lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-08 17:42:09 +03:00
Code Activity

Merge remote-tracking branch 'public/development' into development-restricted

Browse Source 
* public/development: (23 commits)
  tests: suite_x509parse: set PSA max operations in x509_verify_restart()
  library: debug: remove mbedtls_debug_printf_ecdh()
  library: debug: make mbedtls_debug_print_psa_ec() static
  Remove call to pk_decrypt() in ssl_server2
  Change hardcoded error values in ssl-opt to take in the PSA error alias
  Test with GCC 15 with sloppy union initialization
  Update crypto with the union initialization fixes
  Mark ssl_tls12_preset_suiteb_sig_algs const
  Mark ssl_tls12_preset_default_sig_algs const
  Use PSA macros for the `pkalgs` domain
  reverted compat-2.x.h removal from psa-transition.md
  Correct ChangeLog file extension
  Add ChangeLog
  remove compat-2.x.h
  Remove trace of secp224k1
  Update submodules
  Improve comments
  Allow gcc-15 to be in $PATH
  Enable drivers when testing with GCC 15
  GCC 15: Silence -Wunterminated-string-initialization
  ...
This commit is contained in:
Manuel Pégourié-Gonnard
2025-05-28 12:41:28 +02:00
parent 235143090b 80b697d78a
commit a4ffc4e4c6
17 changed files with 2039 additions and 258 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
tests/scripts/components-compiler.sh
View File

@@ -73,6 +73,36 @@ support_test_gcc_latest_opt () {
type "$GCC_LATEST" >/dev/null 2>/dev/null
}
# Prepare for a non-regression for https://github.com/Mbed-TLS/mbedtls/issues/9814 :
# test with GCC 15.
# Eventually, $GCC_LATEST will be GCC 15 or above, and we can remove this
# separate component.
# For the time being, we don't make $GCC_LATEST be GCC 15 on the CI
# platform, because that would break branches where #9814 isn't fixed yet.
support_test_gcc15_drivers_opt () {
if type gcc-15 >/dev/null 2>/dev/null; then
GCC_15=gcc-15
elif [ -x /usr/local/gcc-15/bin/gcc-15 ]; then
GCC_15=/usr/local/gcc-15/bin/gcc-15
else
return 1
fi
}
component_test_gcc15_drivers_opt () {
msg "build: GCC 15: full + test drivers dispatching to builtins"
scripts/config.py full
loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_CONFIG_ADJUST_TEST_ACCELERATORS"
loc_cflags="${loc_cflags} -I../framework/tests/include -O2"
# Allow a warning that we don't yet comply to.
# https://github.com/Mbed-TLS/mbedtls/issues/9944
loc_cflags="${loc_cflags} -Wno-error=unterminated-string-initialization"
make CC=$GCC_15 CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
msg "test: GCC 15: full + test drivers dispatching to builtins"
make test
}
component_test_gcc_earliest_opt () {
scripts/config.py full
test_build_opt 'full config' "$GCC_EARLIEST" -O2

99
tests/scripts/depends.py
View File

@@ -281,50 +281,52 @@ REVERSE_DEPENDENCIES = {
'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'],
'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_256': ['MBEDTLS_ECJPAKE_C',
'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE',
'MBEDTLS_ECP_DP_SECP256R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'],
'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'],
'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'],
'MBEDTLS_ECDSA_C': ['MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED',
'PSA_WANT_ALG_ECDSA',
'PSA_WANT_ALG_DETERMINISTIC_ECDSA'],
'MBEDTLS_ECP_C': ['MBEDTLS_ECDSA_C',
'MBEDTLS_ECDH_C', 'PSA_WANT_ALG_ECDH',
'MBEDTLS_ECJPAKE_C',
'MBEDTLS_ECP_RESTARTABLE',
'MBEDTLS_PK_PARSE_EC_EXTENDED',
'MBEDTLS_PK_PARSE_EC_COMPRESSED',
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED',
'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED',
'PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE'],
'MBEDTLS_ECJPAKE_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'PSA_WANT_ALG_JPAKE'],
'MBEDTLS_PKCS1_V21': ['MBEDTLS_X509_RSASSA_PSS_SUPPORT',
'PSA_WANT_ALG_RSA_OAEP',
'PSA_WANT_ALG_RSA_PSS'],
'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
'PSA_WANT_ALG_RSA_PKCS1V15_SIGN'],
'MBEDTLS_RSA_C': ['MBEDTLS_PKCS1_V15',
'MBEDTLS_PKCS1_V21',
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
'PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE'],
'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA',
'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED',
'MBEDTLS_ECDSA_C'],
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC': [
'PSA_WANT_ALG_ECDSA',
'PSA_WANT_ALG_ECDH', 'MBEDTLS_ECDH_C',
'PSA_WANT_ALG_JPAKE',
'PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE',
'MBEDTLS_ECP_RESTARTABLE',
'MBEDTLS_PK_PARSE_EC_EXTENDED',
'MBEDTLS_PK_PARSE_EC_COMPRESSED',
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED',
'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED',
'MBEDTLS_ECP_C'],
'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C',
'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'],
'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS',
'MBEDTLS_X509_RSASSA_PSS_SUPPORT',
'MBEDTLS_PKCS1_V21'],
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN',
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
'MBEDTLS_PKCS1_V15'],
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC': [
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
'PSA_WANT_ALG_RSA_OAEP',
'PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE',
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
'MBEDTLS_RSA_C'],
'MBEDTLS_MD5_C' : ['PSA_WANT_ALG_MD5'],
'MBEDTLS_RIPEMD160_C' : ['PSA_WANT_ALG_RIPEMD160'],
@@ -359,12 +361,10 @@ REVERSE_DEPENDENCIES = {
EXCLUSIVE_GROUPS = {
'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C',
'-MBEDTLS_SSL_TLS_C'],
'PSA_WANT_ECC_MONTGOMERY_448': ['-MBEDTLS_ECDSA_C',
'-MBEDTLS_ECDSA_DETERMINISTIC',
'-MBEDTLS_ECJPAKE_C',],
'PSA_WANT_ECC_MONTGOMERY_255': ['-MBEDTLS_ECDSA_C',
'-MBEDTLS_ECDSA_DETERMINISTIC',
'-MBEDTLS_ECJPAKE_C'],
'PSA_WANT_ECC_MONTGOMERY_448': ['-PSA_WANT_ALG_ECDSA',
'-PSA_WANT_ALG_JPAKE',],
'PSA_WANT_ECC_MONTGOMERY_255': ['-PSA_WANT_ALG_ECDSA',
'-PSA_WANT_ALG_JPAKE'],
'PSA_WANT_KEY_TYPE_ARIA': ['-PSA_WANT_ALG_CMAC',
'-PSA_WANT_ALG_CCM',
'-PSA_WANT_ALG_GCM',
@@ -559,11 +559,12 @@ class DomainData:
'|MBEDTLS_SHA3_'),
# Key exchange types.
'kex': ExclusiveDomain(key_exchange_symbols, build_and_test),
'pkalgs': ComplementaryDomain(['MBEDTLS_ECDSA_C',
'MBEDTLS_ECP_C',
'MBEDTLS_PKCS1_V21',
'MBEDTLS_PKCS1_V15',
'MBEDTLS_RSA_C',
'pkalgs': ComplementaryDomain(['PSA_WANT_ALG_ECDSA',
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC',
'PSA_WANT_ALG_RSA_OAEP',
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC',
'MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
build_and_test),
}

120
tests/ssl-opt.sh
View File

@@ -9412,10 +9412,10 @@ run_test "EC restart: TLS, default" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1" \
0 \
-C "x509_verify_cert.*4b00" \
-C "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-C "mbedtls_pk_sign.*4b00"
-C "x509_verify_cert.*\(4b00\|-248\)" \
-C "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
@@ -9425,10 +9425,10 @@ run_test "EC restart: TLS, max_ops=0" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=0" \
0 \
-C "x509_verify_cert.*4b00" \
-C "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-C "mbedtls_pk_sign.*4b00"
-C "x509_verify_cert.*\(4b00\|-248\)" \
-C "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)"
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
@@ -9438,10 +9438,10 @@ run_test "EC restart: TLS, max_ops=65535" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=65535" \
0 \
-C "x509_verify_cert.*4b00" \
-C "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-C "mbedtls_pk_sign.*4b00"
-C "x509_verify_cert.*\(4b00\|-248\)" \
-C "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)"
# The following test cases for restartable ECDH come in two variants:
# * The "(USE_PSA)" variant expects the current behavior, which is the behavior
@@ -9466,10 +9466,10 @@ run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-c "mbedtls_ecdh_make_public.*4b00" \
-c "mbedtls_pk_sign.*4b00"
-c "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
@@ -9481,10 +9481,10 @@ run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-c "mbedtls_pk_sign.*4b00"
-c "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)"
# This works the same with & without USE_PSA as we never get to ECDH:
# we abort as soon as we determined the cert is bad.
@@ -9498,10 +9498,10 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000" \
1 \
-c "x509_verify_cert.*4b00" \
-C "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-C "mbedtls_pk_sign.*4b00" \
-c "x509_verify_cert.*\(4b00\|-248\)" \
-C "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)" \
-c "! The certificate is not correctly signed by the trusted CA" \
-c "! mbedtls_ssl_handshake returned" \
-c "X509 - Certificate verification failed"
@@ -9518,10 +9518,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000 auth_mode=optional" \
0 \
-c "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-c "mbedtls_ecdh_make_public.*4b00" \
-c "mbedtls_pk_sign.*4b00" \
-c "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" \
-c "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
@@ -9538,10 +9538,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000 auth_mode=optional" \
0 \
-c "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-c "mbedtls_pk_sign.*4b00" \
-c "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" \
-c "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
@@ -9558,10 +9558,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)"
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000 auth_mode=none" \
0 \
-C "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-c "mbedtls_ecdh_make_public.*4b00" \
-c "mbedtls_pk_sign.*4b00" \
-C "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
@@ -9578,10 +9578,10 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000 auth_mode=none" \
0 \
-C "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-c "mbedtls_pk_sign.*4b00" \
-C "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
@@ -9596,10 +9596,10 @@ run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
dtls=1 debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-c "mbedtls_ecdh_make_public.*4b00" \
-c "mbedtls_pk_sign.*4b00"
-c "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
@@ -9611,10 +9611,10 @@ run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
dtls=1 debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-c "mbedtls_pk_sign.*4b00"
-c "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-c "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
@@ -9625,10 +9625,10 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-c "mbedtls_ecdh_make_public.*4b00" \
-C "mbedtls_pk_sign.*4b00"
-c "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-c "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)"
# With USE_PSA enabled we expect only partial restartable behaviour:
@@ -9640,10 +9640,10 @@ run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
debug_level=1 ec_max_ops=1000" \
0 \
-c "x509_verify_cert.*4b00" \
-c "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-C "mbedtls_pk_sign.*4b00"
-c "x509_verify_cert.*\(4b00\|-248\)" \
-c "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)"
# Restartable is only for ECDHE-ECDSA, with another ciphersuite we expect no
# restartable behaviour at all (not even client auth).
@@ -9657,10 +9657,10 @@ run_test "EC restart: TLS, max_ops=1000, ECDHE-RSA" \
key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
debug_level=1 ec_max_ops=1000" \
0 \
-C "x509_verify_cert.*4b00" \
-C "mbedtls_pk_verify.*4b00" \
-C "mbedtls_ecdh_make_public.*4b00" \
-C "mbedtls_pk_sign.*4b00"
-C "x509_verify_cert.*\(4b00\|-248\)" \
-C "mbedtls_pk_verify.*\(4b00\|-248\)" \
-C "mbedtls_ecdh_make_public.*\(4b00\|-248\)" \
-C "mbedtls_pk_sign.*\(4b00\|-248\)"
# Tests of asynchronous private key support in SSL

146
tests/suites/test_suite_x509_oid.data Normal file
View File

@@ -0,0 +1,146 @@
OID get Any Policy certificate policy
oid_get_certificate_policies:"551D2000":"Any Policy"
OID get certificate policy invalid oid
oid_get_certificate_policies:"5533445566":""
OID get certificate policy wrong oid - id-ce-authorityKeyIdentifier
oid_get_certificate_policies:"551D23":""
OID get Ext Key Usage - id-kp-serverAuth
oid_get_extended_key_usage:"2B06010505070301":"TLS Web Server Authentication"
OID get Ext Key Usage - id-kp-clientAuth
oid_get_extended_key_usage:"2B06010505070302":"TLS Web Client Authentication"
OID get Ext Key Usage - id-kp-codeSigning
oid_get_extended_key_usage:"2B06010505070303":"Code Signing"
OID get Ext Key Usage - id-kp-emailProtection
oid_get_extended_key_usage:"2B06010505070304":"E-mail Protection"
OID get Ext Key Usage - id-kp-timeStamping
oid_get_extended_key_usage:"2B06010505070308":"Time Stamping"
OID get Ext Key Usage - id-kp-OCSPSigning
oid_get_extended_key_usage:"2B06010505070309":"OCSP Signing"
OID get Ext Key Usage - id-kp-wisun-fan-device
oid_get_extended_key_usage:"2B0601040182E42501":"Wi-SUN Alliance Field Area Network (FAN)"
OID get Ext Key Usage invalid oid
oid_get_extended_key_usage:"5533445566":""
OID get Ext Key Usage wrong oid - id-ce-authorityKeyIdentifier
oid_get_extended_key_usage:"551D23":""
OID get x509 extension - id-ce-basicConstraints
oid_get_x509_extension:"551D13":MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS
OID get x509 extension - id-ce-keyUsage
oid_get_x509_extension:"551D0F":MBEDTLS_OID_X509_EXT_KEY_USAGE
OID get x509 extension - id-ce-extKeyUsage
oid_get_x509_extension:"551D25":MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE
OID get x509 extension - id-ce-subjectAltName
oid_get_x509_extension:"551D11":MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME
OID get x509 extension - id-netscape-certtype
oid_get_x509_extension:"6086480186F8420101":MBEDTLS_OID_X509_EXT_NS_CERT_TYPE
OID get x509 extension - id-ce-certificatePolicies
oid_get_x509_extension:"551D20":MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES
OID get x509 extension - invalid oid
oid_get_x509_extension:"5533445566":0
OID get x509 extension - wrong oid - id-ce
oid_get_x509_extension:"551D":0
OID hash id - id-md5
depends_on:PSA_WANT_ALG_MD5
oid_get_md_alg_id:"2A864886f70d0205":MBEDTLS_MD_MD5
OID hash id - id-sha1
depends_on:PSA_WANT_ALG_SHA_1
oid_get_md_alg_id:"2b0e03021a":MBEDTLS_MD_SHA1
OID hash id - id-sha224
depends_on:PSA_WANT_ALG_SHA_224
oid_get_md_alg_id:"608648016503040204":MBEDTLS_MD_SHA224
OID hash id - id-sha256
depends_on:PSA_WANT_ALG_SHA_256
oid_get_md_alg_id:"608648016503040201":MBEDTLS_MD_SHA256
OID hash id - id-sha384
depends_on:PSA_WANT_ALG_SHA_384
oid_get_md_alg_id:"608648016503040202":MBEDTLS_MD_SHA384
OID hash id - id-sha512
depends_on:PSA_WANT_ALG_SHA_512
oid_get_md_alg_id:"608648016503040203":MBEDTLS_MD_SHA512
OID hash id - id-sha3-224
depends_on:PSA_WANT_ALG_SHA3_224
oid_get_md_alg_id:"608648016503040207":MBEDTLS_MD_SHA3_224
OID hash id - id-sha3-256
depends_on:PSA_WANT_ALG_SHA3_256
oid_get_md_alg_id:"608648016503040208":MBEDTLS_MD_SHA3_256
OID hash id - id-sha3-384
depends_on:PSA_WANT_ALG_SHA3_384
oid_get_md_alg_id:"608648016503040209":MBEDTLS_MD_SHA3_384
OID hash id - id-sha3-512
depends_on:PSA_WANT_ALG_SHA3_512
oid_get_md_alg_id:"60864801650304020a":MBEDTLS_MD_SHA3_512
OID hash id - id-ripemd160
depends_on:PSA_WANT_ALG_RIPEMD160
oid_get_md_alg_id:"2b24030201":MBEDTLS_MD_RIPEMD160
OID hash id - invalid oid
oid_get_md_alg_id:"2B864886f70d0204":-1
mbedtls_oid_get_md_hmac - RIPEMD160
depends_on:PSA_WANT_ALG_RIPEMD160
mbedtls_oid_get_md_hmac:"2B06010505080104":MBEDTLS_MD_RIPEMD160
mbedtls_oid_get_md_hmac - SHA1
depends_on:PSA_WANT_ALG_SHA_1
mbedtls_oid_get_md_hmac:"2A864886F70D0207":MBEDTLS_MD_SHA1
mbedtls_oid_get_md_hmac - SHA224
depends_on:PSA_WANT_ALG_SHA_224
mbedtls_oid_get_md_hmac:"2A864886F70D0208":MBEDTLS_MD_SHA224
mbedtls_oid_get_md_hmac - SHA256
depends_on:PSA_WANT_ALG_SHA_256
mbedtls_oid_get_md_hmac:"2A864886F70D0209":MBEDTLS_MD_SHA256
mbedtls_oid_get_md_hmac - SHA384
depends_on:PSA_WANT_ALG_SHA_384
mbedtls_oid_get_md_hmac:"2A864886F70D020A":MBEDTLS_MD_SHA384
mbedtls_oid_get_md_hmac - SHA512
depends_on:PSA_WANT_ALG_SHA_512
mbedtls_oid_get_md_hmac:"2A864886F70D020B":MBEDTLS_MD_SHA512
mbedtls_oid_get_md_hmac - SHA3_224
depends_on:PSA_WANT_ALG_SHA3_224
mbedtls_oid_get_md_hmac:"60864801650304020D":MBEDTLS_MD_SHA3_224
mbedtls_oid_get_md_hmac - SHA3_256
depends_on:PSA_WANT_ALG_SHA3_256
mbedtls_oid_get_md_hmac:"60864801650304020E":MBEDTLS_MD_SHA3_256
mbedtls_oid_get_md_hmac - SHA3_384
depends_on:PSA_WANT_ALG_SHA3_384
mbedtls_oid_get_md_hmac:"60864801650304020F":MBEDTLS_MD_SHA3_384
mbedtls_oid_get_md_hmac - SHA3_512
depends_on:PSA_WANT_ALG_SHA3_512
mbedtls_oid_get_md_hmac:"608648016503040210":MBEDTLS_MD_SHA3_512

120
tests/suites/test_suite_x509_oid.function Normal file
View File

@@ -0,0 +1,120 @@
/* BEGIN_HEADER */
#include "mbedtls/oid.h"
#include "mbedtls/asn1.h"
#include "mbedtls/asn1write.h"
#include "string.h"
/* END_HEADER */
/* BEGIN_DEPENDENCIES
* depends_on:MBEDTLS_OID_C:!MBEDTLS_X509_REMOVE_INFO
* END_DEPENDENCIES
*/
/* BEGIN_CASE */
void oid_get_certificate_policies(data_t *oid, char *result_str)
{
mbedtls_asn1_buf asn1_buf = { 0, 0, NULL };
int ret;
const char *desc;
asn1_buf.tag = MBEDTLS_ASN1_OID;
asn1_buf.p = oid->x;
asn1_buf.len = oid->len;
ret = mbedtls_oid_get_certificate_policies(&asn1_buf, &desc);
if (strlen(result_str) == 0) {
TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
} else {
TEST_ASSERT(ret == 0);
TEST_ASSERT(strcmp((char *) desc, result_str) == 0);
}
}
/* END_CASE */
/* BEGIN_CASE */
void oid_get_extended_key_usage(data_t *oid, char *result_str)
{
mbedtls_asn1_buf asn1_buf = { 0, 0, NULL };
int ret;
const char *desc;
asn1_buf.tag = MBEDTLS_ASN1_OID;
asn1_buf.p = oid->x;
asn1_buf.len = oid->len;
ret = mbedtls_oid_get_extended_key_usage(&asn1_buf, &desc);
if (strlen(result_str) == 0) {
TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
} else {
TEST_ASSERT(ret == 0);
TEST_ASSERT(strcmp((char *) desc, result_str) == 0);
}
}
/* END_CASE */
/* BEGIN_CASE */
void oid_get_x509_extension(data_t *oid, int exp_type)
{
mbedtls_asn1_buf ext_oid = { 0, 0, NULL };
int ret;
int ext_type;
ext_oid.tag = MBEDTLS_ASN1_OID;
ext_oid.p = oid->x;
ext_oid.len = oid->len;
ret = mbedtls_oid_get_x509_ext_type(&ext_oid, &ext_type);
if (exp_type == 0) {
TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
} else {
TEST_ASSERT(ret == 0);
TEST_ASSERT(ext_type == exp_type);
}
}
/* END_CASE */
/* BEGIN_CASE */
void oid_get_md_alg_id(data_t *oid, int exp_md_id)
{
mbedtls_asn1_buf md_oid = { 0, 0, NULL };
int ret;
mbedtls_md_type_t md_id = 0;
md_oid.tag = MBEDTLS_ASN1_OID;
md_oid.p = oid->x;
md_oid.len = oid->len;
ret = mbedtls_oid_get_md_alg(&md_oid, &md_id);
if (exp_md_id < 0) {
TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
TEST_ASSERT(md_id == 0);
} else {
TEST_ASSERT(ret == 0);
TEST_ASSERT((mbedtls_md_type_t) exp_md_id == md_id);
}
}
/* END_CASE */
/* BEGIN_CASE */
void mbedtls_oid_get_md_hmac(data_t *oid, int exp_md_id)
{
mbedtls_asn1_buf md_oid = { 0, 0, NULL };
int ret;
mbedtls_md_type_t md_id = 0;
md_oid.tag = MBEDTLS_ASN1_OID;
md_oid.p = oid->x;
md_oid.len = oid->len;
ret = mbedtls_oid_get_md_hmac(&md_oid, &md_id);
if (exp_md_id < 0) {
TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND);
TEST_ASSERT(md_id == 0);
} else {
TEST_ASSERT(ret == 0);
TEST_ASSERT((mbedtls_md_type_t) exp_md_id == md_id);
}
}
/* END_CASE */

1
tests/suites/test_suite_x509parse.function
View File

@@ -679,6 +679,7 @@ void x509_verify_restart(char *crt_file, char *ca_file,
TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0);
TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0);
psa_interruptible_set_max_ops(max_ops);
mbedtls_ecp_set_max_ops(max_ops);
cnt_restart = 0;