mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-01 10:06:53 +03:00

Merge remote-tracking branch 'public/mbedtls-2.28' into merge-2.28

* public/mbedtls-2.28: (88 commits)
  tests/ssl_helpers: Check that message queue is popped
  Upgrade python dependencies in requirements file
  Fix some typo for include folder
  Adjust TLS protocol cases for 2.28
  Fix copypasta
  Declare the new generated files
  Add generated config tests
  Remove some settings that don't exist in 2.28
  Adjust generate_config_tests.py for 2.28
  Terminology: use "dependencies" for a list of settings
  Terminology: consistently use "setting", not "option"
  Explain why we require TLS client and server simultaneously
  Fix missing negation
  Pacify mypy
  Detect sub-options
  Generate config test cases for single options
  Anchor relative paths
  New test suite to report configuration options
  Recognize that a double-inclusion guard is not a config setting
  Add and update some .gitignore files
  ...
Manuel Pégourié-Gonnard
2024-08-08 10:03:24 +02:00
59 changed files with 30779 additions and 21971 deletions

3
.gitignore vendored

@ -2,6 +2,9 @@
seedfile
# MBEDTLS_PSA_INJECT_ENTROPY seed file created by the test framework
00000000ffffff52.psa_its
# Log files created by all.sh to reduce the logs in case a component runs
# successfully
quiet-make.*
# CMake build artifacts:
CMakeCache.txt


@ -0,0 +1,3 @@
Bugfix
* Fix the build in some configurations when check_config.h is not included.
Fix #9152.


@ -0,0 +1,5 @@
Bugfix
* Fix issue of redefinition warning messages for _GNU_SOURCE in
entropy_poll.c and sha_256.c. There was a build warning during
building for linux platform.
Resolves #9026


@ -0,0 +1,5 @@
Bugfix
* Fix error handling when creating a key in a dynamic secure element
(feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
the creation could return PSA_SUCCESS but using or destroying the key
would not work. Fixes #8537.


@ -1,47 +1,50 @@
#
# This file is autogenerated by pip-compile with Python 3.9
# This file is autogenerated by pip-compile with Python 3.8
# by the following command:
#
# pip-compile requirements.in
#
alabaster==0.7.13
# via sphinx
babel==2.12.1
babel==2.15.0
# via sphinx
breathe==4.35.0
# via -r requirements.in
certifi==2022.12.7
certifi==2024.7.4
# via requests
charset-normalizer==3.1.0
charset-normalizer==3.3.2
# via requests
docutils==0.17.1
docutils==0.20.1
# via
# breathe
# sphinx
# sphinx-rtd-theme
idna==3.4
idna==3.7
# via requests
imagesize==1.4.1
# via sphinx
importlib-metadata==6.0.0
importlib-metadata==8.0.0
# via sphinx
jinja2==3.1.2
jinja2==3.1.4
# via sphinx
markupsafe==2.1.2
markupsafe==2.1.5
# via jinja2
packaging==23.0
packaging==24.1
# via sphinx
pygments==2.14.0
pygments==2.18.0
# via sphinx
requests==2.28.2
pytz==2024.1
# via babel
requests==2.32.3
# via sphinx
snowballstemmer==2.2.0
# via sphinx
sphinx==4.5.0
sphinx==7.1.2
# via
# breathe
# sphinx-rtd-theme
sphinx-rtd-theme==1.2.0
# sphinxcontrib-jquery
sphinx-rtd-theme==2.0.0
# via -r requirements.in
sphinxcontrib-applehelp==1.0.4
# via sphinx
@ -49,7 +52,7 @@ sphinxcontrib-devhelp==1.0.2
# via sphinx
sphinxcontrib-htmlhelp==2.0.1
# via sphinx
sphinxcontrib-jquery==2.0.0
sphinxcontrib-jquery==4.1
# via sphinx-rtd-theme
sphinxcontrib-jsmath==1.0.1
# via sphinx
@ -57,10 +60,7 @@ sphinxcontrib-qthelp==1.0.3
# via sphinx
sphinxcontrib-serializinghtml==1.1.5
# via sphinx
urllib3==1.26.15
urllib3==2.2.2
# via requests
zipp==3.15.0
zipp==3.19.2
# via importlib-metadata
# The following packages are considered to be unsafe in a requirements file:
# setuptools


@ -299,7 +299,7 @@ int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
* \brief This function sets up an ECDH context from an EC key.
*
* It is used by clients and servers in place of the
* ServerKeyEchange for static ECDH, and imports ECDH
* ServerKeyExchange for static ECDH, and imports ECDH
* parameters from the EC key information of a certificate.
*
* \see ecp.h


@ -259,7 +259,7 @@ mbedtls_ecp_point;
* range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
* which is congruent mod \p P to the given MPI, and is close enough to \p pbits
* in size, so that it may be efficiently brought in the 0..P-1 range by a few
* additions or subtractions. Therefore, it is only an approximative modular
* additions or subtractions. Therefore, it is only an approximate modular
* reduction. It must return 0 on success and non-zero on failure.
*
* \note Alternative implementations must keep the group IDs distinct. If


@ -866,7 +866,7 @@ psa_status_t psa_hash_compute(psa_algorithm_t alg,
* such that #PSA_ALG_IS_HASH(\p alg) is true).
* \param[in] input Buffer containing the message to hash.
* \param input_length Size of the \p input buffer in bytes.
* \param[out] hash Buffer containing the expected hash value.
* \param[in] hash Buffer containing the expected hash value.
* \param hash_length Size of the \p hash buffer in bytes.
*
* \retval #PSA_SUCCESS
@ -1225,7 +1225,7 @@ psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
* such that #PSA_ALG_IS_MAC(\p alg) is true).
* \param[in] input Buffer containing the input message.
* \param input_length Size of the \p input buffer in bytes.
* \param[out] mac Buffer containing the expected MAC value.
* \param[in] mac Buffer containing the expected MAC value.
* \param mac_length Size of the \p mac buffer in bytes.
*
* \retval #PSA_SUCCESS
@ -2928,7 +2928,7 @@ psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
* \p key.
* \param[in] input The message whose signature is to be verified.
* \param[in] input_length Size of the \p input buffer in bytes.
* \param[out] signature Buffer containing the signature to verify.
* \param[in] signature Buffer containing the signature to verify.
* \param[in] signature_length Size of the \p signature buffer in bytes.
*
* \retval #PSA_SUCCESS \emptydescription


@ -129,11 +129,13 @@ if(WIN32)
set(libs ${libs} ws2_32)
endif(WIN32)
if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
SET(CMAKE_C_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
SET(CMAKE_CXX_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
SET(CMAKE_C_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
SET(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
if(CMAKE_C_COMPILER_ID MATCHES "AppleClang")
set(CMAKE_C_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
set(CMAKE_C_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "AppleClang")
set(CMAKE_CXX_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
set(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
endif()
if(HAIKU)


@ -5,10 +5,12 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#if defined(__linux__) || defined(__midipix__) && !defined(_GNU_SOURCE)
#if defined(__linux__) || defined(__midipix__)
/* Ensure that syscall() is available even when compiling with -std=c99 */
#if !defined(_GNU_SOURCE)
#define _GNU_SOURCE
#endif
#endif
#include "common.h"


@ -15,6 +15,7 @@
#include "mbedtls/rsa.h"
#include "mbedtls/error.h"
#include <limits.h>
#include <stdio.h>
#include <string.h>


@ -1831,6 +1831,9 @@ static psa_status_t psa_start_key_creation(
status = psa_copy_key_material_into_slot(
slot, (uint8_t *) (&slot_number), sizeof(slot_number));
if (status != PSA_SUCCESS) {
return status;
}
}
if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
@ -2259,6 +2262,50 @@ exit:
/* Message digests */
/****************************************************************/
static int is_hash_supported(psa_algorithm_t alg)
{
switch (alg) {
#if defined(PSA_WANT_ALG_MD2)
case PSA_ALG_MD2:
return 1;
#endif
#if defined(PSA_WANT_ALG_MD4)
case PSA_ALG_MD4:
return 1;
#endif
#if defined(PSA_WANT_ALG_MD5)
case PSA_ALG_MD5:
return 1;
#endif
#if defined(PSA_WANT_ALG_RIPEMD160)
case PSA_ALG_RIPEMD160:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_1)
case PSA_ALG_SHA_1:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_224)
case PSA_ALG_SHA_224:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_256)
case PSA_ALG_SHA_256:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_384)
case PSA_ALG_SHA_384:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_512)
case PSA_ALG_SHA_512:
return 1;
#endif
default:
return 0;
}
}
psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
{
/* Aborting a non-active operation is allowed */
@ -2913,16 +2960,44 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message,
if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
}
psa_algorithm_t hash_alg = 0;
if (PSA_ALG_IS_SIGN_HASH(alg)) {
if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) {
hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
}
/* Now hash_alg==0 if alg by itself doesn't need a hash.
* This is good enough for sign-hash, but a guaranteed failure for
* sign-message which needs to hash first for all algorithms
* supported at the moment. */
if (hash_alg == 0 && input_is_message) {
return PSA_ERROR_INVALID_ARGUMENT;
}
}
} else {
if (!PSA_ALG_IS_SIGN_HASH(alg)) {
if (hash_alg == PSA_ALG_ANY_HASH) {
return PSA_ERROR_INVALID_ARGUMENT;
}
/* Give up immediately if the hash is not supported. This has
* several advantages:
* - For mechanisms that don't use the hash at all (e.g.
* ECDSA verification, randomized ECDSA signature), without
* this check, the operation would succeed even though it has
* been given an invalid argument. This would not be insecure
* since the hash was not necessary, but it would be weird.
* - For mechanisms that do use the hash, we avoid an error
* deep inside the execution. In principle this doesn't matter,
* but there is a little more risk of a bug in error handling
* deep inside than in this preliminary check.
* - When calling a driver, the driver might be capable of using
* a hash that the core doesn't support. This could potentially
* result in a buffer overflow if the hash is larger than the
* maximum hash size assumed by the core.
* - Returning a consistent error makes it possible to test
* not-supported hashes in a consistent way.
*/
if (hash_alg != 0 && !is_hash_supported(hash_alg)) {
return PSA_ERROR_NOT_SUPPORTED;
}
return PSA_SUCCESS;
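Review bot: In psa_sign_verify_check_alg, the sign-hash path (`input_is_message == 0`) no longer appears to reject an `alg` that is not a sign-hash algorithm: the old `else { if (!PSA_ALG_IS_SIGN_HASH(alg)) ... }` branch looks to be on the removed side, and with `hash_alg` left at 0 every remaining check is skipped, so the function returns `PSA_SUCCESS`. The rendering has lost the +/- markers, so this reading should be confirmed against the real diff. If it holds, either restore the explicit rejection, `if (!input_is_message && !PSA_ALG_IS_SIGN_HASH(alg)) { return PSA_ERROR_INVALID_ARGUMENT; }`, or add a comment naming the later check that callers rely on to reject such an algorithm. The function's opening and closing lines are outside the hunk.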


@ -26,7 +26,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
mbedtls_cipher_id_t *cipher_id)
{
mbedtls_cipher_mode_t mode;
mbedtls_cipher_id_t cipher_id_tmp;
mbedtls_cipher_id_t cipher_id_tmp = MBEDTLS_CIPHER_ID_NONE;
if (PSA_ALG_IS_AEAD(alg)) {
alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0);


@ -16,6 +16,7 @@
#include "psa_crypto_rsa.h"
#include "psa_crypto_hash.h"
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include "mbedtls/platform.h"


@ -29,6 +29,7 @@
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
#include <limits.h>
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)

View File

@ -4452,6 +4452,7 @@ static void ssl_remove_psk(mbedtls_ssl_context *ssl)
ssl->handshake->psk_len);
mbedtls_free(ssl->handshake->psk);
ssl->handshake->psk_len = 0;
ssl->handshake->psk = NULL;
}
}

View File

@ -26,6 +26,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#include <limits.h>
#include <string.h>
#if defined(MBEDTLS_PEM_PARSE_C)

2
pkgconfig/.gitignore vendored Normal file

@ -0,0 +1,2 @@
Makefile
*.pc


@ -723,7 +723,11 @@ usage:
mbedtls_printf(" > Write MAIL FROM to server:");
fflush(stdout);
len = sprintf((char *) buf, "MAIL FROM:<%s>\r\n", opt.mail_from);
len = mbedtls_snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from);
if (len < 0 || (size_t) len >= sizeof(buf)) {
mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
goto exit;
}
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
@ -735,7 +739,11 @@ usage:
mbedtls_printf(" > Write RCPT TO to server:");
fflush(stdout);
len = sprintf((char *) buf, "RCPT TO:<%s>\r\n", opt.mail_to);
len = mbedtls_snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to);
if (len < 0 || (size_t) len >= sizeof(buf)) {
mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
goto exit;
}
ret = write_ssl_and_get_response(&ssl, buf, len);
if (ret < 200 || ret > 299) {
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
@ -759,11 +767,16 @@ usage:
mbedtls_printf(" > Write content to server:");
fflush(stdout);
len = sprintf((char *) buf, "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n"
len = mbedtls_snprintf((char *) buf, sizeof(buf),
"From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n"
"This is a simple test mail from the "
"Mbed TLS mail client example.\r\n"
"\r\n"
"Enjoy!", opt.mail_from);
if (len < 0 || (size_t) len >= sizeof(buf)) {
mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
goto exit;
}
ret = write_ssl_data(&ssl, buf, len);
len = sprintf((char *) buf, "\r\n.\r\n");
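Review bot: The last line of the third hunk still formats into `buf` with plain `sprintf`, `len = sprintf((char *) buf, "\r\n.\r\n");`, directly after the three calls this commit converts. The literal cannot overflow, but one unbounded call left in place means the file still fails a banned-function grep and invites copy-paste of the unchecked form; `len = mbedtls_snprintf((char *) buf, sizeof(buf), "\r\n.\r\n");` keeps the pattern uniform. Any other `sprintf` calls in this function that lie outside the visible hunks may deserve the same treatment.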


@ -385,7 +385,7 @@ typedef struct {
void (*entry_point)(const char *name);
} metatest_t;
/* The list of availble meta-tests. Remember to register new functions here!
/* The list of available meta-tests. Remember to register new functions here!
*
* Note that we always compile all the functions, so that `metatest --list`
* will always list all the available meta-tests.


@ -35,6 +35,8 @@
#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
#endif /* MBEDTLS_PLATFORM_C */
#include <limits.h>
#if !defined(MBEDTLS_NET_C)
int main(void)
{


@ -389,6 +389,7 @@ class ConfigFile(Config):
self.default_path)
super().__init__()
self.filename = filename
self.inclusion_guard = None
self.current_section = 'header'
with open(filename, 'r', encoding='utf-8') as file:
self.templates = [self._parse_line(line) for line in file]
@ -406,9 +407,11 @@ class ConfigFile(Config):
r'(?P<arguments>(?:\((?:\w|\s|,)*\))?)' +
r'(?P<separator>\s*)' +
r'(?P<value>.*)')
_ifndef_line_regexp = r'#ifndef (?P<inclusion_guard>\w+)'
_section_line_regexp = (r'\s*/?\*+\s*[\\@]name\s+SECTION:\s*' +
r'(?P<section>.*)[ */]*')
_config_line_regexp = re.compile(r'|'.join([_define_line_regexp,
_ifndef_line_regexp,
_section_line_regexp]))
def _parse_line(self, line):
"""Parse a line in config.h and return the corresponding template."""
@ -419,10 +422,16 @@ class ConfigFile(Config):
elif m.group('section'):
self.current_section = m.group('section')
return line
elif m.group('inclusion_guard') and self.inclusion_guard is None:
self.inclusion_guard = m.group('inclusion_guard')
return line
else:
active = not m.group('commented_out')
name = m.group('name')
value = m.group('value')
if name == self.inclusion_guard and value == '':
# The file double-inclusion guard is not an option.
return line
template = (name,
m.group('indentation'),
m.group('define') + name +
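Review bot: `_parse_line` takes the first `#ifndef NAME` line it meets as the double-inclusion guard, and any later `#define NAME` with an empty value is then returned as plain text instead of being registered as a setting. In a config file that has no guard, or that opens with a conditional block such as `#ifndef MBEDTLS_FOO` followed by `#define MBEDTLS_FOO` (a made-up name), a real setting would be dropped from the parsed configuration without any diagnostic. Requiring the `#define` to be the line immediately after the `#ifndef`, for example by clearing a pending-guard marker on every other line, would limit the match to the usual guard idiom. The tuple being built at the end of the hunk continues outside it.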


@ -6,9 +6,10 @@
import re
from typing import Dict, FrozenSet, List, Optional
from typing import Dict, FrozenSet, Iterator, List, Optional, Set
from . import macro_collector
from . import test_case
def psa_want_symbol(name: str) -> str:
@ -53,26 +54,6 @@ def automatic_dependencies(*expressions: str) -> List[str]:
used.difference_update(SYMBOLS_WITHOUT_DEPENDENCY)
return sorted(psa_want_symbol(name) for name in used)
# A temporary hack: at the time of writing, not all dependency symbols
# are implemented yet. Skip test cases for which the dependency symbols are
# not available. Once all dependency symbols are available, this hack must
# be removed so that a bug in the dependency symbols properly leads to a test
# failure.
def read_implemented_dependencies(filename: str) -> FrozenSet[str]:
return frozenset(symbol
for line in open(filename)
for symbol in re.findall(r'\bPSA_WANT_\w+\b', line))
_implemented_dependencies = None #type: Optional[FrozenSet[str]] #pylint: disable=invalid-name
def hack_dependencies_not_implemented(dependencies: List[str]) -> None:
global _implemented_dependencies #pylint: disable=global-statement,invalid-name
if _implemented_dependencies is None:
_implemented_dependencies = \
read_implemented_dependencies('include/psa/crypto_config.h')
if not all((dep.lstrip('!') in _implemented_dependencies or
not dep.lstrip('!').startswith('PSA_WANT'))
for dep in dependencies):
dependencies.append('DEPENDENCY_NOT_IMPLEMENTED_YET')
class Information:
"""Gather information about PSA constructors."""
@ -84,8 +65,13 @@ class Information:
def remove_unwanted_macros(
constructors: macro_collector.PSAMacroEnumerator
) -> None:
# Mbed TLS doesn't support finite-field DH yet and will not support
# finite-field DSA. Don't attempt to generate any related test case.
"""Remove macros from consideration during value enumeration."""
# Remove some mechanisms that are declared but not implemented.
# The corresponding test cases would be commented out anyway
# thanks to the detect_not_implemented_dependencies mechanism,
# but for those particular key types, we don't even have enough
# support in the test scripts to construct test keys. So
# we arrange to not even attempt to generate test cases.
constructors.key_types.discard('PSA_KEY_TYPE_DH_KEY_PAIR')
constructors.key_types.discard('PSA_KEY_TYPE_DH_PUBLIC_KEY')
constructors.key_types.discard('PSA_KEY_TYPE_DSA_KEY_PAIR')
@ -104,3 +90,101 @@ class Information:
self.remove_unwanted_macros(constructors)
constructors.gather_arguments()
return constructors
class TestCase(test_case.TestCase):
"""A PSA test case with automatically inferred dependencies.
For mechanisms like ECC curves where the support status includes
the key bit-size, this class assumes that only one bit-size is
involved in a given test case.
"""
# Use a class variable to cache the set of implemented dependencies.
# Call read_implemented_dependencies() to fill the cache.
_implemented_dependencies = None #type: Optional[FrozenSet[str]]
DEPENDENCY_SYMBOL_RE = re.compile(r'\bPSA_WANT_\w+\b')
@classmethod
def _yield_implemented_dependencies(cls) -> Iterator[str]:
for filename in ['include/psa/crypto_config.h',
'include/mbedtls/config_psa.h']:
with open(filename) as inp:
content = inp.read()
yield from cls.DEPENDENCY_SYMBOL_RE.findall(content)
@classmethod
def read_implemented_dependencies(cls) -> FrozenSet[str]:
if cls._implemented_dependencies is None:
cls._implemented_dependencies = \
frozenset(cls._yield_implemented_dependencies())
# Redundant return to reassure pylint (mypy is fine without it).
# Known issue: https://github.com/pylint-dev/pylint/issues/3045
return cls._implemented_dependencies
return cls._implemented_dependencies
# We skip test cases for which the dependency symbols are not defined.
# We assume that this means that a required mechanism is not implemented.
# Note that if we erroneously skip generating test cases for
# mechanisms that are not implemented, this should be caught
# by the NOT_SUPPORTED test cases generated by generate_psa_tests.py
# in test_suite_psa_crypto_not_supported and test_suite_psa_crypto_op_fail:
# those emit negative tests, which will not be skipped here.
def detect_not_implemented_dependencies(self) -> None:
"""Detect dependencies that are not implemented."""
all_implemented_dependencies = self.read_implemented_dependencies()
not_implemented = [dep
for dep in self.dependencies
if (dep.startswith('PSA_WANT') and
dep not in all_implemented_dependencies)]
if not_implemented:
self.skip_because('not implemented: ' +
' '.join(not_implemented))
def __init__(self) -> None:
super().__init__()
self.key_bits = None #type: Optional[int]
self.negated_dependencies = set() #type: Set[str]
def assumes_not_supported(self, name: str) -> None:
"""Negate the given mechanism for automatic dependency generation.
Call this function before set_arguments() for a test case that should
run if the given mechanism is not supported.
A mechanism is either a PSA_XXX symbol (e.g. PSA_KEY_TYPE_AES,
PSA_ALG_HMAC, etc.) or a PSA_WANT_XXX symbol.
"""
symbol = name
if not symbol.startswith('PSA_WANT_'):
symbol = psa_want_symbol(name)
self.negated_dependencies.add(symbol)
def set_key_bits(self, key_bits: Optional[int]) -> None:
"""Use the given key size for automatic dependency generation.
Call this function before set_arguments() if relevant.
This is only relevant for ECC and DH keys. For other key types,
this information is ignored.
"""
self.key_bits = key_bits
def set_arguments(self, arguments: List[str]) -> None:
"""Set test case arguments and automatically infer dependencies."""
super().set_arguments(arguments)
dependencies = automatic_dependencies(*arguments)
# In test cases for not-supported features, the dependencies for
# the not-supported feature(s) must be negated. We make sure that
# all negated dependencies are present in the result, even in edge
# cases where they would not be detected automatically (for example,
# to restrict ECDSA-not-supported test cases to configurations
# where neither deterministic ECDSA nor randomized ECDSA are supported,
# to avoid the edge case that both ECDSA verifications are the same).
dependencies = ([dep for dep in dependencies
if dep not in self.negated_dependencies] +
['!' + dep for dep in self.negated_dependencies])
if self.key_bits is not None:
dependencies = finish_family_dependencies(dependencies, self.key_bits)
self.dependencies += sorted(dependencies)
self.detect_not_implemented_dependencies()
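Review bot: `detect_not_implemented_dependencies` tests `dep.startswith('PSA_WANT')`, so the `'!' + dep` entries that `set_arguments` appends for negated dependencies are never checked, whereas the module-level helper that appears to be removed here stripped the `!` first. The comment block above the method suggests this is deliberate (negative test cases must not be skipped), but the docstring only says "Detect dependencies that are not implemented." I would extend it with a sentence such as `Negated dependencies ('!PSA_WANT_...') are deliberately ignored: a test case for an unsupported mechanism must still run.` so that a later cleanup does not "fix" the asymmetry.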


@ -31,6 +31,7 @@ class TestCase:
self.dependencies = [] #type: List[str]
self.function = None #type: Optional[str]
self.arguments = [] #type: List[str]
self.skip_reason = ''
def add_comment(self, *lines: str) -> None:
self.comments += lines
@ -47,6 +48,23 @@ class TestCase:
def set_arguments(self, arguments: List[str]) -> None:
self.arguments = arguments
def skip_because(self, reason: str) -> None:
"""Skip this test case.
It will be included in the output, but commented out.
This is intended for test cases that are obtained from a
systematic enumeration, but that have dependencies that cannot
be fulfilled. Since we don't want to have test cases that are
never executed, we arrange not to have actual test cases. But
we do include comments to make it easier to understand the output
of test case generation.
reason must be a non-empty string explaining to humans why this
test case is skipped.
"""
self.skip_reason = reason
def check_completeness(self) -> None:
if self.description is None:
raise MissingDescription
@ -67,10 +85,16 @@ class TestCase:
out.write('\n')
for line in self.comments:
out.write('# ' + line + '\n')
out.write(self.description + '\n')
prefix = ''
if self.skip_reason:
prefix = '## '
out.write('## # skipped because: ' + self.skip_reason + '\n')
out.write(prefix + self.description + '\n')
if self.dependencies:
out.write('depends_on:' + ':'.join(self.dependencies) + '\n')
out.write(self.function + ':' + ':'.join(self.arguments) + '\n')
out.write(prefix + 'depends_on:' +
':'.join(self.dependencies) + '\n')
out.write(prefix + self.function + ':' +
':'.join(self.arguments) + '\n')
def write_data_file(filename: str,
test_cases: Iterable[TestCase],
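Review bot: `skip_because` documents that `reason` must be a non-empty string but does not enforce it, and `write` decides whether to comment the case out with `if self.skip_reason:`. A caller that passes `''` therefore gets a test case that is emitted as live rather than skipped. A guard such as `if not reason: raise ValueError('skip reason must not be empty')` at the top of `skip_because` makes the documented contract hold. A reason containing a newline would also break out of the `## # skipped because:` comment line, so it is worth rejecting in the same check.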

14
tests/.gitignore vendored

@ -3,13 +3,13 @@
*.log
/test_suite*
data_files/mpi_write
data_files/hmac_drbg_seed
data_files/ctr_drbg_seed
data_files/entropy_seed
/data_files/mpi_write
/data_files/hmac_drbg_seed
/data_files/ctr_drbg_seed
/data_files/entropy_seed
include/test/instrument_record_status.h
/include/test/instrument_record_status.h
src/libmbed*
/src/libmbed*
libtestdriver1/*
/libtestdriver1/*


@ -98,6 +98,7 @@ FILTER=""
EXCLUDE='NULL\|DES\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
VERBOSE=""
MEMCHECK=0
MIN_TESTS=1
PRESERVE_LOGS=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
@ -118,6 +119,7 @@ print_usage() {
printf " -M|--memcheck\tCheck memory leaks and errors.\n"
printf " -v|--verbose\tSet verbose output.\n"
printf " --list-test-cases\tList all potential test cases (No Execution)\n"
printf " --min \tMinimum number of non-skipped tests (default 1)\n"
printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
@ -133,6 +135,14 @@ print_test_case() {
# list_test_case lists all potential test cases in compat.sh without execution
list_test_cases() {
# We want to call filter_ciphersuites to apply standard-defined exclusions
# (like "no RC4 with DTLS") but without user-defined exludes/filters.
EXCLUDE='^$'
FILTER=""
# ssl3 is excluded by default, but it's still available
MODES="ssl3 $MODES"
for MODE in $MODES; do
for TYPE in $TYPES; do
# PSK cipher suites do not allow client certificate verification.
@ -142,16 +152,31 @@ list_test_cases() {
fi
for VERIFY in $SUB_VERIFIES; do
VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
for PEER in $PEERS; do
reset_ciphersuites
add_common_ciphersuites
case "$PEER" in
[Oo]pen*)
add_openssl_ciphersuites
filter_ciphersuites
print_test_case m O "$M_CIPHERS"
print_test_case O m "$O_CIPHERS"
;;
[Gg]nu*)
add_gnutls_ciphersuites
filter_ciphersuites
print_test_case m G "$M_CIPHERS"
print_test_case G m "$G_CIPHERS"
;;
mbed*)
add_openssl_ciphersuites
add_gnutls_ciphersuites
add_mbedtls_ciphersuites
print_test_case m O "$O_CIPHERS"
print_test_case O m "$O_CIPHERS"
print_test_case m G "$G_CIPHERS"
print_test_case G m "$G_CIPHERS"
filter_ciphersuites
print_test_case m m "$M_CIPHERS"
;;
esac
done
done
done
done
@ -190,6 +215,9 @@ get_options() {
list_test_cases
exit $?
;;
--min)
shift; MIN_TESTS=$1
;;
--outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;;
@ -272,17 +300,9 @@ filter()
filter_ciphersuites()
{
if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
then
# Ciphersuite for Mbed TLS
M_CIPHERS=$( filter "$M_CIPHERS" )
# Ciphersuite for OpenSSL
O_CIPHERS=$( filter "$O_CIPHERS" )
# Ciphersuite for GnuTLS
G_CIPHERS=$( filter "$G_CIPHERS" )
fi
}
reset_ciphersuites()
@ -640,6 +660,8 @@ add_gnutls_ciphersuites()
;;
"RSA")
if [ `minor_ver "$MODE"` -ge 1 ]
then
# Not actually supported with all GnuTLS versions. See
# GNUTLS_HAS_TLS1_RSA_NULL_SHA256= below.
M_CIPHERS="$M_CIPHERS \
@ -648,6 +670,8 @@ add_gnutls_ciphersuites()
G_CIPHERS="$G_CIPHERS \
+RSA:+NULL:+SHA256 \
"
fi
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
@ -912,7 +936,26 @@ add_mbedtls_ciphersuites()
# o_check_ciphersuite CIPHER_SUITE_NAME
o_check_ciphersuite()
{
if [ "${O_SUPPORT_ECDH}" = "NO" ]; then
# skip DTLS when lack of support was declared
if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
SKIP_NEXT_="YES"
fi
# skip DTLS 1.2 is support was not detected
if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then
SKIP_NEXT="YES"
fi
# skip single-DES ciphersuite if no longer supported
if [ "$O_SUPPORT_SINGLE_DES" = "NO" ]; then
case "$1" in
# note: 3DES is DES-CBC3 for OpenSSL, 3DES for Mbed TLS
*-DES-CBC-*|DES-CBC-*) SKIP_NEXT="YES"
esac
fi
# skip static ECDH when OpenSSL doesn't support it
if [ "${O_SUPPORT_STATIC_ECDH}" = "NO" ]; then
case "$1" in
*ECDH-*) SKIP_NEXT="YES"
esac
@ -980,7 +1023,7 @@ setup_arguments()
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
O_SERVER_ARGS="-accept $PORT -cipher ALL,COMPLEMENTOFALL -$O_MODE"
G_SERVER_ARGS="-p $PORT --http $G_MODE"
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+3DES-CBC:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
# The default prime for `openssl s_server` depends on the version:
# * OpenSSL <= 1.0.2a: 512-bit
@ -1021,10 +1064,25 @@ setup_arguments()
esac
case $($OPENSSL ciphers ALL) in
*ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";;
*) O_SUPPORT_ECDH="NO";;
*ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_STATIC_ECDH="YES";;
*) O_SUPPORT_STATIC_ECDH="NO";;
esac
case $($OPENSSL ciphers ALL) in
*DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
*) O_SUPPORT_SINGLE_DES="NO";;
esac
# OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
# supports -dtls1_2 from the s_server help. (The s_client
# help isn't accurate as of 1.0.2g: it supports DTLS 1.2
# but doesn't list it. But the s_server help seems to be
# accurate.)
O_SUPPORT_DTLS12="NO"
if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then
O_SUPPORT_DTLS12="YES"
fi
if [ "X$VERIFY" = "XYES" ];
then
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
@ -1474,19 +1532,6 @@ for MODE in $MODES; do
[Oo]pen*)
if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
continue;
fi
# OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
# supports $O_MODE from the s_server help. (The s_client
# help isn't accurate as of 1.0.2g: it supports DTLS 1.2
# but doesn't list it. But the s_server help seems to be
# accurate.)
if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
continue;
fi
reset_ciphersuites
add_common_ciphersuites
add_openssl_ciphersuites
@ -1587,6 +1632,16 @@ fi
PASSED=$(( $TESTS - $FAILED ))
echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"
if [ $((TESTS - SKIPPED)) -lt $MIN_TESTS ]; then
cat <<EOF
Error: Expected to run at least $MIN_TESTS, but only ran $((TESTS - SKIPPED)).
Maybe a bad filter ('$FILTER' excluding '$EXCLUDE') or a bad configuration?
EOF
if [ $FAILED -eq 0 ]; then
FAILED=1
fi
fi
FAILED=$(( $FAILED + $SRVMEM ))
if [ $FAILED -gt 255 ]; then
# Clamp at 255 as caller gets exit code & 0xFF
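Review bot: In the `o_check_ciphersuite` hunk the first new block assigns `SKIP_NEXT_="YES"` (trailing underscore) while every other branch sets `SKIP_NEXT`, so the "skip DTLS when lack of support was declared" case sets a variable that nothing in the visible hunks reads. This block appears to replace the `continue` that the main-loop hunk drops, so with `OSSL_NO_DTLS` set the DTLS cases would now run instead of being skipped. The line should read `SKIP_NEXT="YES"`. Separately, `--min` stores `$1` unchecked and the final `[ $((TESTS - SKIPPED)) -lt $MIN_TESTS ]` is unquoted, so a non-numeric or empty value makes the minimum-tests guard error out and be bypassed; validating the argument where it is parsed keeps that guard fail-closed.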


@ -30,6 +30,10 @@ typedef struct {
/* Count the amount of times one of the key management driver functions
* is called. */
unsigned long hits;
/* Subset of hits which only counts public key export operations */
unsigned long hits_export_public_key;
/* Subset of hits which only counts key generation operations */
unsigned long hits_generate_key;
/* Location of the last key management driver called to import a key. */
psa_key_location_t location;
} mbedtls_test_driver_key_management_hooks_t;
@ -38,7 +42,7 @@ typedef struct {
* sense that no PSA specification will assign a meaning to this location
* (stated first in version 1.0.1 of the specification) and that it is not
* used as a location of an opaque test drivers. */
#define MBEDTLS_TEST_DRIVER_KEY_MANAGEMENT_INIT { NULL, 0, PSA_SUCCESS, 0, 0x800000 }
#define MBEDTLS_TEST_DRIVER_KEY_MANAGEMENT_INIT { NULL, 0, PSA_SUCCESS, 0, 0, 0, 0x800000 }
static inline mbedtls_test_driver_key_management_hooks_t
mbedtls_test_driver_key_management_hooks_init(void)
{
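Review bot: `MBEDTLS_TEST_DRIVER_KEY_MANAGEMENT_INIT` is still a positional initializer, now seven values long, and the two new counters had to be slotted in as bare `0`s ahead of `0x800000`. If a member of `mbedtls_test_driver_key_management_hooks_t` is later added or reordered, the location constant lands in the wrong field, and because the neighbouring members are integers the compiler will not object. If this test header may use C99, designated initializers (`.location = 0x800000` alongside named entries for the other non-default members) would remove that coupling; otherwise a comment next to the macro listing the field order would help.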


@ -304,8 +304,9 @@ cleanup()
\( -iname cmake_install.cmake -o \
-iname CTestTestfile.cmake -o \
-iname CMakeCache.txt \) -exec rm {} \+
# Recover files overwritten by in-tree CMake builds
rm -f include/Makefile include/mbedtls/Makefile programs/!(fuzz)/Makefile
# Remove Makefiles generated by in-tree CMake builds
rm -f 3rdparty/Makefile 3rdparty/*/Makefile pkgconfig/Makefile
rm -f include/Makefile programs/!(fuzz)/Makefile
# Remove any artifacts from the component_test_cmake_as_subdirectory test.
rm -rf programs/test/cmake_subproject/build
@ -886,6 +887,13 @@ component_test_default_out_of_box () {
tests/scripts/run_demos.py
}
component_build_without_check_config () {
msg "build: full without check_config.h"
scripts/config.py full
sed -i '/#include.*check_config\.h/ s!^!//!' "$CONFIG_H"
make
}
component_test_default_cmake_gcc_asan () {
msg "build: cmake, gcc, ASan" # ~ 1 min 50s
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
@ -928,8 +936,18 @@ component_test_full_cmake_gcc_asan () {
msg "test: ssl-opt.sh (full config, ASan build)"
tests/ssl-opt.sh
msg "test: compat.sh (full config, ASan build)"
tests/compat.sh
msg "test: compat.sh all except legacy/next (full config, ASan build)"
tests/compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \
-m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
msg "test: compat.sh single-DES (full config, ASan build)"
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \
-m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
# ARIA and ChachaPoly are both (D)TLS 1.2 only
msg "test: compat.sh ARIA + ChachaPoly (full config, ASan build)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \
-m 'tls12 dtls12'
msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
tests/context-info.sh
@ -1628,15 +1646,6 @@ component_test_full_cmake_clang () {
msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
msg "test: compat.sh RC4, 3DES & NULL (full config)" # ~ 2min
tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
msg "test: compat.sh single-DES (full config)" # ~ 30s
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
msg "test: compat.sh ARIA + ChachaPoly"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
skip_suites_without_constant_flow () {
@ -1925,17 +1934,18 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)"
tests/ssl-opt.sh
msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
tests/compat.sh
msg "test: compat.sh RC4, 3DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
msg "test: compat.sh all except legacy/next (full minus MBEDTLS_USE_PSA_CRYPTO)"
tests/compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \
-m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
msg "test: compat.sh single-DES (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \
-m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
# ARIA and ChachaPoly are both (D)TLS 1.2 only
msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \
-m 'tls12 dtls12'
}
component_test_psa_crypto_config_accel_ecdsa () {
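Review bot: In `component_build_without_check_config`, nothing verifies that the `sed` expression actually commented out the `check_config.h` include. If that line in `$CONFIG_H` is ever reworded, the component would build the ordinary full config and still pass. A check right after the `sed`, such as `grep -q '^//.*#include.*check_config\.h' "$CONFIG_H"`, would turn that into a failure, assuming the script treats a failing command inside a component as a component failure. `sed -i` with no suffix argument is also GNU-specific, which matters only if this component is expected to run on BSD or macOS hosts.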


@ -113,6 +113,18 @@ TASKS = {
'test_suite_psa_crypto_metadata;Asymmetric signature: pure EdDSA',
# Algorithm not supported yet
'test_suite_psa_crypto_metadata;Cipher: XTS',
# compat.sh tests with OpenSSL, DTLS 1.2 and singled-DES:
# we have no version of OpenSSL on the CI that supports both
# DTLS 1.2 and single-DES (1.0.2g is too recent for single-DES
# and 1.0.1j is too old for DTLS 1.2).
'compat;O->m dtls12,no DES-CBC-SHA',
'compat;O->m dtls12,no EDH-RSA-DES-CBC-SHA',
'compat;O->m dtls12,yes DES-CBC-SHA',
'compat;O->m dtls12,yes EDH-RSA-DES-CBC-SHA',
'compat;m->O dtls12,no TLS-DHE-RSA-WITH-DES-CBC-SHA',
'compat;m->O dtls12,no TLS-RSA-WITH-DES-CBC-SHA',
'compat;m->O dtls12,yes TLS-DHE-RSA-WITH-DES-CBC-SHA',
'compat;m->O dtls12,yes TLS-RSA-WITH-DES-CBC-SHA',
],
'full_coverage': False,
}


@ -104,17 +104,20 @@ echo
# Step 2c - Compatibility tests (keep going even if some tests fail)
echo '################ compat.sh ################'
{
echo '#### compat.sh: Default ciphers'
sh compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
echo '#### compat.sh: all except legacy/next'
sh compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \
-m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
echo
echo '#### compat.sh: legacy (null, DES, RC4)'
OPENSSL="$OPENSSL_LEGACY" \
sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
echo '#### compat.sh: legacy (single-DES)'
OPENSSL="$OPENSSL_LEGACY" sh compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \
-m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
echo
# ARIA and ChachaPoly are both (D)TLS 1.2 only
echo '#### compat.sh: next (ARIA, ChaCha)'
OPENSSL="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA'
OPENSSL="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA' \
-m 'tls12 dtls12'
echo
} | tee compat-test-$TEST_OUTPUT
echo '^^^^^^^^^^^^^^^^ compat.sh ^^^^^^^^^^^^^^^^'
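Review bot: The single-DES run filters with `-f '^DES-CBC\|-DES-CBC-'`, but the preceding run excludes `-e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA'`, and the first alternatives differ by the trailing dash. If compat.sh applies these as plain regular expressions to suite names, a name such as `DES-CBC3-SHA` passes the exclusion and also matches the filter, so it would run in both passes, the second time against `$OPENSSL_LEGACY`. Using `-f '^DES-CBC-\|-DES-CBC-'` would make the two runs partition the suites cleanly. The same pair of patterns appears in the `component_test_full_cmake_gcc_asan` and `component_test_no_use_psa_crypto_full_cmake_asan` hunks earlier on this page.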


@ -102,4 +102,5 @@ check scripts/generate_visualc_files.pl visualc/VS2010
check scripts/generate_psa_constants.py programs/psa/psa_constant_names_generated.c
check tests/scripts/generate_psa_wrappers.py tests/include/test/psa_test_wrappers.h tests/src/psa_test_wrappers.c
check tests/scripts/generate_bignum_tests.py $(tests/scripts/generate_bignum_tests.py --list)
check tests/scripts/generate_config_tests.py $(tests/scripts/generate_config_tests.py --list)
check tests/scripts/generate_psa_tests.py $(tests/scripts/generate_psa_tests.py --list)


@ -0,0 +1,164 @@
#!/usr/bin/env python3
"""Generate test data for configuration reporting.
"""
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import re
import sys
from typing import Iterable, Iterator, List, Optional, Tuple
import scripts_path # pylint: disable=unused-import
import config
from mbedtls_dev import test_case
from mbedtls_dev import test_data_generation
def single_setting_case(setting: config.Setting, when_on: bool,
dependencies: List[str],
note: Optional[str]) -> test_case.TestCase:
"""Construct a test case for a boolean setting.
This test case passes if the setting and its dependencies are enabled,
and is skipped otherwise.
* setting: the setting to be tested.
* when_on: True to test with the setting enabled, or False to test
with the setting disabled.
* dependencies: extra dependencies for the test case.
* note: a note to add after the setting name in the test description.
This is generally a summary of dependencies, and is generally empty
if the given setting is only tested once.
"""
base = setting.name if when_on else '!' + setting.name
tc = test_case.TestCase()
tc.set_function('pass')
description_suffix = ' (' + note + ')' if note else ''
tc.set_description('Config: ' + base + description_suffix)
tc.set_dependencies([base] + dependencies)
return tc
# If foo is a setting that is only meaningful when bar is enabled, set
# SIMPLE_DEPENDENCIES[foo]=bar. More generally, bar can be a colon-separated
# list of settings, meaning that all the settings must be enabled. Each setting
# in bar can be prefixed with '!' to negate it. This is the same syntax as a
# depends_on directive in test data.
# See also `dependencies_of_settting`.
SIMPLE_DEPENDENCIES = {
'MBEDTLS_AESNI_C': 'MBEDTLS_AES_C',
'MBEDTLS_ERROR_STRERROR_DUMMY': '!MBEDTLS_ERROR_C',
'MBEDTLS_GENPRIME': 'MBEDTLS_RSA_C',
'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES': 'MBEDTLS_ENTROPY_C',
'MBEDTLS_NO_PLATFORM_ENTROPY': 'MBEDTLS_ENTROPY_C',
'MBEDTLS_PKCS1_V15': 'MBEDTLS_RSA_C',
'MBEDTLS_PKCS1_V21': 'MBEDTLS_RSA_C',
'MBEDTLS_PSA_CRYPTO_CLIENT': '!MBEDTLS_PSA_CRYPTO_C',
'MBEDTLS_PSA_INJECT_ENTROPY': 'MBEDTLS_PSA_CRYPTO_C',
'MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS': 'MBEDTLS_PSA_CRYPTO_C',
'MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL': 'MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C',
}
def dependencies_of_setting(cfg: config.Config,
setting: config.Setting) -> Optional[str]:
"""Return dependencies without which a setting is not meaningful.
The dependencies of a setting express when a setting can be enabled and
is relevant. For example, if ``check_config.h`` errors out when
``defined(FOO) && !defined(BAR)``, then ``BAR`` is a dependency of ``FOO``.
If ``FOO`` has no effect when ``CORGE`` is disabled, then ``CORGE``
is a dependency of ``FOO``.
The return value can be a colon-separated list of settings, if the setting
is only meaningful when all of these settings are enabled. Each setting can
be negated by prefixing them with '!'. This is the same syntax as a
depends_on directive in test data.
"""
#pylint: disable=too-many-return-statements
name = setting.name
if name in SIMPLE_DEPENDENCIES:
return SIMPLE_DEPENDENCIES[name]
if name.startswith('MBEDTLS_') and not name.endswith('_C'):
if name.startswith('MBEDTLS_CIPHER_PADDING_'):
return 'MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC'
if name.startswith('MBEDTLS_PK_PARSE_EC_'):
return 'MBEDTLS_PK_C:MBEDTLS_PK_HAVE_ECC_KEYS'
# For TLS settings, insist on having them once off and once on in
# a configuration where both client support and server support are
# enabled. The settings are also meaningful when only one side is
# enabled, but there isn't much point in having separate records
# for client-side and server-side, so we keep things simple.
# Requiring both sides to be enabled also means we know we'll run
# tests that only run Mbed TLS against itself, which only run in
# configurations with both sides enabled.
if name.startswith('MBEDTLS_SSL_TLS1_3_'):
return 'MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL'
if name.startswith('MBEDTLS_SSL_DTLS_'):
return 'MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS'
if name.startswith('MBEDTLS_SSL_'):
return 'MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C'
for pos in re.finditer(r'_', name):
super_name = name[:pos.start()] + '_C'
if cfg.known(super_name):
return super_name
return None
def conditions_for_setting(cfg: config.Config,
setting: config.Setting
) -> Iterator[Tuple[List[str], str]]:
"""Enumerate the conditions under which to test the given setting.
* cfg: all configuration settings.
* setting: the setting to be tested.
Generate a stream of conditions, i.e. extra dependencies to test with
together with a human-readable explanation of each dependency. Some
typical cases:
* By default, generate a one-element stream with no extra dependencies.
* If the setting is ignored unless some other setting is enabled, generate
a one-element stream with that other setting as an extra dependency.
* If the setting is known to interact with some other setting, generate
a stream with one element where this setting is on and one where it's off.
* To skip the setting altogether, generate an empty stream.
"""
name = setting.name
if name.endswith('_ALT') and not config.is_seamless_alt(name):
# We don't test alt implementations, except (most) platform alts
return
dependencies = dependencies_of_setting(cfg, setting)
if dependencies:
yield [dependencies], ''
return
yield [], ''
def enumerate_boolean_setting_cases(cfg: config.Config
) -> Iterable[test_case.TestCase]:
"""Emit test cases for all boolean settings."""
for name in sorted(cfg.settings.keys()):
setting = cfg.settings[name]
if not name.startswith('PSA_WANT_') and setting.value:
continue # non-boolean setting
for when_on in True, False:
for deps, note in conditions_for_setting(cfg, setting):
yield single_setting_case(setting, when_on, deps, note)
class ConfigTestGenerator(test_data_generation.TestGenerator):
"""Generate test cases for configuration reporting."""
def __init__(self, settings):
self.mbedtls_config = config.ConfigFile()
self.targets['test_suite_config.mbedtls_boolean'] = \
lambda: enumerate_boolean_setting_cases(self.mbedtls_config)
self.psa_config = config.ConfigFile('include/psa/crypto_config.h')
self.targets['test_suite_config.psa_boolean'] = \
lambda: enumerate_boolean_setting_cases(self.psa_config)
super().__init__(settings)
if __name__ == '__main__':
test_data_generation.main(sys.argv[1:], __doc__, ConfigTestGenerator)
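Review bot: `conditions_for_setting` yields `[dependencies], ''`, where `dependencies` is the colon-separated string described in the `dependencies_of_setting` docstring. As a result `single_setting_case` passes `set_dependencies` a list whose elements can each name several settings, for example `'MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C'`. That presumably still serialises correctly if `test_case` joins the list with colons, but any code that inspects dependencies one element at a time would see a compound string; `yield dependencies.split(':'), ''` keeps one setting per element. The comment above `SIMPLE_DEPENDENCIES` also refers to `dependencies_of_settting`, which should read `dependencies_of_setting`.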


@ -25,23 +25,21 @@ from mbedtls_dev import test_data_generation
def test_case_for_key_type_not_supported(
verb: str, key_type: str, bits: int,
dependencies: List[str],
not_supported_mechanism: str,
*args: str,
param_descr: str = ''
) -> test_case.TestCase:
"""Return one test case exercising a key creation method
for an unsupported key type or size.
"""
psa_information.hack_dependencies_not_implemented(dependencies)
tc = test_case.TestCase()
tc = psa_information.TestCase()
short_key_type = crypto_knowledge.short_expression(key_type)
adverb = 'not' if dependencies else 'never'
if param_descr:
adverb = param_descr + ' ' + adverb
tc.set_description('PSA {} {} {}-bit {} supported'
.format(verb, short_key_type, bits, adverb))
tc.set_dependencies(dependencies)
tc.set_description('PSA {} {} {}-bit{} not supported'
.format(verb, short_key_type, bits,
' ' + param_descr if param_descr else ''))
tc.set_function(verb + '_not_supported')
tc.set_key_bits(bits)
tc.assumes_not_supported(not_supported_mechanism)
tc.set_arguments([key_type] + list(args))
return tc
@ -71,34 +69,27 @@ class KeyTypeNotSupported:
# Don't generate test cases for key types that are always supported.
# They would be skipped in all configurations, which is noise.
return
import_dependencies = [('!' if param is None else '') +
psa_information.psa_want_symbol(kt.name)]
if kt.params is not None:
import_dependencies += [('!' if param == i else '') +
psa_information.psa_want_symbol(sym)
for i, sym in enumerate(kt.params)]
if kt.name.endswith('_PUBLIC_KEY'):
generate_dependencies = []
if param is None:
not_supported_mechanism = kt.name
else:
generate_dependencies = import_dependencies
assert kt.params is not None
not_supported_mechanism = kt.params[param]
for bits in kt.sizes_to_test():
yield test_case_for_key_type_not_supported(
'import', kt.expression, bits,
psa_information.finish_family_dependencies(import_dependencies, bits),
not_supported_mechanism,
test_case.hex_string(kt.key_material(bits)),
param_descr=param_descr,
)
if not generate_dependencies and param is not None:
# If generation is impossible for this key type, rather than
# supported or not depending on implementation capabilities,
# only generate the test case once.
continue
# For public key we expect that key generation fails with
# INVALID_ARGUMENT. It is handled by KeyGenerate class.
# Don't generate not-supported test cases for key generation of
# public keys. Our implementation always returns
# PSA_ERROR_INVALID_ARGUMENT when attempting to generate a
# public key, so we cover this together with the positive cases
# in the KeyGenerate class.
if not kt.is_public():
yield test_case_for_key_type_not_supported(
'generate', kt.expression, bits,
psa_information.finish_family_dependencies(generate_dependencies, bits),
not_supported_mechanism,
str(bits),
param_descr=param_descr,
)
@ -124,21 +115,18 @@ class KeyTypeNotSupported:
def test_case_for_key_generation(
key_type: str, bits: int,
dependencies: List[str],
*args: str,
result: str = ''
) -> test_case.TestCase:
"""Return one test case exercising a key generation.
"""
psa_information.hack_dependencies_not_implemented(dependencies)
tc = test_case.TestCase()
tc = psa_information.TestCase()
short_key_type = crypto_knowledge.short_expression(key_type)
tc.set_description('PSA {} {}-bit'
.format(short_key_type, bits))
tc.set_dependencies(dependencies)
tc.set_function('generate_key')
tc.set_key_bits(bits)
tc.set_arguments([key_type] + list(args) + [result])
return tc
class KeyGenerate:
@ -160,28 +148,25 @@ class KeyGenerate:
PSA_ERROR_INVALID_ARGUMENT status is expected.
"""
result = 'PSA_SUCCESS'
import_dependencies = [psa_information.psa_want_symbol(kt.name)]
if kt.params is not None:
import_dependencies += [psa_information.psa_want_symbol(sym)
for i, sym in enumerate(kt.params)]
if kt.name.endswith('_PUBLIC_KEY'):
# The library checks whether the key type is a public key generically,
# before it reaches a point where it needs support for the specific key
# type, so it returns INVALID_ARGUMENT for unsupported public key types.
generate_dependencies = []
result = 'PSA_ERROR_INVALID_ARGUMENT'
else:
generate_dependencies = import_dependencies
if kt.name == 'PSA_KEY_TYPE_RSA_KEY_PAIR':
generate_dependencies.append("MBEDTLS_GENPRIME")
for bits in kt.sizes_to_test():
yield test_case_for_key_generation(
tc = test_case_for_key_generation(
kt.expression, bits,
psa_information.finish_family_dependencies(generate_dependencies, bits),
str(bits),
result
)
if result == 'PSA_ERROR_INVALID_ARGUMENT':
# The library checks whether the key type is a public key generically,
# before it reaches a point where it needs support for the specific key
# type, so it returns INVALID_ARGUMENT for unsupported public key types.
tc.set_dependencies([])
elif kt.name == 'PSA_KEY_TYPE_RSA_KEY_PAIR':
# A necessary deviation because PSA_WANT symbols don't
# distinguish between key generation and usage, but for
# RSA key generation has an extra requirement.
tc.dependencies.insert(0, 'MBEDTLS_GENPRIME')
yield tc
def test_cases_for_key_generation(self) -> Iterator[test_case.TestCase]:
"""Generate test cases that exercise the generation of keys."""
@ -223,7 +208,7 @@ class OpFail:
) -> test_case.TestCase:
"""Construct a failure test case for a one-key or keyless operation."""
#pylint: disable=too-many-arguments,too-many-locals
tc = test_case.TestCase()
tc = psa_information.TestCase()
pretty_alg = alg.short_expression()
if reason == self.Reason.NOT_SUPPORTED:
short_deps = [re.sub(r'PSA_WANT_ALG_', r'', dep)
@ -242,22 +227,22 @@ class OpFail:
pretty_alg,
pretty_reason,
' with ' + pretty_type if pretty_type else ''))
dependencies = psa_information.automatic_dependencies(alg.base_expression, key_type)
for i, dep in enumerate(dependencies):
if dep in not_deps:
dependencies[i] = '!' + dep
tc.set_dependencies(dependencies)
tc.set_function(category.name.lower() + '_fail')
arguments = [] # type: List[str]
if kt:
key_material = kt.key_material(kt.sizes_to_test()[0])
bits = kt.sizes_to_test()[0]
key_material = kt.key_material(bits)
arguments += [key_type, test_case.hex_string(key_material)]
tc.set_key_bits(bits)
arguments.append(alg.expression)
if category.is_asymmetric():
arguments.append('1' if reason == self.Reason.PUBLIC else '0')
private_only = (reason == self.Reason.PUBLIC)
arguments.append('1' if private_only else '0')
error = ('NOT_SUPPORTED' if reason == self.Reason.NOT_SUPPORTED else
'INVALID_ARGUMENT')
arguments.append('PSA_ERROR_' + error)
for dep in not_deps:
tc.assumes_not_supported(dep)
tc.set_arguments(arguments)
return tc
@ -288,9 +273,25 @@ class OpFail:
if key_is_compatible and alg.can_do(category):
# Compatible key and operation, unsupported algorithm
for dep in psa_information.automatic_dependencies(alg.base_expression):
deps = [dep]
# Special case: if one of deterministic/randomized
# ECDSA is supported but not the other, then the one
# that is not supported in the signature direction is
# still supported in the verification direction,
# because the two verification algorithms are
# identical. This property is how Mbed TLS chooses to
# behave, the specification would also allow it to
# reject the algorithm. In the generated test cases,
# we avoid this difficulty by not running the
# not-supported test case when exactly one of the
# two variants is supported.
if dep == 'PSA_WANT_ALG_DETERMINISTIC_ECDSA':
deps.append('PSA_WANT_ALG_ECDSA')
elif dep == 'PSA_WANT_ALG_ECDSA':
deps.append('PSA_WANT_ALG_DETERMINISTIC_ECDSA')
yield self.make_test_case(alg, category,
self.Reason.NOT_SUPPORTED,
kt=kt, not_deps=frozenset([dep]))
kt=kt, not_deps=frozenset(deps))
# Public key for a private-key operation
if category.is_asymmetric() and kt.is_public():
yield self.make_test_case(alg, category,
@ -461,14 +462,9 @@ class StorageFormat:
correctly.
"""
verb = 'save' if self.forward else 'read'
tc = test_case.TestCase()
tc = psa_information.TestCase()
tc.set_description(verb + ' ' + key.description)
dependencies = psa_information.automatic_dependencies(
key.lifetime.string, key.type.string,
key.alg.string, key.alg2.string,
)
dependencies = psa_information.finish_family_dependencies(dependencies, key.bits)
tc.set_dependencies(dependencies)
tc.set_key_bits(key.bits)
tc.set_function('key_storage_' + verb)
if self.forward:
extra_arguments = []
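Review bot: In the `KeyGenerate` hunk the RSA branch edits the test case with `tc.dependencies.insert(0, 'MBEDTLS_GENPRIME')`, while the branch just above it goes through the setter, `tc.set_dependencies([])`. Both adjustments only work if `psa_information.TestCase` has already derived its automatic dependencies by the time `test_case_for_key_generation` returns, presumably inside `set_arguments`, which is not visible here. If they were derived later, the inserted entry or the emptied list could be overwritten. I would state that ordering assumption in a comment, e.g. `# dependencies were derived in set_arguments(); adjust them only after that call`, and use one interface in both branches, e.g. `tc.set_dependencies(['MBEDTLS_GENPRIME'] + tc.dependencies)`. The enclosing method starts outside the hunk.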


@ -27,7 +27,8 @@ my %configs = (
'test_again_with_use_psa' => 1
},
'config-mini-tls1_1.h' => {
'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #',
# Include DES; exclude (EC)DH; only pure-RSA key exchanges
'compat' => '-m tls1_1 -e \'NULL\|RC4\|ARCFOUR\|ARIA\|CAMELLIA\|DH\|PSK\' -t RSA',
## Skip ssl-opt testing for now because ssl-opt.sh is missing a lot
## of requires_xxx so it would try to run tests that don't apply.
# 'opt' => ' ',


@ -93,6 +93,7 @@ psa_status_t mbedtls_test_transparent_generate_key(
uint8_t *key, size_t key_size, size_t *key_length)
{
++mbedtls_test_driver_key_management_hooks.hits;
++mbedtls_test_driver_key_management_hooks.hits_generate_key;
if (mbedtls_test_driver_key_management_hooks.forced_status != PSA_SUCCESS) {
return mbedtls_test_driver_key_management_hooks.forced_status;
@ -291,6 +292,7 @@ psa_status_t mbedtls_test_transparent_export_public_key(
uint8_t *data, size_t data_size, size_t *data_length)
{
++mbedtls_test_driver_key_management_hooks.hits;
++mbedtls_test_driver_key_management_hooks.hits_export_public_key;
if (mbedtls_test_driver_key_management_hooks.forced_status != PSA_SUCCESS) {
return mbedtls_test_driver_key_management_hooks.forced_status;

View File

@ -10,6 +10,8 @@
#include <test/ssl_helpers.h>
#include <limits.h>
#if defined(MBEDTLS_SSL_TLS_C)
void mbedtls_test_ssl_log_analyzer(void *ctx, int level,
@ -501,7 +503,10 @@ int mbedtls_test_mock_tcp_recv_msg(void *ctx,
* happen in test environment, unless forced manually. */
}
}
mbedtls_test_ssl_message_queue_pop_info(queue, buf_len);
ret = mbedtls_test_ssl_message_queue_pop_info(queue, buf_len);
if (ret < 0) {
return ret;
}
return (msg_len > INT_MAX) ? INT_MAX : (int) msg_len;
}
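Review bot: The new `if (ret < 0) { return ret; }` after `mbedtls_test_ssl_message_queue_pop_info()` widens the set of values `mbedtls_test_mock_tcp_recv_msg` can return, and nothing in the hunk documents that. A one-line comment above the check, such as `/* Do not report a length if the queue entry could not be popped. */`, would explain why the function bails out before the final `return`. The function's header comment is outside this hunk and should mention that a negative return can now originate from the queue bookkeeping, so tests that compare the result against specific error codes know where to look.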


@ -69,6 +69,32 @@ TCP_CLIENT="$PERL scripts/tcp_client.pl"
# alternative versions of OpenSSL and GnuTLS (no default path)
# If $OPENSSL is at least 1.1.1, use it as OPENSSL_NEXT as well.
if [ -z "${OPENSSL_NEXT:-}" ]; then
case $($OPENSSL version) in
OpenSSL\ 1.1.[1-9]*) OPENSSL_NEXT=$OPENSSL;;
OpenSSL\ [3-9]*) OPENSSL_NEXT=$OPENSSL;;
esac
fi
# If $GNUTLS_CLI is at least 3.7, use it as GNUTLS_NEXT_CLI as well.
if [ -z "${GNUTLS_NEXT_CLI:-}" ]; then
case $($GNUTLS_CLI --version) in
gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
gnutls-cli\ [4-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
esac
fi
# If $GNUTLS_SERV is at least 3.7, use it as GNUTLS_NEXT_SERV as well.
if [ -z "${GNUTLS_NEXT_SERV:-}" ]; then
case $($GNUTLS_SERV --version) in
gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
gnutls-cli\ [4-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
esac
fi
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
@ -103,6 +129,7 @@ SHOW_TEST_NUMBER=0
LIST_TESTS=0
RUN_TEST_NUMBER=''
MIN_TESTS=1
PRESERVE_LOGS=0
# Pick a "unique" server port in the range 10000-19999, and a proxy
@ -121,6 +148,7 @@ print_usage() {
printf " -s|--show-numbers\tShow test numbers in front of test names\n"
printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
printf " --list-test-cases\tList all potential test cases (No Execution)\n"
printf " --min \tMinimum number of non-skipped tests (default 1)\n"
printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --port \tTCP/UDP port (default: randomish 1xxxx)\n"
@ -152,6 +180,9 @@ get_options() {
-p|--preserve-logs)
PRESERVE_LOGS=1
;;
--min)
shift; MIN_TESTS=$1
;;
--outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;;
@ -352,9 +383,10 @@ requires_certificate_authentication () {
adapt_cmd_for_psk () {
case "$2" in
*openssl*) s='-psk abc123 -nocert';;
*gnutls-*) s='--pskkey=abc123';;
*) s='psk=abc123';;
*openssl*s_server*) s='-psk 73776f726466697368 -nocert';;
*openssl*) s='-psk 73776f726466697368';;
*gnutls-*) s='--pskusername=Client_identity --pskkey=73776f726466697368';;
*) s='psk=73776f726466697368';;
esac
eval $1='"$2 $s"'
unset s
@ -1154,7 +1186,7 @@ do_run_test_once() {
if [ -n "$PXY_CMD" ]; then
kill $PXY_PID >/dev/null 2>&1
wait $PXY_PID
wait $PXY_PID >> $PXY_OUT 2>&1
fi
}
@ -1319,7 +1351,7 @@ run_test_psa_force_curve() {
# a maximum fragment length.
# first argument ($1) is MFL for SSL client
# second argument ($2) is memory usage for SSL client with default MFL (16k)
run_test_memory_after_hanshake_with_mfl()
run_test_memory_after_handshake_with_mfl()
{
# The test passes if the difference is around 2*(16k-MFL)
MEMORY_USAGE_LIMIT="$(( $2 - ( 2 * ( 16384 - $1 )) ))"
@ -1339,7 +1371,7 @@ run_test_memory_after_hanshake_with_mfl()
# Test that the server's memory usage after a handshake is reduced when a client specifies
# different values of Maximum Fragment Length: default (16k), 4k, 2k, 1k and 512 bytes
run_tests_memory_after_hanshake()
run_tests_memory_after_handshake()
{
# all tests in this sequence requires the same configuration (see requires_config_enabled())
SKIP_THIS_TESTS="$SKIP_NEXT"
@ -1355,16 +1387,16 @@ run_tests_memory_after_hanshake()
-F "handshake_memory_get MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
run_test_memory_after_hanshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
run_test_memory_after_handshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
run_test_memory_after_hanshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
run_test_memory_after_handshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
run_test_memory_after_hanshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
run_test_memory_after_handshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
run_test_memory_after_hanshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
run_test_memory_after_handshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
}
cleanup() {
@ -1723,8 +1755,8 @@ run_test "Opaque key: server: ECDH-RSA not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: client: ECDHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
1 \
@ -1734,8 +1766,8 @@ run_test "Opaque psk: client: ECDHE-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: client: DHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
1 \
@ -1745,8 +1777,8 @@ run_test "Opaque psk: client: DHE-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: client: RSA-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
1 \
@ -1756,10 +1788,10 @@ run_test "Opaque psk: client: RSA-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: ECDHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo" \
1 \
-s "opaque PSK not supported with ECDHE-PSK" \
-s "error" \
@ -1767,10 +1799,10 @@ run_test "Opaque psk: server: ECDHE-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: DHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo" \
1 \
-s "opaque PSK not supported with DHE-PSK" \
-s "error" \
@ -1778,10 +1810,10 @@ run_test "Opaque psk: server: DHE-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: RSA-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo" \
1 \
-s "opaque PSK not supported with RSA-PSK" \
-s "error" \
@ -1935,12 +1967,14 @@ run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
# Tests for SHA-1 support
requires_config_enabled MBEDTLS_SHA1_C
run_test "SHA-1 forbidden by default in server certificate" \
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$P_CLI debug_level=2 allow_sha1=0" \
1 \
-c "The certificate is signed with an unacceptable hash"
requires_config_enabled MBEDTLS_SHA1_C
run_test "SHA-1 explicitly allowed in server certificate" \
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$P_CLI allow_sha1=1" \
@ -1951,17 +1985,23 @@ run_test "SHA-256 allowed by default in server certificate" \
"$P_CLI allow_sha1=0" \
0
requires_config_enabled MBEDTLS_SHA1_C
requires_config_enabled MBEDTLS_RSA_C
run_test "SHA-1 forbidden by default in client certificate" \
"$P_SRV auth_mode=required allow_sha1=0" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1 \
-s "The certificate is signed with an unacceptable hash"
requires_config_enabled MBEDTLS_SHA1_C
requires_config_enabled MBEDTLS_RSA_C
run_test "SHA-1 explicitly allowed in client certificate" \
"$P_SRV auth_mode=required allow_sha1=1" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
0
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "SHA-256 allowed by default in client certificate" \
"$P_SRV auth_mode=required allow_sha1=0" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
@ -4332,7 +4372,7 @@ run_test "Renegotiation: openssl server, client-initiated" \
-c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \
-c "=> renegotiate" \
-C "ssl_hanshake() returned" \
-C "ssl_handshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
@ -4345,7 +4385,7 @@ run_test "Renegotiation: gnutls server strict, client-initiated" \
-c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \
-c "=> renegotiate" \
-C "ssl_hanshake() returned" \
-C "ssl_handshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
@ -4386,7 +4426,7 @@ run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
-c "client hello, adding renegotiation extension" \
-C "found renegotiation extension" \
-c "=> renegotiate" \
-C "ssl_hanshake() returned" \
-C "ssl_handshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
@ -4449,6 +4489,7 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
# Test for the "secure renegotiation" extension only (no actual renegotiation)
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls server strict, client default" \
"$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
@ -4458,6 +4499,7 @@ run_test "Renego ext: gnutls server strict, client default" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls server unsafe, client default" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
@ -4467,6 +4509,7 @@ run_test "Renego ext: gnutls server unsafe, client default" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls server unsafe, client break legacy" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 allow_legacy=-1" \
@ -4476,6 +4519,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \
-C "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls client strict, server default" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
@ -4484,6 +4528,7 @@ run_test "Renego ext: gnutls client strict, server default" \
-s "server hello, secure renegotiation extension"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls client unsafe, server default" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
@ -4492,6 +4537,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \
-S "server hello, secure renegotiation extension"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls client unsafe, server break legacy" \
"$P_SRV debug_level=3 allow_legacy=-1" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
@ -6197,9 +6243,9 @@ run_test "DHM size: server default, client 2049, rejected" \
# Tests for PSK callback
run_test "PSK callback: psk, no callback" \
"$P_SRV psk=abc123 psk_identity=foo" \
"$P_SRV psk=73776f726466697368 psk_identity=foo" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
0 \
-S "SSL - None of the common ciphersuites is usable" \
-S "SSL - Unknown identity received" \
@ -6207,9 +6253,9 @@ run_test "PSK callback: psk, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123 psk_opaque=1" \
psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "skip PMS generation for opaque PSK"\
-S "skip PMS generation for opaque PSK"\
@ -6221,9 +6267,9 @@ run_test "PSK callback: opaque psk on client, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
psk_identity=foo psk=abc123 psk_opaque=1" \
psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "skip PMS generation for opaque PSK"\
-S "skip PMS generation for opaque PSK"\
@ -6235,9 +6281,9 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123 psk_opaque=1" \
psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "skip PMS generation for opaque PSK"\
-S "skip PMS generation for opaque PSK"\
@ -6249,9 +6295,9 @@ run_test "PSK callback: opaque psk on client, no callback, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
psk_identity=foo psk=abc123 psk_opaque=1" \
psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "skip PMS generation for opaque PSK"\
-S "skip PMS generation for opaque PSK"\
@ -6263,9 +6309,9 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
0 \
-C "skip PMS generation for opaque PSK"\
-s "skip PMS generation for opaque PSK"\
@ -6277,9 +6323,9 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
0 \
-C "skip PMS generation for opaque PSK"\
-s "skip PMS generation for opaque PSK"\
@ -6291,10 +6337,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
"$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123 extended_ms=1" \
psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@ -6306,10 +6352,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
psk_identity=foo psk=abc123 extended_ms=1" \
psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@ -6379,7 +6425,7 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@ -6393,7 +6439,7 @@ run_test "PSK callback: raw psk on client, mismatching static raw PSK on serv
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@ -6407,7 +6453,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@ -6420,7 +6466,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@ -6433,7 +6479,7 @@ run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,73776f726466697368 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
1 \
@ -6442,16 +6488,16 @@ run_test "PSK callback: raw psk on client, matching opaque PSK on server, wro
run_test "PSK callback: no psk, no callback" \
"$P_SRV" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
1 \
-s "SSL - None of the common ciphersuites is usable" \
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
run_test "PSK callback: callback overrides other settings" \
"$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
"$P_SRV psk=73776f726466697368 psk_identity=foo psk_list=abc,dead,def,beef" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
1 \
-S "SSL - None of the common ciphersuites is usable" \
-s "SSL - Unknown identity received" \
@ -6624,11 +6670,25 @@ run_test "Per-version suites: TLS 1.2" \
# Test for ClientHello without extensions
# Without extensions, ECC is impossible (no curve negotiation).
requires_config_enabled MBEDTLS_RSA_C
requires_gnutls
run_test "ClientHello without extensions" \
run_test "ClientHello without extensions: RSA" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
-s "Ciphersuite is .*-RSA-WITH-.*" \
-S "Ciphersuite is .*-EC.*" \
-s "dumping 'client hello extensions' (0 bytes)"
requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
requires_gnutls
run_test "ClientHello without extensions: PSK" \
"$P_SRV debug_level=3 psk=73776f726466697368" \
"$G_CLI --priority=NORMAL:+PSK:-RSA:-DHE-RSA:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION --pskusername=Client_identity --pskkey=73776f726466697368 localhost" \
0 \
-s "Ciphersuite is .*-PSK-.*" \
-S "Ciphersuite is .*-EC.*" \
-s "dumping 'client hello extensions' (0 bytes)"
# Tests for mbedtls_ssl_get_bytes_avail()
@ -7964,9 +8024,9 @@ run_test "SSL async private: decrypt, delay=1" \
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: decrypt RSA-PSK, delay=0" \
"$P_SRV psk=abc123 \
"$P_SRV psk=73776f726466697368 \
async_operations=d async_private_delay1=0 async_private_delay2=0" \
"$P_CLI psk=abc123 \
"$P_CLI psk=73776f726466697368 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async decrypt callback: using key slot " \
@ -7974,9 +8034,9 @@ run_test "SSL async private: decrypt RSA-PSK, delay=0" \
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: decrypt RSA-PSK, delay=1" \
"$P_SRV psk=abc123 \
"$P_SRV psk=73776f726466697368 \
async_operations=d async_private_delay1=1 async_private_delay2=1" \
"$P_CLI psk=abc123 \
"$P_CLI psk=73776f726466697368 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async decrypt callback: using key slot " \
@ -8414,8 +8474,8 @@ run_test "DTLS client auth: none, client has no cert" \
-s "! Certificate verification was skipped"
run_test "DTLS wrong PSK: badmac alert" \
"$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
"$P_CLI dtls=1 psk=abc124" \
"$P_SRV dtls=1 psk=73776f726466697368 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
"$P_CLI dtls=1 psk=73776f726466697374" \
1 \
-s "SSL - Verification of the message MAC failed" \
-c "SSL - A fatal alert message was received from our peer"
@ -10292,8 +10352,8 @@ requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
-p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
"$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
"$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=73776f726466697368 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
0 \
-s "Buffer record from epoch 1" \
-s "Found buffered record from current epoch - load" \
@ -10307,8 +10367,8 @@ client_needs_more_time 2
run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
-s "Extra-header:" \
@ -10375,8 +10435,8 @@ requires_config_enabled MBEDTLS_SSL_CACHE_C
run_test "DTLS proxy: 3d, min handshake, resumption" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 debug_level=3" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368 debug_level=3" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10390,8 +10450,8 @@ requires_config_enabled MBEDTLS_SSL_CACHE_C
run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 debug_level=3 nbio=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368 debug_level=3 nbio=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
0 \
@ -10405,8 +10465,8 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiation=1 debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368 renegotiation=1 debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10420,8 +10480,8 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiation=1 debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368 renegotiation=1 debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10435,9 +10495,9 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiation=1 exchanges=4 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10451,9 +10511,9 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2 nbio=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10548,7 +10608,7 @@ requires_config_enabled MBEDTLS_MEMORY_DEBUG
requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 16384
run_tests_memory_after_hanshake
run_tests_memory_after_handshake
if [ "$LIST_TESTS" -eq 0 ]; then
# Final report
@ -10562,6 +10622,16 @@ if [ "$LIST_TESTS" -eq 0 ]; then
fi
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
if [ $((TESTS - SKIPS)) -lt $MIN_TESTS ]; then
cat <<EOF
Error: Expected to run at least $MIN_TESTS, but only ran $((TESTS - SKIPS)).
Maybe a bad filter ('$FILTER') or a bad configuration?
EOF
if [ $FAILS -eq 0 ]; then
FAILS=1
fi
fi
fi
if [ $FAILS -gt 255 ]; then


@ -0,0 +1,9 @@
# Interesting combinations of low-level crypto options
Config: ECC: Weierstrass curves only
depends_on:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED:!MBEDTLS_ECP_MONTGOMERY_ENABLED
pass:
Config: ECC: Montgomery curves only
depends_on:!MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED:MBEDTLS_ECP_MONTGOMERY_ENABLED
pass:


@ -0,0 +1,14 @@
/* BEGIN_HEADER */
/* END_HEADER */
/* BEGIN_CASE */
/* This test case always passes. It is intended solely for configuration
* reporting in the outcome file. Write test cases using this function
* with dependencies to record in which configurations the dependencies
* are met. */
void pass()
{
goto exit;
}
/* END_CASE */
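Review bot: The body of `pass()` is a bare `goto exit;`, and nothing says why a case that always passes needs a jump. No `exit` label is defined in this file, so it is presumably supplied by the test code generator, and the jump only keeps that label referenced; this should be confirmed against the generator. A one-line comment above the statement would save the next reader the lookup, for example `/* No checks here; the jump only keeps the generated exit label referenced. */`.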

File diff suppressed because it is too large Load Diff


@ -0,0 +1,475 @@
# Automatically generated by generate_config_tests.py. Do not edit!
Config: PSA_WANT_ALG_CBC_MAC
depends_on:PSA_WANT_ALG_CBC_MAC
pass:
Config: !PSA_WANT_ALG_CBC_MAC
depends_on:!PSA_WANT_ALG_CBC_MAC
pass:
Config: PSA_WANT_ALG_CBC_NO_PADDING
depends_on:PSA_WANT_ALG_CBC_NO_PADDING
pass:
Config: !PSA_WANT_ALG_CBC_NO_PADDING
depends_on:!PSA_WANT_ALG_CBC_NO_PADDING
pass:
Config: PSA_WANT_ALG_CBC_PKCS7
depends_on:PSA_WANT_ALG_CBC_PKCS7
pass:
Config: !PSA_WANT_ALG_CBC_PKCS7
depends_on:!PSA_WANT_ALG_CBC_PKCS7
pass:
Config: PSA_WANT_ALG_CCM
depends_on:PSA_WANT_ALG_CCM
pass:
Config: !PSA_WANT_ALG_CCM
depends_on:!PSA_WANT_ALG_CCM
pass:
Config: PSA_WANT_ALG_CFB
depends_on:PSA_WANT_ALG_CFB
pass:
Config: !PSA_WANT_ALG_CFB
depends_on:!PSA_WANT_ALG_CFB
pass:
Config: PSA_WANT_ALG_CHACHA20_POLY1305
depends_on:PSA_WANT_ALG_CHACHA20_POLY1305
pass:
Config: !PSA_WANT_ALG_CHACHA20_POLY1305
depends_on:!PSA_WANT_ALG_CHACHA20_POLY1305
pass:
Config: PSA_WANT_ALG_CMAC
depends_on:PSA_WANT_ALG_CMAC
pass:
Config: !PSA_WANT_ALG_CMAC
depends_on:!PSA_WANT_ALG_CMAC
pass:
Config: PSA_WANT_ALG_CTR
depends_on:PSA_WANT_ALG_CTR
pass:
Config: !PSA_WANT_ALG_CTR
depends_on:!PSA_WANT_ALG_CTR
pass:
Config: PSA_WANT_ALG_DETERMINISTIC_ECDSA
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA
pass:
Config: !PSA_WANT_ALG_DETERMINISTIC_ECDSA
depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA
pass:
Config: PSA_WANT_ALG_ECB_NO_PADDING
depends_on:PSA_WANT_ALG_ECB_NO_PADDING
pass:
Config: !PSA_WANT_ALG_ECB_NO_PADDING
depends_on:!PSA_WANT_ALG_ECB_NO_PADDING
pass:
Config: PSA_WANT_ALG_ECDH
depends_on:PSA_WANT_ALG_ECDH
pass:
Config: !PSA_WANT_ALG_ECDH
depends_on:!PSA_WANT_ALG_ECDH
pass:
Config: PSA_WANT_ALG_ECDSA
depends_on:PSA_WANT_ALG_ECDSA
pass:
Config: !PSA_WANT_ALG_ECDSA
depends_on:!PSA_WANT_ALG_ECDSA
pass:
Config: PSA_WANT_ALG_GCM
depends_on:PSA_WANT_ALG_GCM
pass:
Config: !PSA_WANT_ALG_GCM
depends_on:!PSA_WANT_ALG_GCM
pass:
Config: PSA_WANT_ALG_HKDF
depends_on:PSA_WANT_ALG_HKDF
pass:
Config: !PSA_WANT_ALG_HKDF
depends_on:!PSA_WANT_ALG_HKDF
pass:
Config: PSA_WANT_ALG_HMAC
depends_on:PSA_WANT_ALG_HMAC
pass:
Config: !PSA_WANT_ALG_HMAC
depends_on:!PSA_WANT_ALG_HMAC
pass:
Config: PSA_WANT_ALG_MD2
depends_on:PSA_WANT_ALG_MD2
pass:
Config: !PSA_WANT_ALG_MD2
depends_on:!PSA_WANT_ALG_MD2
pass:
Config: PSA_WANT_ALG_MD4
depends_on:PSA_WANT_ALG_MD4
pass:
Config: !PSA_WANT_ALG_MD4
depends_on:!PSA_WANT_ALG_MD4
pass:
Config: PSA_WANT_ALG_MD5
depends_on:PSA_WANT_ALG_MD5
pass:
Config: !PSA_WANT_ALG_MD5
depends_on:!PSA_WANT_ALG_MD5
pass:
Config: PSA_WANT_ALG_OFB
depends_on:PSA_WANT_ALG_OFB
pass:
Config: !PSA_WANT_ALG_OFB
depends_on:!PSA_WANT_ALG_OFB
pass:
Config: PSA_WANT_ALG_RIPEMD160
depends_on:PSA_WANT_ALG_RIPEMD160
pass:
Config: !PSA_WANT_ALG_RIPEMD160
depends_on:!PSA_WANT_ALG_RIPEMD160
pass:
Config: PSA_WANT_ALG_RSA_OAEP
depends_on:PSA_WANT_ALG_RSA_OAEP
pass:
Config: !PSA_WANT_ALG_RSA_OAEP
depends_on:!PSA_WANT_ALG_RSA_OAEP
pass:
Config: PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
pass:
Config: !PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
depends_on:!PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
pass:
Config: PSA_WANT_ALG_RSA_PKCS1V15_SIGN
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN
pass:
Config: !PSA_WANT_ALG_RSA_PKCS1V15_SIGN
depends_on:!PSA_WANT_ALG_RSA_PKCS1V15_SIGN
pass:
Config: PSA_WANT_ALG_RSA_PSS
depends_on:PSA_WANT_ALG_RSA_PSS
pass:
Config: !PSA_WANT_ALG_RSA_PSS
depends_on:!PSA_WANT_ALG_RSA_PSS
pass:
Config: PSA_WANT_ALG_SHA_1
depends_on:PSA_WANT_ALG_SHA_1
pass:
Config: !PSA_WANT_ALG_SHA_1
depends_on:!PSA_WANT_ALG_SHA_1
pass:
Config: PSA_WANT_ALG_SHA_224
depends_on:PSA_WANT_ALG_SHA_224
pass:
Config: !PSA_WANT_ALG_SHA_224
depends_on:!PSA_WANT_ALG_SHA_224
pass:
Config: PSA_WANT_ALG_SHA_256
depends_on:PSA_WANT_ALG_SHA_256
pass:
Config: !PSA_WANT_ALG_SHA_256
depends_on:!PSA_WANT_ALG_SHA_256
pass:
Config: PSA_WANT_ALG_SHA_384
depends_on:PSA_WANT_ALG_SHA_384
pass:
Config: !PSA_WANT_ALG_SHA_384
depends_on:!PSA_WANT_ALG_SHA_384
pass:
Config: PSA_WANT_ALG_SHA_512
depends_on:PSA_WANT_ALG_SHA_512
pass:
Config: !PSA_WANT_ALG_SHA_512
depends_on:!PSA_WANT_ALG_SHA_512
pass:
Config: PSA_WANT_ALG_STREAM_CIPHER
depends_on:PSA_WANT_ALG_STREAM_CIPHER
pass:
Config: !PSA_WANT_ALG_STREAM_CIPHER
depends_on:!PSA_WANT_ALG_STREAM_CIPHER
pass:
Config: PSA_WANT_ALG_TLS12_PRF
depends_on:PSA_WANT_ALG_TLS12_PRF
pass:
Config: !PSA_WANT_ALG_TLS12_PRF
depends_on:!PSA_WANT_ALG_TLS12_PRF
pass:
Config: PSA_WANT_ALG_TLS12_PSK_TO_MS
depends_on:PSA_WANT_ALG_TLS12_PSK_TO_MS
pass:
Config: !PSA_WANT_ALG_TLS12_PSK_TO_MS
depends_on:!PSA_WANT_ALG_TLS12_PSK_TO_MS
pass:
Config: PSA_WANT_ALG_XTS
depends_on:PSA_WANT_ALG_XTS
pass:
Config: !PSA_WANT_ALG_XTS
depends_on:!PSA_WANT_ALG_XTS
pass:
Config: PSA_WANT_ECC_BRAINPOOL_P_R1_256
depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_256
pass:
Config: !PSA_WANT_ECC_BRAINPOOL_P_R1_256
depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_256
pass:
Config: PSA_WANT_ECC_BRAINPOOL_P_R1_384
depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_384
pass:
Config: !PSA_WANT_ECC_BRAINPOOL_P_R1_384
depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_384
pass:
Config: PSA_WANT_ECC_BRAINPOOL_P_R1_512
depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512
pass:
Config: !PSA_WANT_ECC_BRAINPOOL_P_R1_512
depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_512
pass:
Config: PSA_WANT_ECC_MONTGOMERY_255
depends_on:PSA_WANT_ECC_MONTGOMERY_255
pass:
Config: !PSA_WANT_ECC_MONTGOMERY_255
depends_on:!PSA_WANT_ECC_MONTGOMERY_255
pass:
Config: PSA_WANT_ECC_MONTGOMERY_448
depends_on:PSA_WANT_ECC_MONTGOMERY_448
pass:
Config: !PSA_WANT_ECC_MONTGOMERY_448
depends_on:!PSA_WANT_ECC_MONTGOMERY_448
pass:
Config: PSA_WANT_ECC_SECP_K1_192
depends_on:PSA_WANT_ECC_SECP_K1_192
pass:
Config: !PSA_WANT_ECC_SECP_K1_192
depends_on:!PSA_WANT_ECC_SECP_K1_192
pass:
Config: PSA_WANT_ECC_SECP_K1_224
depends_on:PSA_WANT_ECC_SECP_K1_224
pass:
Config: !PSA_WANT_ECC_SECP_K1_224
depends_on:!PSA_WANT_ECC_SECP_K1_224
pass:
Config: PSA_WANT_ECC_SECP_K1_256
depends_on:PSA_WANT_ECC_SECP_K1_256
pass:
Config: !PSA_WANT_ECC_SECP_K1_256
depends_on:!PSA_WANT_ECC_SECP_K1_256
pass:
Config: PSA_WANT_ECC_SECP_R1_192
depends_on:PSA_WANT_ECC_SECP_R1_192
pass:
Config: !PSA_WANT_ECC_SECP_R1_192
depends_on:!PSA_WANT_ECC_SECP_R1_192
pass:
Config: PSA_WANT_ECC_SECP_R1_224
depends_on:PSA_WANT_ECC_SECP_R1_224
pass:
Config: !PSA_WANT_ECC_SECP_R1_224
depends_on:!PSA_WANT_ECC_SECP_R1_224
pass:
Config: PSA_WANT_ECC_SECP_R1_256
depends_on:PSA_WANT_ECC_SECP_R1_256
pass:
Config: !PSA_WANT_ECC_SECP_R1_256
depends_on:!PSA_WANT_ECC_SECP_R1_256
pass:
Config: PSA_WANT_ECC_SECP_R1_384
depends_on:PSA_WANT_ECC_SECP_R1_384
pass:
Config: !PSA_WANT_ECC_SECP_R1_384
depends_on:!PSA_WANT_ECC_SECP_R1_384
pass:
Config: PSA_WANT_ECC_SECP_R1_521
depends_on:PSA_WANT_ECC_SECP_R1_521
pass:
Config: !PSA_WANT_ECC_SECP_R1_521
depends_on:!PSA_WANT_ECC_SECP_R1_521
pass:
Config: PSA_WANT_KEY_TYPE_AES
depends_on:PSA_WANT_KEY_TYPE_AES
pass:
Config: !PSA_WANT_KEY_TYPE_AES
depends_on:!PSA_WANT_KEY_TYPE_AES
pass:
Config: PSA_WANT_KEY_TYPE_ARC4
depends_on:PSA_WANT_KEY_TYPE_ARC4
pass:
Config: !PSA_WANT_KEY_TYPE_ARC4
depends_on:!PSA_WANT_KEY_TYPE_ARC4
pass:
Config: PSA_WANT_KEY_TYPE_ARIA
depends_on:PSA_WANT_KEY_TYPE_ARIA
pass:
Config: !PSA_WANT_KEY_TYPE_ARIA
depends_on:!PSA_WANT_KEY_TYPE_ARIA
pass:
Config: PSA_WANT_KEY_TYPE_CAMELLIA
depends_on:PSA_WANT_KEY_TYPE_CAMELLIA
pass:
Config: !PSA_WANT_KEY_TYPE_CAMELLIA
depends_on:!PSA_WANT_KEY_TYPE_CAMELLIA
pass:
Config: PSA_WANT_KEY_TYPE_CHACHA20
depends_on:PSA_WANT_KEY_TYPE_CHACHA20
pass:
Config: !PSA_WANT_KEY_TYPE_CHACHA20
depends_on:!PSA_WANT_KEY_TYPE_CHACHA20
pass:
Config: PSA_WANT_KEY_TYPE_DERIVE
depends_on:PSA_WANT_KEY_TYPE_DERIVE
pass:
Config: !PSA_WANT_KEY_TYPE_DERIVE
depends_on:!PSA_WANT_KEY_TYPE_DERIVE
pass:
Config: PSA_WANT_KEY_TYPE_DES
depends_on:PSA_WANT_KEY_TYPE_DES
pass:
Config: !PSA_WANT_KEY_TYPE_DES
depends_on:!PSA_WANT_KEY_TYPE_DES
pass:
Config: PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
pass:
Config: !PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
depends_on:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
pass:
Config: PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
pass:
Config: !PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
depends_on:!PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
pass:
Config: PSA_WANT_KEY_TYPE_HMAC
depends_on:PSA_WANT_KEY_TYPE_HMAC
pass:
Config: !PSA_WANT_KEY_TYPE_HMAC
depends_on:!PSA_WANT_KEY_TYPE_HMAC
pass:
Config: PSA_WANT_KEY_TYPE_RAW_DATA
depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
pass:
Config: !PSA_WANT_KEY_TYPE_RAW_DATA
depends_on:!PSA_WANT_KEY_TYPE_RAW_DATA
pass:
Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
pass:
Config: !PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
depends_on:!PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
pass:
Config: PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
pass:
Config: !PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
depends_on:!PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
pass:
# End of automatically generated file.


@ -0,0 +1,9 @@
# Interesting combinations of PSA options
Config: PSA_WANT_ALG_ECDSA without PSA_WANT_ALG_DETERMINISTIC_ECDSA
depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA
pass:
Config: PSA_WANT_ALG_DETERMINSTIC_ECDSA without PSA_WANT_ALG_ECDSA
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA
pass:
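Review bot: The description of the second case spells the setting `PSA_WANT_ALG_DETERMINSTIC_ECDSA` (missing an `I`), while its `depends_on` line uses the correct `PSA_WANT_ALG_DETERMINISTIC_ECDSA`. The `pass` function's own comment on this page says these cases exist for configuration reporting in the outcome file, so the description is the part a reader would search for. A search for the real setting name would miss this entry. The line should read `Config: PSA_WANT_ALG_DETERMINISTIC_ECDSA without PSA_WANT_ALG_ECDSA`.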


@ -0,0 +1,13 @@
# Interesting combinations of TLS options
Config: TLS 1.0 only
depends_on:!MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_SSL_PROTO_TLS1:!MBEDTLS_SSL_PROTO_TLS1_1:!MBEDTLS_SSL_PROTO_TLS1_2:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
pass:
Config: TLS 1.1 only
depends_on:!MBEDTLS_SSL_PROTO_SSL3:!MBEDTLS_SSL_PROTO_TLS1:MBEDTLS_SSL_PROTO_TLS1_1:!MBEDTLS_SSL_PROTO_TLS1_2:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
pass:
Config: TLS 1.2 only
depends_on:!MBEDTLS_SSL_PROTO_SSL3:!MBEDTLS_SSL_PROTO_TLS1:!MBEDTLS_SSL_PROTO_TLS1_1:MBEDTLS_SSL_PROTO_TLS1_2:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
pass:


@ -939,19 +939,19 @@ depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:MBEDTLS_PKCS5_C
pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #100.1 (512-bit)
depends_on:MBEDTLS_PEM_C
depends_on:MBEDTLS_PEM_PARSE_C
pk_parse_keyfile_rsa:"data_files/rsa512.key":"":0
Parse RSA Key #100.1 (521-bit)
depends_on:MBEDTLS_PEM_C
depends_on:MBEDTLS_PEM_PARSE_C
pk_parse_keyfile_rsa:"data_files/rsa521.key":"":0
Parse RSA Key #100.1 (522-bit)
depends_on:MBEDTLS_PEM_C
depends_on:MBEDTLS_PEM_PARSE_C
pk_parse_keyfile_rsa:"data_files/rsa522.key":"":0
Parse RSA Key #100.1 (528-bit)
depends_on:MBEDTLS_PEM_C
depends_on:MBEDTLS_PEM_PARSE_C
pk_parse_keyfile_rsa:"data_files/rsa528.key":"":0
Parse Public RSA Key #1 (PKCS#8 wrapped)


@ -789,8 +789,8 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY
agreement_key_policy:0:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ERROR_NOT_PERMITTED
PSA key policy: agreement + KDF, wrong agreement algorithm
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_FFDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_KEY_AGREEMENT(PSA_ALG_FFDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ERROR_NOT_PERMITTED
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_KEY_AGREEMENT(0, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_ERROR_NOT_PERMITTED
PSA key policy: agreement + KDF, wrong KDF algorithm
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_224:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
@ -809,8 +809,8 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:P
raw_agreement_key_policy:0:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_ECDH:PSA_ERROR_NOT_PERMITTED
PSA key policy: raw agreement, wrong algorithm
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
raw_agreement_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_FFDH:PSA_ERROR_NOT_PERMITTED
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
raw_agreement_key_policy:PSA_KEY_USAGE_DERIVE:0:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_ECDH:PSA_ERROR_NOT_PERMITTED
PSA key policy: raw agreement, key permits raw agreement, but algorithm is not raw
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_ECDH_C
@ -2752,6 +2752,29 @@ PSA verify hash with keypair: ECDSA SECP256R1, good
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
# The next 4 test cases check what happens if only one of the two ECDSA
# variants is supported. The ECDSA variants (deterministic and randomized)
# are different signature algorithms that can be enabled independently,
# but they have the same verification. Mbed TLS accepts either variant
# as the algorithm requested for verification even if that variant is not
# supported. Test that this works. It would also be acceptable if the
# library returned NOT_SUPPORTED in this case.
PSA verify hash: ECDSA SECP256R1, only deterministic supported
depends_on:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
PSA verify hash with keypair: ECDSA SECP256R1, only deterministic supported
depends_on:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
PSA verify hash: deterministic ECDSA SECP256R1, only randomized supported
depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
PSA verify hash with keypair: determinitic ECDSA SECP256R1, only randomized supported
depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE
@ -2817,14 +2840,14 @@ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS
sign_message_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263":0:PSA_ERROR_INVALID_ARGUMENT
PSA sign message: RSA PKCS#1 v1.5 SHA-256, invalid key type
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_CHACHA20:MBEDTLS_MD_C
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_CHACHA20:MBEDTLS_MD_C
sign_message_fail:PSA_KEY_TYPE_CHACHA20:"4bddc98c551a95395ef719557f813656b566bc45aac04eca3866324cc75489f2":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":128:PSA_ERROR_INVALID_ARGUMENT
PSA sign message: ECDSA SECP256R1 SHA-256, invalid hash (wildcard)
PSA sign message: ECDSA SECP256R1, invalid hash (wildcard)
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C
sign_message_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):"616263":64:PSA_ERROR_INVALID_ARGUMENT
PSA sign message: ECDSA SECP256R1 SHA-256, invalid hash algorithm (0)
PSA sign message: ECDSA SECP256R1, invalid hash algorithm (0)
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C
sign_message_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(0):"616263":64:PSA_ERROR_INVALID_ARGUMENT
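Review bot: The case titled `PSA verify hash: deterministic ECDSA SECP256R1, only randomized supported` passes `PSA_ALG_ECDSA_ANY` to `verify_hash`, so under `PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA` it appears to request the enabled randomized variant rather than the disabled one. Its keypair twin passes `PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256)`, which is what the comment above these four cases describes. If that is the intent, the public-key case should pass `PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256)` as well; as written, the "verification accepts the unsupported variant" path is only covered for key pairs in that configuration. The keypair case's title also misspells `deterministic` as `determinitic`, which makes the case harder to find by name in test reports.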


@ -238,10 +238,11 @@ generate_key through transparent driver: fake
generate_key:PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_SUCCESS
generate_key through transparent driver: in-driver
depends_on:MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_SUCCESS:"":PSA_SUCCESS
generate_key through transparent driver: fallback
depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR
depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256
generate_key:PSA_ERROR_NOT_SUPPORTED:"":PSA_SUCCESS
generate_key through transparent driver: fallback not available


@ -300,13 +300,14 @@ void generate_key(int force_status_arg,
fake_output->len;
}
mbedtls_test_driver_key_management_hooks.hits = 0;
mbedtls_test_driver_key_management_hooks.forced_status = force_status;
PSA_ASSERT(psa_crypto_init());
mbedtls_test_driver_key_management_hooks.hits = 0;
mbedtls_test_driver_key_management_hooks.hits_generate_key = 0;
mbedtls_test_driver_key_management_hooks.forced_status = force_status;
actual_status = psa_generate_key(&attributes, &key);
TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits, 1);
TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits_generate_key, 1);
TEST_EQUAL(actual_status, expected_status);
if (actual_status == PSA_SUCCESS) {
@ -425,6 +426,7 @@ void export_key(int force_status_arg,
mbedtls_test_driver_key_management_hooks.hits = 0;
mbedtls_test_driver_key_management_hooks.forced_status = force_status;
mbedtls_test_driver_key_management_hooks.hits_export_public_key = 0;
if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(output_key_type)) {
actual_status = psa_export_public_key(handle,
@ -441,7 +443,7 @@ void export_key(int force_status_arg,
if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(output_key_type) &&
!PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(input_key_type)) {
TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits, 1);
TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits_export_public_key, 1);
}
if (actual_status == PSA_SUCCESS) {
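Review bot: The assignments to `hits`, `hits_generate_key` and `forced_status` in generate_key now appear to sit below `PSA_ASSERT(psa_crypto_init())`, with no comment saying why the order matters, so a later cleanup could move them back above the init call. Presumably the point is that driver entry points reached during initialisation must be neither counted nor forced to fail. If so, state it next to the assignments, e.g. `/* Set up the hooks after psa_crypto_init() so that driver calls made during init are neither counted nor forced to fail. */`. The added `hits_export_public_key = 0` in export_key would benefit from the same one-line explanation of why a per-entry-point counter replaces the shared `hits` check. Both function bodies start and end outside the visible hunks.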


@ -109,11 +109,11 @@ depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
generate_key:PSA_KEY_TYPE_RAW_DATA:128:PSA_SUCCESS:
PSA RSA_KEY_PAIR 1024-bit
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_GENPRIME
depends_on:MBEDTLS_GENPRIME:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_SUCCESS:
PSA RSA_KEY_PAIR 1536-bit
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_GENPRIME
depends_on:MBEDTLS_GENPRIME:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1536:PSA_SUCCESS:
PSA RSA_PUBLIC_KEY 1024-bit
@ -122,48 +122,56 @@ generate_key:PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:PSA_ERROR_INVALID_ARGUMENT:
PSA RSA_PUBLIC_KEY 1536-bit
generate_key:PSA_KEY_TYPE_RSA_PUBLIC_KEY:1536:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 160-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_BRAINPOOL_P_R1_160:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):160:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_BRAINPOOL_P_R1_160
## PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 160-bit
## depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_160:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):160:PSA_SUCCESS:
PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 192-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_BRAINPOOL_P_R1_192:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):192:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_BRAINPOOL_P_R1_192
## PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 192-bit
## depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):192:PSA_SUCCESS:
PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 224-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_BRAINPOOL_P_R1_224:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):224:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_BRAINPOOL_P_R1_224
## PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 224-bit
## depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_224:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):224:PSA_SUCCESS:
PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 256-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_BRAINPOOL_P_R1_256
depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):256:PSA_SUCCESS:
PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 320-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_BRAINPOOL_P_R1_320:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):320:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_BRAINPOOL_P_R1_320
## PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 320-bit
## depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_320:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):320:PSA_SUCCESS:
PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 384-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_BRAINPOOL_P_R1_384
depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):384:PSA_SUCCESS:
PSA ECC_KEY_PAIR(BRAINPOOL_P_R1) 512-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_BRAINPOOL_P_R1_512
depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):512:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 160-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):160:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_BRAINPOOL_P_R1_160
## PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 160-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):160:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 192-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):192:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_BRAINPOOL_P_R1_192
## PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 192-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):192:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 224-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):224:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_BRAINPOOL_P_R1_224
## PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 224-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):224:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 256-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):256:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 320-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):320:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_BRAINPOOL_P_R1_320
## PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 320-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):320:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 384-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):384:PSA_ERROR_INVALID_ARGUMENT:
@ -172,11 +180,11 @@ PSA ECC_PUBLIC_KEY(BRAINPOOL_P_R1) 512-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_BRAINPOOL_P_R1):512:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(MONTGOMERY) 255-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_255
depends_on:PSA_WANT_ECC_MONTGOMERY_255:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_SUCCESS:
PSA ECC_KEY_PAIR(MONTGOMERY) 448-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_MONTGOMERY_448
depends_on:PSA_WANT_ECC_MONTGOMERY_448:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(MONTGOMERY) 255-bit
@ -186,44 +194,46 @@ PSA ECC_PUBLIC_KEY(MONTGOMERY) 448-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_MONTGOMERY):448:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(SECP_K1) 192-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_K1_192
depends_on:PSA_WANT_ECC_SECP_K1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):192:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECP_K1) 225-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_K1_225:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):225:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECP_K1_225
## PSA ECC_KEY_PAIR(SECP_K1) 225-bit
## depends_on:PSA_WANT_ECC_SECP_K1_225:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):225:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECP_K1) 256-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_K1_256
depends_on:PSA_WANT_ECC_SECP_K1_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):256:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(SECP_K1) 192-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_K1):192:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECP_K1) 225-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_K1):225:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECP_K1_225
## PSA ECC_PUBLIC_KEY(SECP_K1) 225-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_K1):225:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECP_K1) 256-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_K1):256:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(SECP_R1) 192-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_192
depends_on:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):192:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECP_R1) 224-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_224
depends_on:PSA_WANT_ECC_SECP_R1_224:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):224:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECP_R1) 256-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
depends_on:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECP_R1) 384-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_384
depends_on:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECP_R1) 521-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_521
depends_on:PSA_WANT_ECC_SECP_R1_521:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(SECP_R1) 192-bit
@ -241,109 +251,139 @@ generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):384:PSA_ERROR_I
PSA ECC_PUBLIC_KEY(SECP_R1) 521-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):521:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(SECP_R2) 160-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R2_160:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):160:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECP_R2_160
## PSA ECC_KEY_PAIR(SECP_R2) 160-bit
## depends_on:PSA_WANT_ECC_SECP_R2_160:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R2):160:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(SECP_R2) 160-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R2):160:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECP_R2_160
## PSA ECC_PUBLIC_KEY(SECP_R2) 160-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R2):160:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(SECT_K1) 163-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_K1_163:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):163:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_163
## PSA ECC_KEY_PAIR(SECT_K1) 163-bit
## depends_on:PSA_WANT_ECC_SECT_K1_163:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):163:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_K1) 233-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_K1_233:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):233:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_233
## PSA ECC_KEY_PAIR(SECT_K1) 233-bit
## depends_on:PSA_WANT_ECC_SECT_K1_233:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):233:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_K1) 239-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_K1_239:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):239:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_239
## PSA ECC_KEY_PAIR(SECT_K1) 239-bit
## depends_on:PSA_WANT_ECC_SECT_K1_239:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):239:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_K1) 283-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_K1_283:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):283:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_283
## PSA ECC_KEY_PAIR(SECT_K1) 283-bit
## depends_on:PSA_WANT_ECC_SECT_K1_283:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):283:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_K1) 409-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_K1_409:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):409:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_409
## PSA ECC_KEY_PAIR(SECT_K1) 409-bit
## depends_on:PSA_WANT_ECC_SECT_K1_409:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):409:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_K1) 571-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_K1_571:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):571:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_571
## PSA ECC_KEY_PAIR(SECT_K1) 571-bit
## depends_on:PSA_WANT_ECC_SECT_K1_571:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_K1):571:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(SECT_K1) 163-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):163:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_163
## PSA ECC_PUBLIC_KEY(SECT_K1) 163-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):163:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_K1) 233-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):233:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_233
## PSA ECC_PUBLIC_KEY(SECT_K1) 233-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):233:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_K1) 239-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):239:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_239
## PSA ECC_PUBLIC_KEY(SECT_K1) 239-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):239:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_K1) 283-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):283:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_283
## PSA ECC_PUBLIC_KEY(SECT_K1) 283-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):283:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_K1) 409-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):409:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_409
## PSA ECC_PUBLIC_KEY(SECT_K1) 409-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):409:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_K1) 571-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):571:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_K1_571
## PSA ECC_PUBLIC_KEY(SECT_K1) 571-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_K1):571:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(SECT_R1) 163-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_R1_163:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):163:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_163
## PSA ECC_KEY_PAIR(SECT_R1) 163-bit
## depends_on:PSA_WANT_ECC_SECT_R1_163:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):163:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_R1) 233-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_R1_233:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):233:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_233
## PSA ECC_KEY_PAIR(SECT_R1) 233-bit
## depends_on:PSA_WANT_ECC_SECT_R1_233:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):233:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_R1) 283-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_R1_283:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):283:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_283
## PSA ECC_KEY_PAIR(SECT_R1) 283-bit
## depends_on:PSA_WANT_ECC_SECT_R1_283:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):283:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_R1) 409-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_R1_409:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):409:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_409
## PSA ECC_KEY_PAIR(SECT_R1) 409-bit
## depends_on:PSA_WANT_ECC_SECT_R1_409:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):409:PSA_SUCCESS:
PSA ECC_KEY_PAIR(SECT_R1) 571-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_R1_571:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):571:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_571
## PSA ECC_KEY_PAIR(SECT_R1) 571-bit
## depends_on:PSA_WANT_ECC_SECT_R1_571:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R1):571:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(SECT_R1) 163-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):163:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_163
## PSA ECC_PUBLIC_KEY(SECT_R1) 163-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):163:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_R1) 233-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):233:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_233
## PSA ECC_PUBLIC_KEY(SECT_R1) 233-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):233:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_R1) 283-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):283:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_283
## PSA ECC_PUBLIC_KEY(SECT_R1) 283-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):283:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_R1) 409-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):409:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_409
## PSA ECC_PUBLIC_KEY(SECT_R1) 409-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):409:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(SECT_R1) 571-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):571:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R1_571
## PSA ECC_PUBLIC_KEY(SECT_R1) 571-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R1):571:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(SECT_R2) 163-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECT_R2_163:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):163:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R2_163
## PSA ECC_KEY_PAIR(SECT_R2) 163-bit
## depends_on:PSA_WANT_ECC_SECT_R2_163:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECT_R2):163:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(SECT_R2) 163-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R2):163:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_SECT_R2_163
## PSA ECC_PUBLIC_KEY(SECT_R2) 163-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECT_R2):163:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_KEY_PAIR(TWISTED_EDWARDS) 255-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_TWISTED_EDWARDS_255:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_TWISTED_EDWARDS):255:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_TWISTED_EDWARDS_255
## PSA ECC_KEY_PAIR(TWISTED_EDWARDS) 255-bit
## depends_on:PSA_WANT_ECC_TWISTED_EDWARDS_255:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_TWISTED_EDWARDS):255:PSA_SUCCESS:
PSA ECC_KEY_PAIR(TWISTED_EDWARDS) 448-bit
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_TWISTED_EDWARDS_448:DEPENDENCY_NOT_IMPLEMENTED_YET
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_TWISTED_EDWARDS):448:PSA_SUCCESS:
## # skipped because: not implemented: PSA_WANT_ECC_TWISTED_EDWARDS_448
## PSA ECC_KEY_PAIR(TWISTED_EDWARDS) 448-bit
## depends_on:PSA_WANT_ECC_TWISTED_EDWARDS_448:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
## generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_TWISTED_EDWARDS):448:PSA_SUCCESS:
PSA ECC_PUBLIC_KEY(TWISTED_EDWARDS) 255-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS):255:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_TWISTED_EDWARDS_255
## PSA ECC_PUBLIC_KEY(TWISTED_EDWARDS) 255-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS):255:PSA_ERROR_INVALID_ARGUMENT:
PSA ECC_PUBLIC_KEY(TWISTED_EDWARDS) 448-bit
generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS):448:PSA_ERROR_INVALID_ARGUMENT:
## # skipped because: not implemented: PSA_WANT_ECC_TWISTED_EDWARDS_448
## PSA ECC_PUBLIC_KEY(TWISTED_EDWARDS) 448-bit
## generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS):448:PSA_ERROR_INVALID_ARGUMENT:
# End of automatically generated file.


@ -20,10 +20,28 @@ void import_not_supported(int key_type, data_t *key_material)
PSA_ASSERT(psa_crypto_init());
psa_set_key_type(&attributes, key_type);
TEST_EQUAL(psa_import_key(&attributes,
key_material->x, key_material->len,
&key_id),
PSA_ERROR_NOT_SUPPORTED);
psa_status_t actual_status =
psa_import_key(&attributes, key_material->x, key_material->len, &key_id);
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
if (actual_status == PSA_ERROR_INVALID_ARGUMENT) {
/* Edge case: when importing an ECC public key with an unspecified
* bit-size (as we do here), the implementation of psa_import_key()
* infers the bit-size from the input. If the key type specifies an
* unknown curve, the validation might reject the data as invalid
* before it checks that the curve is supported. If so, that's ok.
* In practice, at the time of writing, this happens with Ed25519,
* for which a valid but unsupported 32-byte input causes
* psa_import_key() to fail because it assumes a Weierstrass curve
* which must have an odd-length encoding.
*
* In other cases, we do not expect an INVALID_ARGUMENT error here. */
TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(key_type));
} else
#endif /* defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) */
{
TEST_EQUAL(actual_status, PSA_ERROR_NOT_SUPPORTED);
}
TEST_ASSERT(mbedtls_svc_key_id_equal(key_id, MBEDTLS_SVC_KEY_ID_INIT));
exit:
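Review bot: The relaxed check in import_not_supported is wider than the edge case its comment describes. The comment is about importing an ECC public key whose bit-size is inferred from the input, but `TEST_ASSERT(PSA_KEY_TYPE_IS_ECC(key_type))` also lets `PSA_ERROR_INVALID_ARGUMENT` pass for ECC key pairs on any curve. That could hide a regression in which an unsupported key-pair type is reported as invalid input instead of `PSA_ERROR_NOT_SUPPORTED`. If key pairs are not expected to take this path, narrow the assertion to `TEST_ASSERT(PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type));`, which also matches the `PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` guard around the branch. The function body starts and ends outside the hunk.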


@ -232,8 +232,8 @@ void sign_fail(int key_type_arg, data_t *key_data,
input, sizeof(input),
output, sizeof(output), &length));
if (!private_only) {
/* Determine a plausible signature size to avoid an INVALID_SIGNATURE
* error based on this. */
/* Construct a signature candidate of a plausible size to avoid an
* INVALID_SIGNATURE error based on an early size verification. */
PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
size_t key_bits = psa_get_key_bits(&attributes);
size_t output_length = sizeof(output);



@ -43,3 +43,24 @@ sign_fail:PSA_KEY_TYPE_AES:"48657265006973206b6579a064617461":PSA_ALG_RSA_PSS(PS
PSA sign RSA_PSS(SHA_256): RSA_PSS not enabled, key pair
depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR
sign_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"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":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_ERROR_NOT_SUPPORTED
# There is a special case with ECDSA: deterministic and randomized ECDSA are
# different signature algorithms that can be enabled independently, but
# the verification algorithms are the same. Mbed TLS supports verification
# of either variant when either variant is enabled. (It would also be correct
# to reject the not-supported algorithm, but it would require a few more lines
# of code.) In the automatically generated test cases, we avoid this difficulty
# by making the not-supported test cases require neither variant to be
# enabled. Here, test the signature operation when one variant is supported
# but not the other. Testing the positive cases for the verification
# operation is the job of test_suite_psa_crypto.
#
# We only test with one curve and one hash, because we know from a gray-box
# approach that the curve and hash don't matter here.
PSA sign DETERMINISTIC_ECDSA(SHA_256): !DETERMINISTIC_ECDSA but ECDSA with ECC_KEY_PAIR(SECP_R1)
depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):1:PSA_ERROR_NOT_SUPPORTED
PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
sign_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"d83b57a59c51358d9c8bbb898aff507f44dd14cf16917190":PSA_ALG_ECDSA(PSA_ALG_SHA_256):1:PSA_ERROR_NOT_SUPPORTED
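Review bot: The description of the last added case does not match the algorithm it exercises. It is titled `PSA sign DETERMINISTIC_ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA ...`, but its `sign_fail` line passes `PSA_ALG_ECDSA(PSA_ALG_SHA_256)` and its dependencies require `!PSA_WANT_ALG_ECDSA`. Retitling it `PSA sign ECDSA(SHA_256): !ECDSA but DETERMINISTIC_ECDSA with ECC_KEY_PAIR(SECP_R1)` would keep the two new cases distinguishable in test reports, since they share the same key material and differ only in the algorithm.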


@ -13,6 +13,19 @@
#include "psa/internal_trusted_storage.h"
#endif
/* Same in library/psa_crypto.c */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
#define BUILTIN_ALG_ANY_HKDF 1
#endif
#if defined(BUILTIN_ALG_ANY_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
defined(PSA_HAVE_SOFT_PBKDF2)
#define AT_LEAST_ONE_BUILTIN_KDF
#endif
/****************************************************************/
/* Test driver helpers */
@ -656,10 +669,8 @@ static int smoke_test_key(mbedtls_svc_key_id_t key)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT;
psa_cipher_operation_t cipher_operation = PSA_CIPHER_OPERATION_INIT;
#if defined(MBEDTLS_SHA256_C)
psa_key_derivation_operation_t derivation_operation =
PSA_KEY_DERIVATION_OPERATION_INIT;
#endif
uint8_t buffer[80]; /* large enough for a public key for ECDH */
size_t length;
mbedtls_svc_key_id_t key2 = MBEDTLS_SVC_KEY_ID_INIT;
@ -714,7 +725,7 @@ static int smoke_test_key(mbedtls_svc_key_id_t key)
buffer, sizeof(buffer), NULL, 0,
buffer, sizeof(buffer), &length));
#if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
/* Try the key in a plain key derivation. */
PSA_ASSERT(psa_key_derivation_setup(&derivation_operation,
PSA_ALG_HKDF(PSA_ALG_SHA_256)));
@ -747,7 +758,9 @@ static int smoke_test_key(mbedtls_svc_key_id_t key)
alg, key, buffer, length,
buffer, sizeof(buffer), &length));
}
#endif /* MBEDTLS_SHA256_C */
#else
(void) derivation_operation;
#endif /* MBEDTLS_SHA256_C && MBEDTLS_PSA_BUILTIN_ALG_HKDF */
ok = 1;
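Review bot: The macros added at the top of the file, `BUILTIN_ALG_ANY_HKDF` and `AT_LEAST_ONE_BUILTIN_KDF`, are documented only as `/* Same in library/psa_crypto.c */`, and nothing in the hunks shown here uses them. The new guard in smoke_test_key() tests `MBEDTLS_PSA_BUILTIN_ALG_HKDF` directly. If they are used elsewhere in the file, the comment should say what they guard and that the two copies must stay in sync, for example `/* Copied from library/psa_crypto.c; keep both definitions in sync. */`. If they are not used, they can be dropped. They are also defined inconsistently, one as `1` and the other with no value. smoke_test_key() starts before and ends after the hunks shown.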


@ -550,7 +550,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE */
/* BEGIN_CASE depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256 */
void mock_sign(int mock_sign_return_value, int expected_result)
{
psa_drv_se_t driver;
@ -611,7 +611,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE */
/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256 */
void mock_verify(int mock_verify_return_value, int expected_result)
{
psa_drv_se_t driver;
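Review bot: The two new `depends_on` lists are asymmetric and nothing explains why. mock_sign requires `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR` together with `PSA_WANT_ALG_ECDSA`, while mock_verify names no key type at all. Both function bodies lie outside these hunks, so the reason cannot be checked here; presumably mock_sign creates an RSA key pair and both functions request an ECDSA algorithm. A one-line comment above each `BEGIN_CASE` stating which key type and algorithm the body uses, and why an RSA key is paired with ECDSA if that is intentional, would stop a later cleanup from changing the dependencies and silently skipping or breaking these cases.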




@ -327,7 +327,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C:MBEDTLS_RSA_C
mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n"
X509 CSR Information RSA with SHA-256, containing commas
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTS_X509_INFO
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
mbedtls_x509_csr_info:"data_files/parse_input/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n"
X509 CSR Information EC with SHA1


@ -800,7 +800,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_x509_dn_gets_subject_replace(char *crt_file,
char *new_subject_ou,
char *result_str,