Merge pull request #6385 from AndrzejKurek/depends-py-reloaded

Unified tests/scripts/depends.py - reloaded
2025-07-29 11:41:15 +03:00 · 2022-10-21 10:17:58 +02:00
parent c6952491c1 f4b8a4f971
commit 45c6792faf
28 changed files with 1020 additions and 311 deletions
--- a/library/Makefile
+++ b/library/Makefile
@ -199,6 +199,7 @@ all: shared static
 endif

 static: libmbedcrypto.a libmbedx509.a libmbedtls.a
+	cd ../tests && echo "This is a seedfile that contains 64 bytes (65 on Windows)......" > seedfile

 shared: libmbedcrypto.$(DLEXT) libmbedx509.$(DLEXT) libmbedtls.$(DLEXT)

--- a/library/aes.c
+++ b/library/aes.c
@ -1690,7 +1690,8 @@ int mbedtls_aes_self_test( int verbose )
    unsigned char key[32];
    unsigned char buf[64];
    const unsigned char *aes_tests;
-#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_OFB)
    unsigned char iv[16];
 #endif
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
--- a/library/constant_time_internal.h
+++ b/library/constant_time_internal.h
@ -46,7 +46,7 @@
 */
 unsigned mbedtls_ct_uint_mask( unsigned value );

-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)

 /** Turn a value into a mask:
 * - if \p value == 0, return the all-bits 0 mask, aka 0
@ -61,7 +61,7 @@ unsigned mbedtls_ct_uint_mask( unsigned value );
 */
 size_t mbedtls_ct_size_mask( size_t value );

-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */

 #if defined(MBEDTLS_BIGNUM_C)

--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@ -38,8 +38,8 @@
 #include <string.h>

 /*
- * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
- * available. Try SHA-256 first, 512 wastes resources
+ * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-384 is
+ * available. Try SHA-256 first, 384 wastes resources
 */
 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA)
 #define COOKIE_MD           MBEDTLS_MD_SHA224
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -1665,15 +1665,15 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,

 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        /*
-            * The next two sizes are the minimum and maximum values of
-            * data_len over all padlen values.
-            *
-            * They're independent of padlen, since we previously did
-            * data_len -= padlen.
-            *
-            * Note that max_len + maclen is never more than the buffer
-            * length, as we previously did in_msglen -= maclen too.
-            */
+        * The next two sizes are the minimum and maximum values of
+        * data_len over all padlen values.
+        *
+        * They're independent of padlen, since we previously did
+        * data_len -= padlen.
+        *
+        * Note that max_len + maclen is never more than the buffer
+        * length, as we previously did in_msglen -= maclen too.
+        */
        const size_t max_len = rec->data_len + padlen;
        const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;

--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -604,6 +604,12 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
    mbedtls_sha512_update( &ssl->handshake->fin_sha384, buf, len );
 #endif
 #endif
+#if !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
+    !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+    (void) ssl;
+    (void) buf;
+    (void) len;
+#endif
 }

 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
@ -4046,6 +4052,9 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
    const unsigned char * const end = buf + len;
    size_t session_len;
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    tls_prf_fn prf_func = NULL;
+#endif

    /*
     * The context should have been freshly setup or reset.
@ -4131,17 +4140,22 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
    ssl->transform_out = ssl->transform;
    ssl->transform_negotiate = NULL;

+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    prf_func = ssl_tls12prf_from_cs( ssl->session->ciphersuite );
+    if( prf_func == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
    /* Read random bytes and populate structure */
    if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) )
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
    ret = ssl_tls12_populate_transform( ssl->transform,
                  ssl->session->ciphersuite,
                  ssl->session->master,
 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
                  ssl->session->encrypt_then_mac,
 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
-                  ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
+                  prf_func,
                  p, /* currently pointing to randbytes */
                  MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
                  ssl->conf->endpoint,
@ -5157,6 +5171,10 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
        goto exit;

 exit:
+#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
+    !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+    (void) ssl;
+#endif
    return( psa_ssl_status_to_mbedtls( status ) );
 }
 #else /* MBEDTLS_USE_PSA_CRYPTO */
@ -5429,6 +5447,8 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de
    return( PSA_SUCCESS );
 }

+#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
+    defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int tls_prf_generic( mbedtls_md_type_t md_type,
                            const unsigned char *secret, size_t slen,
@ -5503,7 +5523,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,

    return( 0 );
 }
-
+#endif
 #else /* MBEDTLS_USE_PSA_CRYPTO */

 MBEDTLS_CHECK_RETURN_CRITICAL
@ -5909,7 +5929,10 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
        default:
            return( -1 );
    }
-
+#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
+    !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+    (void) ssl;
+#endif
    return( 0 );
 }

@ -7430,16 +7453,25 @@ exit:
 */
 static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
 {
-#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
    const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
-         mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
-
+             mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
+#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
    if( ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
        return( tls_prf_sha384 );
-#else
-    (void) ciphersuite_id;
+    else
 #endif
-    return( tls_prf_sha256 );
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+    {
+        if( ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
+            return( tls_prf_sha256 );
+    }
+#endif
+#if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
+    !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+    (void) ciphersuite_info;
+#endif
+
+    return( NULL );
 }
 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */

--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -379,6 +379,7 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              const unsigned char *end )
 {
+#if defined(MBEDTLS_ECDH_C)
    const mbedtls_ecp_curve_info *curve_info = NULL;
    const unsigned char *p = buf;
    int selected_group;
@ -435,6 +436,12 @@ static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
    ssl->handshake->offered_group_id = selected_group;

    return( 0 );
+#else
+    (void) ssl;
+    (void) buf;
+    (void) end;
+    return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+#endif
 }

 /*
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@ -38,6 +38,9 @@
 #define MBEDTLS_SSL_TLS1_3_LABEL( name, string )       \
    .name = string,

+#define TLS1_3_EVOLVE_INPUT_SIZE ( PSA_HASH_MAX_SIZE > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE ) ? \
+                                     PSA_HASH_MAX_SIZE : PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE
+
 struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
 {
    /* This seems to work in C, despite the string literal being one
@ -333,7 +336,7 @@ int mbedtls_ssl_tls13_evolve_secret(
    psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
    size_t hlen, ilen;
    unsigned char tmp_secret[ PSA_MAC_MAX_SIZE ] = { 0 };
-    unsigned char tmp_input [ MBEDTLS_ECP_MAX_BYTES ] = { 0 };
+    unsigned char tmp_input [ TLS1_3_EVOLVE_INPUT_SIZE ] = { 0 };
    psa_key_derivation_operation_t operation =
        PSA_KEY_DERIVATION_OPERATION_INIT;