endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
@@ -3109,7 +3102,7 @@ int main( int argc, char *argv[] )
 }
 #endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 if( strcmp( opt.ca_path, "none" ) != 0 &&
 strcmp( opt.ca_file, "none" ) != 0 )
 {
@@ -3198,7 +3191,7 @@ int main( int argc, char *argv[] )
 &ssl_async_keys );
 }
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #if defined(SNI_OPTION)
 if( opt.sni != NULL )
@@ -3492,9 +3485,8 @@ reset:
 }
 #endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /* exercise setting DN hints for server certificate request
 * (Intended for use where the client cert expected has been signed by
 * a specific CA which is an intermediate in a CA chain, not the root)
@@ -3503,7 +3495,6 @@ reset:
 if( opt.cert_req_dn_hint == 3 && key_cert_init2 )
 mbedtls_ssl_set_hs_dn_hints( &ssl, &srvcert2 );
 #endif
-#endif
 #endif
 mbedtls_printf( " ok\n" );
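Review bot: The guard around `mbedtls_ssl_conf_dn_hints` in ssl_server2.c changes from `MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED` to `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED`, which goes beyond the X509_CRT_PARSE_C replacement the commit message describes; the same swap is made around `mbedtls_ssl_set_hs_dn_hints` in the `reset:` hunk. If the library declares the DN-hint setters only under the CERT_REQ_ALLOWED macro, a configuration that enables a certificate-based key exchange but none that allows certificate requests would no longer build this program. Keeping `#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)` on those two blocks avoids relying on the two macros being equivalent. main() starts and ends outside these hunks.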
@@ -3552,7 +3543,7 @@ handshake: { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) { char vrfy_buf[512]; @@ -3607,7 +3598,7 @@ handshake: } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 5. Verify the client certificate */ @@ -3636,7 +3627,7 @@ handshake: mbedtls_printf( "%s\n", crt_buf ); } #endif /* MBEDTLS_X509_REMOVE_INFO */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( opt.eap_tls != 0 ) { @@ -4330,7 +4321,7 @@ exit: mbedtls_printf( "Failed to list of opaque PSKs - error was %d\n", ret ); #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_free( &cacert ); mbedtls_x509_crt_free( &srvcert ); mbedtls_pk_free( &pkey ); From daf43fbe219bf1769e72702c4796b5de32497698 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 12 Oct 2022 10:46:42 -0400 Subject: [PATCH 39/58] Move the location of MBEDTLS_ECP_C dependencies Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.data | 84 +++++++++++++--------------- tests/suites/test_suite_ssl.function | 36 ++++++------ 2 files changed, 57 insertions(+), 63 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index eab6c862a7..6b28a2fe97 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -111,63 +111,61 @@ Test moving clients handshake to state: CLIENT_HELLO
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_HELLO:1
 Test moving clients handshake to state: SERVER_HELLO
-depends_on:MBEDTLS_ECP_C
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO:1
 Test moving clients handshake to state: SERVER_CERTIFICATE
-depends_on:MBEDTLS_ECP_C
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_CERTIFICATE:1
 Test moving clients handshake to state: SERVER_KEY_EXCHANGE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_KEY_EXCHANGE:1
 Test moving clients handshake to state: CERTIFICATE_REQUEST
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CERTIFICATE_REQUEST:1
 Test moving clients handshake to state: SERVER_HELLO_DONE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO_DONE:1
 Test moving clients handshake to state: CLIENT_CERTIFICATE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CERTIFICATE:1
 Test moving clients handshake to state: CLIENT_KEY_EXCHANGE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:1
 Test moving clients handshake to state: CERTIFICATE_VERIFY
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CERTIFICATE_VERIFY:1
 Test moving clients handshake to state: CLIENT_CHANGE_CIPHER_SPEC
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:1
 Test moving clients handshake to state: CLIENT_FINISHED
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_FINISHED:1
 Test moving clients handshake to state: SERVER_CHANGE_CIPHER_SPEC
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:1
 Test moving clients handshake to state: SERVER_FINISHED
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_FINISHED:1
 Test moving clients handshake to state: FLUSH_BUFFERS
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_FLUSH_BUFFERS:1
 Test moving clients handshake to state: HANDSHAKE_WRAPUP
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HANDSHAKE_WRAPUP:1
 Test moving clients handshake to state: HANDSHAKE_OVER
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HANDSHAKE_OVER:1
 Test moving servers handshake to state: HELLO_REQUEST
@@ -177,63 +175,61 @@ Test moving servers handshake to state: CLIENT_HELLO
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_HELLO:1
 Test moving servers handshake to state: SERVER_HELLO
-depends_on:MBEDTLS_ECP_C
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_HELLO:1
 Test moving servers handshake to state: SERVER_CERTIFICATE
-depends_on:MBEDTLS_ECP_C
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_CERTIFICATE:1
 Test moving servers handshake to state: SERVER_KEY_EXCHANGE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_KEY_EXCHANGE:1
 Test moving servers handshake to state: CERTIFICATE_REQUEST
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CERTIFICATE_REQUEST:1
 Test moving servers handshake to state: SERVER_HELLO_DONE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_HELLO_DONE:1
 Test moving servers handshake to state: CLIENT_CERTIFICATE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CERTIFICATE:1
 Test moving servers handshake to state: CLIENT_KEY_EXCHANGE
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:1
 Test moving servers handshake to state: CERTIFICATE_VERIFY
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CERTIFICATE_VERIFY:1
 Test moving servers handshake to state: CLIENT_CHANGE_CIPHER_SPEC
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:1
 Test moving servers handshake to state: CLIENT_FINISHED
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_FINISHED:1
 Test moving servers handshake to state: SERVER_CHANGE_CIPHER_SPEC
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:1
 Test moving servers handshake to state: SERVER_FINISHED
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_FINISHED:1
 Test moving servers handshake to state: FLUSH_BUFFERS
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_FLUSH_BUFFERS:1
 Test moving servers handshake to state: HANDSHAKE_WRAPUP
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HANDSHAKE_WRAPUP:1
 Test moving servers handshake to state: HANDSHAKE_OVER
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HANDSHAKE_OVER:1
 Negative test moving clients ssl to state: VERIFY_REQUEST_SENT
@@ -333,7 +329,7 @@ depends_on:MBEDTLS_SSL_PROTO_DTLS
 handshake_fragmentation:MBEDTLS_SSL_MAX_FRAG_LEN_1024:0:1
 Handshake min/max version check, all -> 1.2
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2
 handshake_version:0:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_TLS1_2
 Handshake, select RSA-WITH-AES-256-CBC-SHA256, non-opaque
@@ -477,43 +473,41 @@ depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER
 handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
 Sending app data via TLS, MFL=512 without fragmentation
-depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_512:400:512:1:1
 Sending app data via TLS, MFL=512 with fragmentation
-depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_512:513:1536:2:3
 Sending app data via TLS, MFL=1024 without fragmentation
-depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_1024:1000:1024:1:1
 Sending app data via TLS, MFL=1024 with fragmentation
-depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_1024:1025:5120:2:5
 Sending app data via TLS, MFL=2048 without fragmentation
-depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_2048:2000:2048:1:1
 Sending app data via TLS, MFL=2048 with fragmentation
-depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_2048:2049:8192:2:4
 Sending app data via TLS, MFL=4096 without fragmentation
-depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_4096:4000:4096:1:1
 Sending app data via TLS, MFL=4096 with fragmentation
-depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_ECP_C
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_4096:4097:12288:2:3
 Sending app data via TLS without MFL and without fragmentation
-depends_on:MBEDTLS_ECP_C
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_NONE:16001:16384:1:1
 Sending app data via TLS without MFL and with fragmentation
-depends_on:MBEDTLS_ECP_C
 app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_NONE:16385:100000:2:7
 Sending app data via DTLS, MFL=512 without fragmentation
@@ -2976,13 +2970,13 @@ ssl_tls13_key_evolution:PSA_ALG_SHA_256:"":"":"33ad0a1c607ec03b09e6cd9893680ce21
 SSL TLS 1.3 Key schedule: Secret evolution #2
 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/)
 # Early secret to Handshake Secret
-depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECP_C
+depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED
 ssl_tls13_key_evolution:PSA_ALG_SHA_256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624":"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a"
 SSL TLS 1.3 Key schedule: Secret evolution #3
 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/)
 # Handshake secret to Master Secret
-depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECP_C
+depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED
 ssl_tls13_key_evolution:PSA_ALG_SHA_256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d"
 SSL TLS 1.3 Key schedule: HKDF Expand Label #1
@@ -3543,11 +3537,11 @@ Sanity test cid functions
 cid_sanity:
 Raw key agreement: nominal
-depends_on:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
 raw_key_agreement_fail:0
 Raw key agreement: bad server key
-depends_on:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
 raw_key_agreement_fail:1
 Force a bad session id length
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index c5ded5a71e..c129903299 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -4543,7 +4543,7 @@ void ssl_tls13_create_psk_binder( int hash_alg,
 }
 /* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SHA256_C */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 void ssl_tls13_record_protection( int ciphersuite,
 int endpoint,
 int ctr,
@@ -4643,7 +4643,7 @@ void ssl_tls13_record_protection( int ciphersuite,
 }
 /* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_ECP_C */
 void ssl_tls13_key_evolution( int hash_alg,
 data_t *secret,
 data_t *input,
@@ -5100,7 +5100,7 @@ void ssl_session_serialize_version_check( int corrupt_major,
 }
 /* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
 void mbedtls_endpoint_sanity( int endpoint_type )
 {
 enum { BUFFSIZE = 1024 };
@@ -5127,7 +5127,7 @@ exit:
 }
 /* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */
 void move_handshake_to_state(int endpoint_type, int state, int need_pass)
 {
 enum { BUFFSIZE = 1024 };
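Review bot: Adding `MBEDTLS_ECP_C` to the BEGIN_CASE line of `ssl_tls13_key_evolution` makes every data case of that function depend on ECP, whereas in test_suite_ssl.data only Secret evolution #2 and #3 carried that dependency (the dependency line of the first evolution case is not visible in the patch). The visible parameters (`hash_alg`, `secret`, `input`) suggest a pure key-schedule check, so builds without ECP would silently lose coverage of the TLS 1.3 secret derivation. If ECP is not actually needed by the function body, I would keep `/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */` and drop the dependency from the two data cases instead of widening it. The function body is outside the hunk.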
@@ -5183,7 +5183,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */ void handshake_version( int dtls, int client_min_version, int client_max_version, int server_min_version, int server_max_version, int expected_negotiated_version ) @@ -5208,7 +5208,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_psk_cipher( char* cipher, int pk_alg, data_t *psk_str, int dtls ) { handshake_test_options options; @@ -5229,7 +5229,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_cipher( char* cipher, int pk_alg, int dtls ) { test_handshake_psk_cipher( cipher, pk_alg, NULL, dtls ); @@ -5239,7 +5239,7 @@ void handshake_cipher( char* cipher, int pk_alg, int dtls ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_ciphersuite_select( char* cipher, int pk_alg, data_t *psk_str, int psa_alg, int psa_alg2, int psa_usage, int expected_handshake_result, 
@@ -5266,7 +5266,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void app_data( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments, int dtls ) @@ -5294,7 +5294,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments ) @@ -5306,7 +5306,7 @@ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments ) 
@@ -5318,7 +5318,7 @@ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_serialization( ) { handshake_test_options options; @@ -5334,7 +5334,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int expected_cli_hs_fragmentation) { handshake_test_options options; 
@@ -5373,7 +5373,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void renegotiation( int legacy_renegotiation ) { handshake_test_options options; @@ -5392,7 +5392,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation, int serialize, int dtls, char *cipher ) { 
@@ -5416,7 +5416,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void resize_buffers_serialize_mfl( int mfl ) { test_resize_buffers( mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1, @@ -5427,7 +5427,7 @@ void resize_buffers_serialize_mfl( int mfl ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, char *cipher ) { 
@@ -5828,7 +5828,7 @@ void conf_group() } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void force_bad_session_id_len( ) { enum { BUFFSIZE = 1024 }; From e5a5cc194442d6757cc6da452ee8fbd5a614080e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 12 Oct 2022 11:14:28 -0400 Subject: [PATCH 40/58] Remove the dependency of tls1_3 key evolution tests on curve25519 Signed-off-by: Andrzej Kurek --- library/ssl_tls13_keys.c | 5 ++++- tests/suites/test_suite_ssl.data | 8 ++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 48de3d008d..56967cd122 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -38,6 +38,9 @@ #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ .name = string, +#define MBEDTLS_EVOLVE_INPUT_SIZE (PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)? \ + PSA_HASH_MAX_SIZE : PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE + struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels = { /* This seems to work in C, despite the string literal being one @@ -333,7 +336,7 @@ int mbedtls_ssl_tls13_evolve_secret( psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; size_t hlen, ilen; unsigned char tmp_secret[ PSA_MAC_MAX_SIZE ] = { 0 }; - unsigned char tmp_input [ MBEDTLS_ECP_MAX_BYTES ] = { 0 }; + unsigned char tmp_input [ MBEDTLS_EVOLVE_INPUT_SIZE ] = { 0 }; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; 
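Review bot: The new `MBEDTLS_EVOLVE_INPUT_SIZE` macro in library/ssl_tls13_keys.c expands to a bare conditional expression, so any use other than as a lone array size (for instance `2 * MBEDTLS_EVOLVE_INPUT_SIZE`) would bind to the wrong operand. The whole expansion should be wrapped: `#define MBEDTLS_EVOLVE_INPUT_SIZE ( ( PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE ) ? \` followed by `PSA_HASH_MAX_SIZE : PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE )`. The rename to `TLS1_3_EVOLVE_INPUT_SIZE` in PATCH 44/58 keeps the same unparenthesized form. The macro now sizes `tmp_input` in `mbedtls_ssl_tls13_evolve_secret`, whose body lies outside the hunk; if the copy into `tmp_input` is not already bounded there, a check of the input length against `sizeof( tmp_input )` belongs next to it.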
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 6b28a2fe97..1cc1c9821f 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -2964,26 +2964,26 @@ ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:255 SSL TLS 1.3 Key schedule: Secret evolution #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Initial secret to Early Secret -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:PSA_WANT_ALG_SHA_256 ssl_tls13_key_evolution:PSA_ALG_SHA_256:"":"":"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a" SSL TLS 1.3 Key schedule: Secret evolution #2 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Early secret to Handshake Secret -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:PSA_WANT_ALG_SHA_256 ssl_tls13_key_evolution:PSA_ALG_SHA_256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624":"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a" SSL TLS 1.3 Key schedule: Secret evolution #3 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Handshake secret to Master Secret -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:PSA_WANT_ALG_SHA_256 ssl_tls13_key_evolution:PSA_ALG_SHA_256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d" SSL TLS 1.3 Key schedule: HKDF Expand Label #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic key # HKDF-Expand-Label(server_handshake_secret, "key", "", 16) -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:PSA_WANT_ALG_SHA_256 ssl_tls13_hkdf_expand_label:PSA_ALG_SHA_256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":tls13_label_key:"":16:"844780a7acad9f980fa25c114e43402a" SSL TLS 1.3 Key schedule: HKDF Expand Label #2 From 658442fe78738690195a6abf84e62230e8a1af3b Mon Sep 17 00:00:00 2001 
From: Andrzej Kurek Date: Wed, 12 Oct 2022 11:28:41 -0400 Subject: [PATCH 41/58] Remove unnecessary ECP_C dependencies Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.data | 2 +- tests/suites/test_suite_ssl.function | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 1cc1c9821f..2b58e6005c 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3196,7 +3196,7 @@ SSL TLS 1.3 Key schedule: PSK binder # Vector from RFC 8448 # For the resumption PSK, see Section 3, 'generate resumption secret "tls13 resumption"' # For all other data, see Section 4, 'construct a ClientHello handshake message:' -depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECP_C +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_ECP_DP_CURVE25519_ENABLED ssl_tls13_create_psk_binder:PSA_ALG_SHA_256:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3":MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:"63224b2e4573f2d3454ca84b9d009a04f6be9e05711a8396473aefa01e924a14":"3add4fb2d8fdf822a0ca3cf7678ef5e88dae990141c5924d57bb6fa31b9e5f9d" SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index c129903299..6664a79f97 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4643,7 +4643,7 @@ void ssl_tls13_record_protection( int ciphersuite, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_ECP_C */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ void ssl_tls13_key_evolution( int hash_alg, data_t *secret, data_t *input, 
@@ -6015,7 +6015,7 @@ void cid_sanity( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_C:MBEDTLS_ECDSA_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECDSA_C */ void raw_key_agreement_fail( int bad_server_ecdhe_key ) { enum { BUFFSIZE = 17000 }; From 6454a90c6deed835586cf6f0178ee25e00f59976 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 12 Oct 2022 11:57:04 -0400 Subject: [PATCH 42/58] Remove pre-1_2 TLS dependencies from depends.py Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 9f37a33999..829e330cea 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -223,13 +223,6 @@ and subsequent commands are tests that cannot run if the build failed).''' built = True return success -# SSL/TLS versions up to 1.1 and corresponding options. These require -# both MD5 and SHA-1. -SSL_PRE_1_2_DEPENDENCIES = ['MBEDTLS_SSL_CBC_RECORD_SPLITTING', - 'MBEDTLS_SSL_PROTO_SSL3', - 'MBEDTLS_SSL_PROTO_TLS1', - 'MBEDTLS_SSL_PROTO_TLS1_1'] - # If the configuration option A requires B, make sure that # B in REVERSE_DEPENDENCIES[A]. # All the information here should be contained in check_config.h. This 
@@ -251,7 +244,6 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], 'MBEDTLS_ECP_DP_SECP256R1_ENABLED': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], - 'MBEDTLS_MD5_C': SSL_PRE_1_2_DEPENDENCIES, 'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT'], 'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', @@ -263,7 +255,6 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], - 'MBEDTLS_SHA1_C': SSL_PRE_1_2_DEPENDENCIES, 'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA224_C', From a2a96885015cb6f65f1f09468327dc5ea978b75e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 13 Oct 2022 08:22:08 -0400 Subject: [PATCH 43/58] Fix the memory allocation in test_suite_ssl ASSERT_ALLOC calculates the size itself, and the parameter indicates number of elements. ``` mbedtls_calloc( sizeof( *( pointer ) ), ( length ) ); ``` Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_ssl.function | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 6664a79f97..cd356f563c 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -873,9 +873,9 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, } cert = &( ep->cert ); - ASSERT_ALLOC( cert->ca_cert, sizeof(mbedtls_x509_crt) ); - ASSERT_ALLOC( cert->cert, sizeof(mbedtls_x509_crt) ); - ASSERT_ALLOC( cert->pkey, sizeof(mbedtls_pk_context) ); + ASSERT_ALLOC( cert->ca_cert, 1 ); + ASSERT_ALLOC( cert->cert, 1 ); + ASSERT_ALLOC( cert->pkey, 1 ); mbedtls_x509_crt_init( cert->ca_cert ); mbedtls_x509_crt_init( cert->cert ); From ecb630925fd348620c4e7510e094fd5330b66899 Mon Sep 17 00:00:00 2001 
From: Andrzej Kurek Date: Thu, 13 Oct 2022 09:05:12 -0400 Subject: [PATCH 44/58] Fix constant name in ssl_tls13_keys Signed-off-by: Andrzej Kurek --- library/ssl_tls13_keys.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 56967cd122..d22aab8de2 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -38,8 +38,8 @@ #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ .name = string, -#define MBEDTLS_EVOLVE_INPUT_SIZE (PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)? \ - PSA_HASH_MAX_SIZE : PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE +#define TLS1_3_EVOLVE_INPUT_SIZE (PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)? \ + PSA_HASH_MAX_SIZE : PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels = { @@ -336,7 +336,7 @@ int mbedtls_ssl_tls13_evolve_secret( psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; size_t hlen, ilen; unsigned char tmp_secret[ PSA_MAC_MAX_SIZE ] = { 0 }; - unsigned char tmp_input [ MBEDTLS_EVOLVE_INPUT_SIZE ] = { 0 }; + unsigned char tmp_input [ TLS1_3_EVOLVE_INPUT_SIZE ] = { 0 }; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; From d0786f5f26a119907e7199c5f911e05e7b09f484 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 13 Oct 2022 09:06:48 -0400 Subject: [PATCH 45/58] Revert one of the changes to ssl_server2 dependencies Signed-off-by: Andrzej Kurek --- programs/ssl/ssl_server2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index c39871a6dc..678311ccb4 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -2859,7 +2859,7 @@ int main( int argc, char *argv[] ) if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST ) mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list ); -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) /* exercise setting DN hints for server certificate request * (Intended for use where the client cert expected has been signed by * a specific CA which is an intermediate in a CA chain, not the root) */ @@ -3486,7 +3486,7 @@ reset: #endif #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) /* exercise setting DN hints for server certificate request * (Intended for use where the client cert expected has been signed by * a specific CA which is an intermediate in a CA chain, not the root) From e5535e3123766cc33bc3de0a1fbd87bfbecb39bd Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 13 Oct 2022 09:07:47 -0400 Subject: [PATCH 46/58] Add MBEDTLS_DES_C exclusive group dependencies Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 829e330cea..a2c939a157 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -295,7 +295,8 @@ EXCLUSIVE_GROUPS = { 'MBEDTLS_ARIA_C': ['!MBEDTLS_CMAC_C'], 'MBEDTLS_CAMELLIA_C': ['!MBEDTLS_CMAC_C'], 'MBEDTLS_CHACHA20_C': ['!MBEDTLS_CMAC_C', '!MBEDTLS_CCM_C', '!MBEDTLS_GCM_C'], - 'MBEDTLS_DES_C': ['!MBEDTLS_CCM_C', '!MBEDTLS_GCM_C'], + 'MBEDTLS_DES_C': ['!MBEDTLS_CCM_C', '!MBEDTLS_GCM_C', '!MBEDTLS_SSL_TICKET_C', + '!MBEDTLS_SSL_CONTEXT_SERIALIZATION'], } def handle_exclusive_groups(config_settings, symbol): """For every symbol tested in an exclusive group check if there are other From b50754ae869169cb6f627ac39aca96774c56412e Mon Sep 17 00:00:00 2001 
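Review bot: The two exclusions added to the `'MBEDTLS_DES_C'` entry of `EXCLUSIVE_GROUPS` in tests/scripts/depends.py are not explained, so a later reader cannot tell whether they are still needed. Presumably `MBEDTLS_SSL_TICKET_C` and `MBEDTLS_SSL_CONTEXT_SERIALIZATION` are dropped because a DES-only build, with CCM and GCM already excluded, has no AEAD left for them; that should be confirmed against check_config.h, which the comment above `REVERSE_DEPENDENCIES` names as the source of truth. A comment above the entry would record it, e.g. `# DES-only builds have no AEAD (CCM/GCM are excluded), so options that need one are disabled too.`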
From: Andrzej Kurek Date: Thu, 13 Oct 2022 14:19:01 -0400 Subject: [PATCH 47/58] Switch from x509_CRT_PARSE to KEY_EXCHANGE_WITH_CERT_ENABLED Signed-off-by: Andrzej Kurek --- programs/ssl/ssl_server2.c | 24 ++++++----- tests/suites/test_suite_ssl.function | 64 ++++++++++++++-------------- 2 files changed, 46 insertions(+), 42 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 678311ccb4..1fd63d2d0d 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1103,14 +1103,6 @@ typedef enum ASYNC_OP_SIGN, ASYNC_OP_DECRYPT, } ssl_async_operation_type_t; -/* Note that the enum above and the array below need to be kept in sync! - * `ssl_async_operation_names[op]` is the name of op for each value `op` - * of type `ssl_async_operation_type_t`. */ -static const char *const ssl_async_operation_names[] = -{ - "sign", - "decrypt", -}; typedef struct { @@ -1122,6 +1114,17 @@ typedef struct unsigned remaining_delay; } ssl_async_operation_context_t; +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + +/* Note that ssl_async_operation_type_t and the array below need to be kept in sync! + * `ssl_async_operation_names[op]` is the name of op for each value `op` + * of type `ssl_async_operation_type_t`. */ +static const char *const ssl_async_operation_names[] = +{ + "sign", + "decrypt", +}; + static int ssl_async_start( mbedtls_ssl_context *ssl, mbedtls_x509_crt *cert, ssl_async_operation_type_t op_type, @@ -1274,6 +1277,7 @@ static void ssl_async_cancel( mbedtls_ssl_context *ssl ) mbedtls_printf( "Async cancel callback.\n" ); mbedtls_free( ctx ); } +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #if defined(MBEDTLS_USE_PSA_CRYPTO) 
@@ -1465,10 +1469,10 @@ int main( int argc, char *argv[] ) mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ #endif int key_cert_init = 0, key_cert_init2 = 0; +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) ssl_async_key_context_t ssl_async_keys; #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) mbedtls_dhm_context dhm; #endif @@ -1556,10 +1560,10 @@ int main( int argc, char *argv[] ) mbedtls_pk_init( &pkey ); mbedtls_x509_crt_init( &srvcert2 ); mbedtls_pk_init( &pkey2 ); +#endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) memset( &ssl_async_keys, 0, sizeof( ssl_async_keys ) ); #endif -#endif #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) mbedtls_dhm_init( &dhm ); #endif diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index cd356f563c..cc7497818f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -31,7 +31,7 @@ typedef struct log_pattern size_t counter; } log_pattern; -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) static int rng_seed = 0xBEEF; static int rng_get( void *p_rng, unsigned char *output, size_t output_len ) { @@ -103,7 +103,7 @@ typedef struct handshake_test_options void init_handshake_options( handshake_test_options *opts ) { -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) srand( rng_seed ); rng_seed += 0xD0; #endif @@ -790,7 +790,7 @@ int mbedtls_mock_tcp_recv_msg( void *ctx, unsigned char *buf, size_t buf_len ) return msg_len; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * Structure with endpoint's certificates for SSL communication tests. 
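Review bot: In programs/ssl/ssl_server2.c, `ssl_async_keys` is now declared (hunk at -1465) and zeroed (hunk at -1556) whenever `MBEDTLS_SSL_ASYNC_PRIVATE` is set, while the same commit moves the async callbacks and `ssl_async_operation_names` under `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED`. The two guards no longer agree, and the reason is not stated; the body of `main` that uses the variable is outside both hunks, so it cannot be checked from here whether every use is guarded the same way. Either keep the declaration and the `memset` under the same condition as the callbacks, or add a comment saying why the context must exist without them. The `#endif` added before the `memset` block would also read better as `#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */`, matching the one added in the declaration hunk.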
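Review bot: Replacing `MBEDTLS_X509_CRT_PARSE_C` with `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED` in tests/suites/test_suite_ssl.function, starting with the guard around `rng_seed`, changes when the certificate-dependent test code is built, and nothing in the file states how the two macros relate. The guarded code still uses X.509 types directly (`mbedtls_x509_crt tmp_crt` in `ssl_tls12_populate_session`, the `peer_cert` comparison in `ssl_serialize_session_save_load`), so a configuration with X.509 parsing but no certificate-based key exchange would presumably skip the peer-certificate round-trip check without any visible failure. A comment at the first guard would record the assumption, e.g. `/* Certificate-based tests: WITH_CERT is assumed to imply MBEDTLS_X509_CRT_PARSE_C (see check_config.h). */`. The same swap repeats in every later hunk of this file section, including the `BEGIN_CASE depends_on:` lines.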
@@ -1178,7 +1178,7 @@ int mbedtls_move_handshake_to_state( mbedtls_ssl_context *ssl, return ( max_steps >= 0 ) ? ret : -1; } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ /* * Write application data. Increase write counter if necessary. @@ -1750,7 +1750,7 @@ static int ssl_tls12_populate_session( mbedtls_ssl_session *session, memset( session->id, 66, session->id_len ); memset( session->master, 17, sizeof( session->master ) ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_FS_IO) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && defined(MBEDTLS_FS_IO) if( crt_file != NULL && strlen( crt_file ) != 0 ) { mbedtls_x509_crt tmp_crt; @@ -1801,9 +1801,9 @@ static int ssl_tls12_populate_session( mbedtls_ssl_session *session, mbedtls_x509_crt_free( &tmp_crt ); } -#else /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO */ +#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */ (void) crt_file; -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_FS_IO */ session->verify_result = 0xdeadbeef; #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) @@ -2029,7 +2029,7 @@ int exchange_data( mbedtls_ssl_context *ssl_1, ssl_2, 256, 1 ); } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) static int check_ssl_version( mbedtls_ssl_protocol_version expected_negotiated_version, const mbedtls_ssl_context *ssl ) { @@ -2066,10 +2066,10 @@ static int check_ssl_version( mbedtls_ssl_protocol_version expected_negotiated_v exit: return( 0 ); } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) void perform_handshake( handshake_test_options *options ) { /* forced_ciphersuite needs to last until the end of the handshake */ 
@@ -2467,7 +2467,7 @@ exit: #endif USE_PSA_DONE( ); } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_TEST_HOOKS) /* @@ -3685,7 +3685,7 @@ void ssl_dtls_replay( data_t * prevs, data_t * new, int ret ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ void ssl_set_hostname_twice( char *hostname0, char *hostname1 ) { mbedtls_ssl_context ssl; @@ -4752,7 +4752,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file, TEST_ASSERT( memcmp( original.master, restored.master, sizeof( original.master ) ) == 0 ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) TEST_ASSERT( ( original.peer_cert == NULL ) == ( restored.peer_cert == NULL ) ); @@ -4778,7 +4778,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file, original.peer_cert_digest_len ) == 0 ); } #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ TEST_ASSERT( original.verify_result == restored.verify_result ); #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) @@ -5100,7 +5100,7 @@ void ssl_session_serialize_version_check( int corrupt_major, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void mbedtls_endpoint_sanity( int endpoint_type ) { enum { BUFFSIZE = 1024 }; 
@@ -5127,7 +5127,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */ void move_handshake_to_state(int endpoint_type, int state, int need_pass) { enum { BUFFSIZE = 1024 }; @@ -5183,7 +5183,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */ void handshake_version( int dtls, int client_min_version, int client_max_version, int server_min_version, int server_max_version, int expected_negotiated_version ) @@ -5208,7 +5208,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_psk_cipher( char* cipher, int pk_alg, data_t *psk_str, int dtls ) { handshake_test_options options; 
@@ -5229,7 +5229,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_cipher( char* cipher, int pk_alg, int dtls ) { test_handshake_psk_cipher( cipher, pk_alg, NULL, dtls ); @@ -5239,7 +5239,7 @@ void handshake_cipher( char* cipher, int pk_alg, int dtls ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_ciphersuite_select( char* cipher, int pk_alg, data_t *psk_str, int psa_alg, int psa_alg2, int psa_usage, int expected_handshake_result, @@ -5266,7 +5266,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void app_data( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments, int dtls ) 
@@ -5294,7 +5294,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECP_C */ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments ) @@ -5306,7 +5306,7 @@ void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len, int expected_cli_fragments, int expected_srv_fragments ) 
@@ -5318,7 +5318,7 @@ void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_serialization( ) { handshake_test_options options; @@ -5334,7 +5334,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int expected_cli_hs_fragmentation) { handshake_test_options options; 
@@ -5373,7 +5373,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void renegotiation( int legacy_renegotiation ) { handshake_test_options options; @@ -5392,7 +5392,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation, int serialize, int dtls, char *cipher ) { 
@@ -5416,7 +5416,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void resize_buffers_serialize_mfl( int mfl ) { test_resize_buffers( mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1, @@ -5427,7 +5427,7 @@ void resize_buffers_serialize_mfl( int mfl ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, char *cipher ) { 
@@ -5828,7 +5828,7 @@ void conf_group() } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ void force_bad_session_id_len( ) { enum { BUFFSIZE = 1024 }; @@ -6015,7 +6015,7 @@ void cid_sanity( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECDSA_C */ +/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECDSA_C */ void raw_key_agreement_fail( int bad_server_ecdhe_key ) { enum { BUFFSIZE = 17000 }; @@ -6086,7 +6086,7 @@ exit: USE_PSA_DONE( ); } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED */ void tls13_server_certificate_msg_invalid_vector_len( ) { int ret = -1; From a0cb4fa302cf5a3253027bbfebfcec4ba1c0a2c9 Mon Sep 17 00:00:00 2001 
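Review bot: In the last hunk here, `tls13_server_certificate_msg_invalid_vector_len` requires `!MBEDTLS_SSL_PROTO_TLS1_2` yet now depends on `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED` in place of `MBEDTLS_X509_CRT_PARSE_C`. If that macro is derived only from the TLS 1.2 key-exchange options (its definition is not shown in this patch), a TLS 1.3-only configuration could skip this malformed-Certificate negative test without reporting any failure. I would confirm the test still runs in a TLS 1.3-only build, and otherwise keep `MBEDTLS_X509_CRT_PARSE_C` for this case or depend on a symbol that also covers TLS 1.3 certificate authentication. The test body continues outside the hunk.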
From: Andrzej Kurek Date: Fri, 14 Oct 2022 07:06:43 -0400 Subject: [PATCH 48/58] Improve depends.py readability Switch from SHA224 & SHA384 testing to SHA256 and SHA512. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index a2c939a157..48e2f2b707 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -143,8 +143,7 @@ def set_reference_config(options): """Change the library configuration file (mbedtls_config.h) to the reference state. The reference state is the one from which the tested configurations are derived.""" - # Turn off memory management options that are not relevant to - # the tests and slow them down. + # Turn off options that are not relevant to the tests and slow them down. run_config_pl(options, ['full']) run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BACKTRACE']) run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BUFFER_ALLOC_C']) @@ -190,8 +189,7 @@ If what is False, announce that the job has failed.''' log_line('starting ' + self.name) def configure(self, options): - '''Set library configuration options as required for the job. -config_file_name indicates which file to modify.''' + '''Set library configuration options as required for the job.''' set_reference_config(options) for key, value in sorted(self.config_settings.items()): if value is True: @@ -277,7 +275,7 @@ REVERSE_DEPENDENCIES = { # These are not necessarily dependencies, but just minimal required changes # if a given define is the only one enabled from an exclusive group. EXCLUSIVE_GROUPS = { - 'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C'], + 'MBEDTLS_SHA256_C': ['MBEDTLS_SHA224_C'], 'MBEDTLS_SHA384_C': ['MBEDTLS_SHA512_C'], 'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C'], 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['!MBEDTLS_ECDSA_C', 
@@ -351,7 +349,9 @@ would match this regular expression.""" class ComplementaryDomain(BaseDomain): # pylint: disable=too-few-public-methods """A domain consisting of a set of loosely-related settings. Establish a list of configuration symbols. For each symbol, run a test job -with this symbol unset.""" +with this symbol unset. +If exclude is a regular expression, skip generated jobs whose description +would match this regular expression.""" def __init__(self, symbols, commands, exclude=None): """Build a domain for the specified list of configuration symbols. Each job in the domain disables one of the specified symbols. @@ -367,9 +367,12 @@ Each job runs the specified commands.""" self.jobs.append(job) class DualDomain(ExclusiveDomain, ComplementaryDomain): # pylint: disable=too-few-public-methods - """A domain that contains both the ExclusiveDomain and BaseDomain tests""" + """A domain that contains both the ExclusiveDomain and BaseDomain tests. +Both parent class __init__ calls are performed in any order and +each call adds respective jobs. The job array initialization is done once in +BaseDomain, before the parent __init__ calls.""" def __init__(self, symbols, commands, exclude=None): - super().__init__(symbols=symbols, commands=commands, exclude=exclude) + super().__init__(symbols, commands, exclude) class CipherInfo: # pylint: disable=too-few-public-methods """Collect data about cipher.h.""" @@ -402,7 +405,6 @@ class DomainData: # Find cipher IDs (block permutations and stream ciphers --- chaining # and padding modes are exercised separately) information by parsing # cipher.h, as the information is not readily available in mbedtls_config.h. - cipher_info = CipherInfo() # Find block cipher chaining and padding mode enabling macros by name. cipher_chaining_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_MODE_\w+\Z') 
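Review bot: The new `DualDomain` docstring says both parent `__init__` calls are performed "in any order", but with `class DualDomain(ExclusiveDomain, ComplementaryDomain)` the order is fixed by the MRO, and `ComplementaryDomain.__init__` is only reached if `ExclusiveDomain.__init__` itself calls `super().__init__` (its body is outside this hunk). The first docstring line also names "BaseDomain tests" where the second parent is `ComplementaryDomain`. Suggested wording: `"""A domain that runs both the ExclusiveDomain and the ComplementaryDomain jobs. The parent __init__ methods run in MRO order and each appends its jobs to the list created once in BaseDomain."""` Passing `symbols, commands, exclude` positionally only works while every class in the chain keeps the same parameter order, so the keyword form this hunk removes was the more robust one.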
@@ -417,12 +419,15 @@ class DomainData: build_and_test), # Elliptic curves. Run the test suites. 'curves': ExclusiveDomain(curve_symbols, build_and_test), - # Hash algorithms. Exclude configurations with only one - # hash which is obsolete. Run the test suites. Exclude - # SHA512 and SHA256, as these are tested with SHA384 and SHA224. + # Hash algorithms. Exclude three groups: + # - Exclusive domain of MD, RIPEMD, SHA1 (obsolete); + # - Exclusive domain of SHA224 (tested with and depends on SHA256); + # - Complementary domain of SHA224 and SHA384 - tested with and depend + # on SHA256 and SHA512, respectively. 'hashes': DualDomain(hash_symbols, build_and_test, - exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_|SHA256_|SHA512_)' \ - '|!MBEDTLS_(SHA256_|SHA512_)'), + exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_)' \ + '|MBEDTLS_SHA224_'\ + '|!MBEDTLS_(SHA224_|SHA384_)'), # Key exchange types. Only build the library and the sample # programs. 'kex': ExclusiveDomain(key_exchange_symbols, From f4b18672ffe43a4ff3e048714905fc8883f70a07 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 14 Oct 2022 07:57:00 -0400 Subject: [PATCH 49/58] depends.py: fix TLS 1.3 requirements Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 48e2f2b707..e1c8c13e24 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -257,8 +257,7 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA224_C', 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', - 'MBEDTLS_SSL_PROTO_TLS1_3'], + 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY'], 'MBEDTLS_SHA512_C': ['MBEDTLS_SHA384_C', 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'], 
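Review bot: The new `exclude` pattern for `hashes` drops the `!MBEDTLS_SHA224_C` and `!MBEDTLS_SHA384_C` complementary jobs, so a build with SHA-256 enabled but SHA-224 disabled (or SHA-512 without SHA-384) no longer appears to be exercised by this domain; the old pattern excluded `!MBEDTLS_SHA256_` and `!MBEDTLS_SHA512_` instead. The comment's "tested with and depend on" covers the case where the parent hash is removed and takes the child with it, not the case where only the child is removed, so I would either keep those two jobs or say in the comment that this combination is deliberately left untested. Separately, only the first of the three concatenated literals is a raw string and the alternatives are unanchored, so whether `MBEDTLS_SHA224_` also matches `!MBEDTLS_SHA224_C` depends on whether the caller uses `re.match` or `re.search`, which is outside this hunk.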
@@ -267,7 +266,6 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_SHA256_C', 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY'], - 'MBEDTLS_SHA384_C': ['MBEDTLS_SSL_PROTO_TLS1_3'], 'MBEDTLS_X509_RSASSA_PSS_SUPPORT': [] } @@ -277,7 +275,7 @@ REVERSE_DEPENDENCIES = { EXCLUSIVE_GROUPS = { 'MBEDTLS_SHA256_C': ['MBEDTLS_SHA224_C'], 'MBEDTLS_SHA384_C': ['MBEDTLS_SHA512_C'], - 'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C'], + 'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C', '!MBEDTLS_SSL_PROTO_TLS1_3'], 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['!MBEDTLS_ECDSA_C', '!MBEDTLS_ECDSA_DETERMINISTIC', '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', @@ -368,11 +366,9 @@ Each job runs the specified commands.""" class DualDomain(ExclusiveDomain, ComplementaryDomain): # pylint: disable=too-few-public-methods """A domain that contains both the ExclusiveDomain and BaseDomain tests. -Both parent class __init__ calls are performed in any order and +Both parent class __init__ calls are performed in any order and each call adds respective jobs. The job array initialization is done once in BaseDomain, before the parent __init__ calls.""" - def __init__(self, symbols, commands, exclude=None): - super().__init__(symbols, commands, exclude) class CipherInfo: # pylint: disable=too-few-public-methods """Collect data about cipher.h.""" From 65b2ac1f1d4da9f7b7b36eda4bcdbdf8417bcf05 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 14 Oct 2022 08:09:16 -0400 Subject: [PATCH 50/58] Change the way exclusive groups are defined in depends.py Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 48 +++++++++++++++++++++------------------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index e1c8c13e24..894857ff2d 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -273,34 +273,36 @@ REVERSE_DEPENDENCIES = { # These are not necessarily dependencies, but just minimal required changes # if a given define is the only one enabled from an exclusive group. EXCLUSIVE_GROUPS = { - 'MBEDTLS_SHA256_C': ['MBEDTLS_SHA224_C'], - 'MBEDTLS_SHA384_C': ['MBEDTLS_SHA512_C'], - 'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C', '!MBEDTLS_SSL_PROTO_TLS1_3'], - 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['!MBEDTLS_ECDSA_C', - '!MBEDTLS_ECDSA_DETERMINISTIC', - '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - '!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', - '!MBEDTLS_ECJPAKE_C', - '!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], - 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['!MBEDTLS_ECDSA_C', - '!MBEDTLS_ECDSA_DETERMINISTIC', - '!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - '!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', - '!MBEDTLS_ECJPAKE_C', - '!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], - 'MBEDTLS_ARIA_C': ['!MBEDTLS_CMAC_C'], - 'MBEDTLS_CAMELLIA_C': ['!MBEDTLS_CMAC_C'], - 'MBEDTLS_CHACHA20_C': ['!MBEDTLS_CMAC_C', '!MBEDTLS_CCM_C', '!MBEDTLS_GCM_C'], - 'MBEDTLS_DES_C': ['!MBEDTLS_CCM_C', '!MBEDTLS_GCM_C', '!MBEDTLS_SSL_TICKET_C', - '!MBEDTLS_SSL_CONTEXT_SERIALIZATION'], + 'MBEDTLS_SHA256_C': ['+MBEDTLS_SHA224_C'], + 'MBEDTLS_SHA384_C': ['+MBEDTLS_SHA512_C'], + 'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C', + '-MBEDTLS_SSL_PROTO_TLS1_3'], + 'MBEDTLS_ECP_DP_CURVE448_ENABLED': ['-MBEDTLS_ECDSA_C', + '-MBEDTLS_ECDSA_DETERMINISTIC', + '-MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', + '-MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', + '-MBEDTLS_ECJPAKE_C', + '-MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], + 'MBEDTLS_ECP_DP_CURVE25519_ENABLED': ['-MBEDTLS_ECDSA_C', + '-MBEDTLS_ECDSA_DETERMINISTIC', + '-MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', + '-MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', + '-MBEDTLS_ECJPAKE_C', + '-MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'], + 'MBEDTLS_ARIA_C': ['-MBEDTLS_CMAC_C'], + 'MBEDTLS_CAMELLIA_C': ['-MBEDTLS_CMAC_C'], + 'MBEDTLS_CHACHA20_C': ['-MBEDTLS_CMAC_C', 
'-MBEDTLS_CCM_C', '-MBEDTLS_GCM_C'], + 'MBEDTLS_DES_C': ['-MBEDTLS_CCM_C', + '-MBEDTLS_GCM_C', + '-MBEDTLS_SSL_TICKET_C', + '-MBEDTLS_SSL_CONTEXT_SERIALIZATION'], } def handle_exclusive_groups(config_settings, symbol): """For every symbol tested in an exclusive group check if there are other defines to be altered. """ for dep in EXCLUSIVE_GROUPS.get(symbol, []): - unset = dep.startswith('!') - if unset: - dep = dep[1:] + unset = dep.startswith('-') + dep = dep[1:] config_settings[dep] = not unset def turn_off_dependencies(config_settings): From c610e7402e0fe5a078c3057a4a59106be0d6c74e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 14 Oct 2022 10:02:24 -0400 Subject: [PATCH 51/58] Formatting & unnecessary (void) fixes Signed-off-by: Andrzej Kurek --- library/ssl_tls13_keys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index d22aab8de2..730e50c67a 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -38,7 +38,7 @@ #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ .name = string, -#define TLS1_3_EVOLVE_INPUT_SIZE (PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)? \ +#define TLS1_3_EVOLVE_INPUT_SIZE ( PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE ) ? \ PSA_HASH_MAX_SIZE : PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels = From 22b959d9a56e2e72342d919d9a10fd14b6c4e2b7 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Sun, 16 Oct 2022 12:51:41 -0400 Subject: [PATCH 52/58] depends.py - add SHA256 dependency of LMS Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 894857ff2d..9a5599d919 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
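Review bot: `handle_exclusive_groups` now strips the first character of every entry unconditionally (`dep = dep[1:]`), so an `EXCLUSIVE_GROUPS` value written without a `+`/`-` prefix would be silently truncated and then enabled under a wrong symbol name. Every entry in this hunk carries a prefix, but nothing enforces that for later additions; a guard before the slice, `if not dep.startswith(('+', '-')): raise ValueError('missing +/- prefix: ' + dep)`, would make a typo fail loudly instead of producing a job that tests a different configuration than its name says. The docstring could also state the convention: `+SYMBOL` enables the symbol, `-SYMBOL` disables it.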
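Review bot: `TLS1_3_EVOLVE_INPUT_SIZE` still expands to a bare conditional expression after the spacing fix, so it is unsafe inside a larger expression: in something like `TLS1_3_EVOLVE_INPUT_SIZE + 1` the `+ 1` would attach to the last operand only. Its uses are outside this hunk and may all be plain array sizes, but the name suggests it sizes a key-schedule buffer, where a mis-evaluated size is worth ruling out. Wrapping the whole expansion costs nothing: `#define TLS1_3_EVOLVE_INPUT_SIZE ( ( PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE ) ? \` followed by `PSA_HASH_MAX_SIZE : PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE )`.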
@@ -257,7 +257,9 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA224_C', 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY'], + 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', + 'MBEDTLS_LMS_C', + 'MBEDTLS_LMS_PRIVATE'], 'MBEDTLS_SHA512_C': ['MBEDTLS_SHA384_C', 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'], From a44c5bcdb7e9009deaa5c49d1a772c0eba6f9b3b Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Sun, 16 Oct 2022 12:52:20 -0400 Subject: [PATCH 53/58] depends.py: rename config_pl usage to config_py Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 9a5599d919..232e3fc77f 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -130,7 +130,7 @@ Remove the backup file if it was saved earlier.""" else: shutil.copy(options.config_backup, options.config) -def run_config_pl(options, args): +def run_config_py(options, args): """Run scripts/config.py with the specified arguments.""" cmd = ['scripts/config.py'] if options.config != 'include/mbedtls/mbedtls_config.h': 
@@ -144,11 +144,11 @@ def set_reference_config(options): The reference state is the one from which the tested configurations are derived.""" # Turn off options that are not relevant to the tests and slow them down. - run_config_pl(options, ['full']) - run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BACKTRACE']) - run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_BUFFER_ALLOC_C']) - run_config_pl(options, ['unset', 'MBEDTLS_MEMORY_DEBUG']) - run_config_pl(options, ['unset', 'MBEDTLS_TEST_HOOKS']) + run_config_py(options, ['full']) + run_config_py(options, ['unset', 'MBEDTLS_MEMORY_BACKTRACE']) + run_config_py(options, ['unset', 'MBEDTLS_MEMORY_BUFFER_ALLOC_C']) + run_config_py(options, ['unset', 'MBEDTLS_MEMORY_DEBUG']) + run_config_py(options, ['unset', 'MBEDTLS_TEST_HOOKS']) def collect_config_symbols(options): """Read the list of settings from mbedtls_config.h. @@ -198,7 +198,7 @@ If what is False, announce that the job has failed.''' args = ['unset', key] else: args = ['set', key, value] - run_config_pl(options, args) + run_config_py(options, args) def test(self, options): '''Run the job's build and test commands. From b489f958b81af0e27fadba63c7106e6c05f2e9a1 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 17 Oct 2022 06:51:10 -0400 Subject: [PATCH 54/58] depends.py: remove config options that are unset anyway Over the lifespan of this script these options have been removed from the "full" configuration. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 232e3fc77f..c5d0bbadec 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
@@ -145,9 +145,6 @@ The reference state is the one from which the tested configurations are derived.""" # Turn off options that are not relevant to the tests and slow them down. run_config_py(options, ['full']) - run_config_py(options, ['unset', 'MBEDTLS_MEMORY_BACKTRACE']) - run_config_py(options, ['unset', 'MBEDTLS_MEMORY_BUFFER_ALLOC_C']) - run_config_py(options, ['unset', 'MBEDTLS_MEMORY_DEBUG']) run_config_py(options, ['unset', 'MBEDTLS_TEST_HOOKS']) def collect_config_symbols(options): From 9387b7b34e9c10045ec49c2995e3dfa6ae04f02f Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 4 Oct 2022 08:06:59 -0400 Subject: [PATCH 55/58] Add a temporary solution to create a seedfile This caused problems if a config with SHA512 was compiled after a config without it and the seedfile did not contain enough data. Signed-off-by: Andrzej Kurek --- library/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/library/Makefile b/library/Makefile index 624773dc19..b1cdc7f0ea 100644 --- a/library/Makefile +++ b/library/Makefile @@ -199,6 +199,7 @@ all: shared static endif static: libmbedcrypto.a libmbedx509.a libmbedtls.a + cd ../tests && echo "This is a seedfile that contains 64 bytes (65 on Windows)......" > seedfile shared: libmbedcrypto.$(DLEXT) libmbedx509.$(DLEXT) libmbedtls.$(DLEXT) From 629c412e812a9e9b0fdd425b68ec289320940039 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 17 Oct 2022 08:34:40 -0400 Subject: [PATCH 56/58] depends.py documentation fixes Now that the format of exclusive groups has been changed, update the documentation using it too. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index c5d0bbadec..b86192079f 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py 
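Review bot: The recipe line added under `static:` in `library/Makefile` makes every static library build overwrite `../tests/seedfile` with a fixed, public string, from the library build instead of the test tooling. That couples building the library to the presence of a `../tests` directory (if the `cd` fails, the target fails with it) and discards whatever seed the previous test run left there. Because the content is constant it provides no entropy, so the recipe should at least say it is test-only, e.g. `# Test-only seedfile: fixed content, not entropy; 64 bytes so SHA-512 configs can read it`. Since the commit message calls this temporary, I would move the step into the tests Makefile or the script that switches configurations, so that building `library/` on its own never writes a seed file.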
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Copyright (c) 2018, Arm Limited, All Rights Reserved. +# Copyright (c) 2022, Arm Limited, All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -27,7 +27,7 @@ in the arguments is parsed to extract any configuration options (collect_config_ Then, test domains (groups of jobs, tests) are built based on predefined data collected in the DomainData class. Here, each domain has five major traits: -- domain name, can be used to run only specific tests via commandline; +- domain name, can be used to run only specific tests via command-line; - configuration building method, described in detail below; - list of symbols passed to the configuration building method; - commands to be run on each job (only build, build and test, or any other custom); 
@@ -44,17 +44,17 @@ The configuration building method can be one of the three following: direct dependencies, but rather non-trivial results of other configs missing. Then look for any unset symbols and handle their reverse dependencies. Examples of EXCLUSIVE_GROUPS usage: - - MBEDTLS_SHA224 job turns off all hashes except SHA224, however, when investigating - reverse dependencies, SHA256 is found to depend on SHA224, so it is disabled, - and then SHA224 is found to depend on SHA256, so it is also disabled. To handle - this, there's a field in EXCLUSIVE_GROUPS that states that in a SHA224 test SHA256 + - MBEDTLS_SHA256 job turns off all hashes except SHA256, however, when investigating + reverse dependencies, SHA224 is found to depend on SHA256, so it is disabled, + and then SHA256 is found to depend on SHA224, so it is also disabled. To handle + this, there's a field in EXCLUSIVE_GROUPS that states that in a SHA256 test SHA224 should also be enabled before processing reverse dependencies: - 'MBEDTLS_SHA224_C': ['MBEDTLS_SHA256_C'] + 'MBEDTLS_SHA256_C': ['+MBEDTLS_SHA224_C'] - MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C requires either SHA256 or SHA384 to work, so it also has to be disabled. This is not a dependency on SHA512_C, but a result of an exclusive domain config building method. Relevant field: - 'MBEDTLS_SHA512_C': ['!MBEDTLS_SSL_COOKIE_C'], + 'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C'], - DualDomain - combination of the two above - both complementary and exclusive domain job generation code will be run. Currently only used for hashes. 
@@ -507,7 +507,7 @@ def main(): description= "Test Mbed TLS with a subset of algorithms.\n\n" "Example usage:\n" - r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA224_C""\n" + r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA256_C""\n" "./tests/scripts/depends.py MBEDTLS_AES_C hashes\n" "./tests/scripts/depends.py cipher_id cipher_chaining\n") parser.add_argument('--color', metavar='WHEN', From b8a97e7520280112eef0083aa9ef19dbd67ee23a Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 17 Oct 2022 08:39:09 -0400 Subject: [PATCH 57/58] depends.py: rename domains argument to tasks Tasks can consist of domains and/or jobs. Signed-off-by: Andrzej Kurek --- tests/scripts/depends.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index b86192079f..ce7fee65c2 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -464,14 +464,14 @@ def run_tests(options, domain_data): """Run the desired jobs. domain_data should be a DomainData instance that describes the available domains and jobs. -Run the jobs listed in options.domains.""" +Run the jobs listed in options.tasks.""" if not hasattr(options, 'config_backup'): options.config_backup = options.config + '.bak' colors = Colors(options) jobs = [] failures = [] successes = [] - for name in options.domains: + for name in options.tasks: jobs += domain_data.get_jobs(name) backup_config(options) try: 
@@ -534,15 +534,14 @@ def main(): parser.add_argument('--make-command', metavar='CMD', help='Command to run instead of make (e.g. gmake)', action='store', default='make') - parser.add_argument('domains', metavar='DOMAIN', nargs='*', - help='The domain(s) to test (default: all). This can \ - be also a list of jobs to run.', + parser.add_argument('tasks', metavar='TASKS', nargs='*', + help='The domain(s) or job(s) to test (default: all).', default=True) options = parser.parse_args() os.chdir(options.directory) domain_data = DomainData(options) - if options.domains is True: - options.domains = sorted(domain_data.domains.keys()) + if options.tasks is True: + options.tasks = sorted(domain_data.domains.keys()) if options.list: for arg in options.list: for domain_name in sorted(getattr(domain_data, arg).keys()): From f4b8a4f9719a7009bd137da3de9f0b08863585d4 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 19 Oct 2022 09:13:11 -0400 Subject: [PATCH 58/58] pylint: ignore duplicated imports It is not uncommon to have the same imports across different python files. Ignore it when running pylint. Starting at pylint 2.14.5 this is the default value. Signed-off-by: Andrzej Kurek --- .pylintrc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pylintrc b/.pylintrc index d217ff69c5..10c93f8791 100644 --- a/.pylintrc +++ b/.pylintrc @@ -73,3 +73,7 @@ reports=no # Allow unused variables if their name starts with an underscore. # [unused-argument] dummy-variables-rgx=_.* + +[SIMILARITIES] +# Ignore imports when computing similarities. +ignore-imports=yes