On the CI, the git version when running on
Ubuntu 16.04 is 2.7 and it does not support
the "--recurse-submodules" option of
"git ls-files" thus do not use it.
Another argument to not use it is that
when TF-PSA-Crypto will be a submodule of
mbedtls we will not want check_files.py to
check the TF-PSA-Crypto files as well.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
- rewrite output file (do not append)
- remove useless "os" import
- move pylint for main() function
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
With the robustness fix:
`PASSED (125 suites, 26639 tests run)`
Without the robustness fix:
`FAILED (125 suites, 26639 tests run)`
Signed-off-by: Andre Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Andre Goddard Rosa <agoddardrosa@roku.com>
When trying to decrypt data with an invalid key, we found that `mbedtls`
returned `0x6200` (`-25088`), which means "_CIPHER - Input data contains
invalid padding and is rejected_" from `mbedtls_cipher_finish`, but it also
set the output len as `18446744073709551516`.
In case we detect an error with padding, we leave the output len zero'ed
and return `MBEDTLS_ERR_CIPHER_INVALID_PADDING`. I believe that the current
test cases are sufficient, as they fail if I return the alternative code
`MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA`, so they do already expect a padding
failure, but now we don't change the output len in the error case.
Here's a reference for the way `openssl` checks the padding length:
- 1848c561ec/crypto/evp/evp_enc.c (L1023)
- b554eef43b
Signed-off-by: Andre Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Andre Goddard Rosa <agoddardrosa@roku.com>
This allows many tests to pass with the system openssl and gnutls-*. As
before, not all test cases will pass due to differences between versions and
build options.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some OpenSSL or GnuTLS interoperability test cases fail if the other
implementation is recent enough to support TLS 1.3. Force those test cases
to use TLS 1.2 so that the script works with more recent $OPENSSL or
$GNUTLS_CLI or $GNUTLS_SERV than our official CI versions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This should be CRYPTO_CLIENT and not CRYPTO_C as this function
can be used even when CRYPTO_C is not defined.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
A bug existed previously where this guarantee was not met,
causing some issues in multi-threaded code.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
If psa_get_and_lock_key_slot fails, the slot must be wiped.
This fixes a bug where a pointer to some valid key slot can
be incorrectly returned
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
- Embed input arguments inside the script so as to simplify the
calls in Makefiles/CMakeLists.
- add a new "--list-dependencies" command line option to print
out the list of dependencies.
- Modify tests/Makefile accordinlgy.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
ssl-opt.sh uses a 3-byte PSK in many test cases. Unfortunately GnuTLS >=3.4.0
rejects a PSK that is less than 4 bytes long:
> Error setting the PSK credentials: The request is invalid.
Use a longer PSK throughout ssl-opt. Only the test cases involving GnuTLS
need to change, but it's easier to do a global search-and-replace, and it's
easier to not have to worry about mismatches in constructed test cases
later, so replace everything.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When given a PSK key but no username, gnutls-cli prompts for a password.
Prevent that by passing --pskusername with the same identity that
ssl_server2 uses by default.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
