Merge changes to config examples and configuration issues
diff --git a/ChangeLog b/ChangeLog
index 3ca702d..a16a948 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,8 @@
* Support for parsing and verifying RSASSA-PSS signatures in the X.509
modules (certificates, CRLs and CSRs).
* Blowfish in the cipher layer now supports variable length keys.
+ * Add example config.h for PSK with CCM, optimized for low RAM usage.
+ * Optimize for RAM usage in example config.h for NSA Suite B profile.
Changes
* Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
new file mode 100644
index 0000000..f425391
--- /dev/null
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -0,0 +1,55 @@
+/*
+ * Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
+ * Distinguishing features:
+ * - no bignum, no PK, no X509
+ * - fully modern and secure (provided the pre-shared keys have high entropy)
+ * - very low record overhead if using the CCM-8 suites
+ * - optimized for low RAM usage
+ *
+ * See README.txt for usage instructions.
+ */
+#ifndef POLARSSL_CONFIG_H
+#define POLARSSL_CONFIG_H
+
+/* System support */
+//#define POLARSSL_HAVE_IPV6 /* Optional */
+//#define POLARSSL_HAVE_TIME /* Optionnaly used in Hello messages */
+/* Other POLARSSL_HAVE_XXX flags irrelevant for this configuration */
+
+/* PolarSSL feature support */
+#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED
+#define POLARSSL_SSL_PROTO_TLS1_2
+
+/* PolarSSL modules */
+#define POLARSSL_AES_C
+#define POLARSSL_CCM_C
+#define POLARSSL_CIPHER_C
+#define POLARSSL_CTR_DRBG_C
+#define POLARSSL_ENTROPY_C
+#define POLARSSL_MD_C
+#define POLARSSL_NET_C
+#define POLARSSL_SHA256_C
+#define POLARSSL_SSL_CLI_C
+#define POLARSSL_SSL_SRV_C
+#define POLARSSL_SSL_TLS_C
+
+/* Save RAM at the expense of ROM */
+#define POLARSSL_AES_ROM_TABLES
+
+/*
+ * You should adjust this to the exact number of sources you're using: default
+ * is the "platform_entropy_poll" source, but you may want to add other ones
+ * Minimum is 2 for the entropy test suite.
+ */
+#define ENTROPY_MAX_SOURCES 2
+
+/*
+ * Save RAM at the expense of interoperability: do this only if you control
+ * both ends of the connection! (See coments in "polarssl/ssl.h".)
+ * The optimal size here depends on the typical size of records.
+ */
+#define SSL_MAX_CONTENT_LEN 512
+
+#include "check_config.h"
+
+#endif /* POLARSSL_CONFIG_H */
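Review bot: The header comment's "fully modern and secure" line should carry two caveats that follow from what this file enables. Only `POLARSSL_KEY_EXCHANGE_PSK_ENABLED` is defined, so sessions have no forward secrecy: a later leak of the pre-shared key exposes previously recorded traffic. The CCM-8 suites it recommends for low record overhead use an 8-byte authentication tag, which lowers forgery resistance compared with the full-tag suites. I would add `* - no forward secrecy (plain PSK); CCM-8 suites use a truncated 8-byte tag` to the feature list. Separately, "Optionnaly" and "coments" are misspelled here and again in config-psk-rc4-tls1_0.h and config-suite-b.h.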
diff --git a/configs/config-picocoin.h b/configs/config-picocoin.h
new file mode 100644
index 0000000..eeac5d0
--- /dev/null
+++ b/configs/config-picocoin.h
@@ -0,0 +1,53 @@
+/*
+ * Reduced configuration used by Picocoin.
+ *
+ * See README.txt for usage instructions.
+ *
+ * Distinguishing features:
+ * - no SSL/TLS;
+ * - no X.509;
+ * - ECDSA/PK and some other chosen crypto bits.
+ */
+
+#ifndef POLARSSL_CONFIG_H
+#define POLARSSL_CONFIG_H
+
+/* System support */
+#define POLARSSL_HAVE_LONGLONG
+#define POLARSSL_HAVE_ASM
+#define POLARSSL_HAVE_TIME
+#define POLARSSL_HAVE_IPV6
+
+/* PolarSSL feature support */
+#define POLARSSL_CIPHER_MODE_CBC
+#define POLARSSL_CIPHER_PADDING_PKCS7
+#define POLARSSL_ECP_DP_SECP256K1_ENABLED
+#define POLARSSL_ECDSA_DETERMINISTIC
+#define POLARSSL_PK_PARSE_EC_EXTENDED
+#define POLARSSL_ERROR_STRERROR_DUMMY
+#define POLARSSL_FS_IO
+
+/* PolarSSL modules */
+#define POLARSSL_AESNI_C
+#define POLARSSL_AES_C
+#define POLARSSL_ASN1_PARSE_C
+#define POLARSSL_ASN1_WRITE_C
+#define POLARSSL_BASE64_C
+#define POLARSSL_BIGNUM_C
+#define POLARSSL_ECDSA_C
+#define POLARSSL_ECP_C
+#define POLARSSL_ENTROPY_C
+#define POLARSSL_HMAC_DRBG_C
+#define POLARSSL_MD_C
+#define POLARSSL_OID_C
+#define POLARSSL_PADLOCK_C
+#define POLARSSL_PK_C
+#define POLARSSL_PK_PARSE_C
+#define POLARSSL_PK_WRITE_C
+#define POLARSSL_RIPEMD160_C
+#define POLARSSL_SHA1_C
+#define POLARSSL_SHA256_C
+
+#include "check_config.h"
+
+#endif /* POLARSSL_CONFIG_H */
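Review bot: The module list enables `POLARSSL_SHA1_C` and `POLARSSL_RIPEMD160_C` without saying why, so a reader auditing this config cannot tell whether these legacy hashes back signatures or are there only because the application's data formats require them. If it is the latter, a one-line comment such as `/* SHA-1 and RIPEMD-160: required by the application's data formats only */` would settle it. `POLARSSL_HAVE_IPV6` also looks unnecessary here, since `POLARSSL_NET_C` is not enabled and the sibling PSK config treats the `POLARSSL_HAVE_XXX` flags as optional.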
diff --git a/configs/config-psk-rc4-tls1_0.h b/configs/config-psk-rc4-tls1_0.h
index 99942a6..c967b4c 100644
--- a/configs/config-psk-rc4-tls1_0.h
+++ b/configs/config-psk-rc4-tls1_0.h
@@ -2,15 +2,19 @@
* Custom compact configuration for TLS 1.0 with PSK and RC4
* Distinguishing features: no bignum, no PK, no X509.
*
+ * WARNING: RC4 is in the process of being deprecated!
+ * This configuration is kept for testing purposes only, DO NOT USE it!
+ * For a safe and lean PSK-based configuration, see config-ccm-psk-tls1_2.h
+ *
* See README.txt for usage instructions.
*/
-
#ifndef POLARSSL_CONFIG_H
#define POLARSSL_CONFIG_H
/* System support */
-#define POLARSSL_HAVE_TIME
-#define POLARSSL_HAVE_IPV6
+//#define POLARSSL_HAVE_IPV6 /* Optional */
+//#define POLARSSL_HAVE_TIME /* Optionnaly used in Hello messages */
+/* Other POLARSSL_HAVE_XXX flags irrelevant for this configuration */
/* PolarSSL feature support */
#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED
@@ -19,15 +23,12 @@
/* PolarSSL modules */
#define POLARSSL_AES_C
#define POLARSSL_ARC4_C
-#define POLARSSL_ASN1_PARSE_C
-#define POLARSSL_ASN1_WRITE_C
#define POLARSSL_CIPHER_C
#define POLARSSL_CTR_DRBG_C
#define POLARSSL_ENTROPY_C
#define POLARSSL_MD_C
#define POLARSSL_MD5_C
#define POLARSSL_NET_C
-#define POLARSSL_OID_C
#define POLARSSL_SHA1_C
#define POLARSSL_SHA256_C
#define POLARSSL_SSL_CLI_C
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index bac71e9..d10cf63 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -1,6 +1,14 @@
/*
* Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
*
+ * Distinguishing features:
+ * - no RSA or classic DH, fully based on ECC
+ * - optimized for low RAM usage
+ *
+ * Possible improvements:
+ * - if 128-bit security is enough, disable secp384r1 and SHA-512
+ * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
+ *
* See README.txt for usage instructions.
*/
@@ -48,8 +56,34 @@
#define POLARSSL_CERTS_C
#define POLARSSL_PEM_PARSE_C
-/* For testing with compat.sh */
-#define POLARSSL_FS_IO
+/* Save RAM at the expense of ROM */
+#define POLARSSL_AES_ROM_TABLES
+
+/* Save RAM by adjusting to our exact needs */
+#define POLARSSL_ECP_MAX_BITS 384
+#define POLARSSL_MPI_MAX_SIZE 48 // 384 bits is 48 bytes
+
+/* Save RAM at the expense of speed, see ecp.h */
+#define POLARSSL_ECP_WINDOW_SIZE 2
+#define POLARSSL_ECP_FIXED_POINT_OPTIM 0
+
+/* Uncomment for a significant speed benefit at the expense of some ROM */
+//#define POLARSSL_ECP_NIST_OPTIM
+
+/*
+ * You should adjust this to the exact number of sources you're using: default
+ * is the "platform_entropy_poll" source, but you may want to add other ones.
+ * Minimum is 2 for the entropy test suite.
+ */
+#define ENTROPY_MAX_SOURCES 2
+
+/*
+ * Save RAM at the expense of interoperability: do this only if you control
+ * both ends of the connection! (See coments in "polarssl/ssl.h".)
+ * The minimum size here depends on the certificate chain used as well as the
+ * typical size of records.
+ */
+#define SSL_MAX_CONTENT_LEN 1024
#include "polarssl/check_config.h"
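Review bot: `POLARSSL_ECP_MAX_BITS 384` and `POLARSSL_MPI_MAX_SIZE 48` leave no headroom and are only right while secp384r1 is the largest enabled curve, but nothing next to them says so. The curve list is outside this hunk, so I cannot confirm that check_config.h would catch a mismatch; a comment such as `/* Both values must cover the largest enabled curve; raise them together if a larger curve is added */` would make the coupling explicit. The `SSL_MAX_CONTENT_LEN 1024` comment could also state what an integrator will observe when the peer's certificate chain does not fit (presumably a handshake failure), since that is the first symptom they will hit.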
diff --git a/include/polarssl/cipher.h b/include/polarssl/cipher.h
index 5153461..84993f7 100644
--- a/include/polarssl/cipher.h
+++ b/include/polarssl/cipher.h
@@ -36,7 +36,7 @@
#include POLARSSL_CONFIG_FILE
#endif
-#if defined(POLARSSL_GCM_C)
+#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
#define POLARSSL_CIPHER_MODE_AEAD
#endif
@@ -534,25 +534,21 @@
*/
int cipher_reset( cipher_context_t *ctx );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
/**
* \brief Add additional data (for AEAD ciphers).
- * This function has no effect for non-AEAD ciphers.
- * For AEAD ciphers, it may or may not be called
- * repeatedly, and/or interleaved with calls to
- * cipher_udpate(), depending on the cipher.
- * E.g. for GCM is must be called exactly once, right
- * after cipher_reset().
+ * Currently only supported with GCM.
+ * Must be called exactly once, after cipher_reset().
*
* \param ctx generic cipher context
* \param ad Additional data to use.
* \param ad_len Length of ad.
*
- * \returns 0 on success, or a specific error code.
+ * \return 0 on success, or a specific error code.
*/
int cipher_update_ad( cipher_context_t *ctx,
const unsigned char *ad, size_t ad_len );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif /* POLARSSL_GCM_C */
/**
* \brief Generic cipher update function. Encrypts/decrypts
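Review bot: `cipher_update_ad()` is now declared only under `POLARSSL_GCM_C`, while the first hunk of this file makes `POLARSSL_CIPHER_MODE_AEAD` defined for CCM-only builds as well, so application code that guards its calls with `#if defined(POLARSSL_CIPHER_MODE_AEAD)` will fail to build in a CCM-only configuration. The same applies to `cipher_write_tag()` and `cipher_check_tag()` in the later hunks. The Doxygen text should say which macro callers must test, for example `* Only available when POLARSSL_GCM_C is defined; POLARSSL_CIPHER_MODE_AEAD alone does not imply it.`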
@@ -606,10 +602,10 @@
int cipher_finish( cipher_context_t *ctx,
unsigned char *output, size_t *olen );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
/**
* \brief Write tag for AEAD ciphers.
- * No effect for other ciphers.
+ * Currently only supported with GCM.
* Must be called after cipher_finish().
*
* \param ctx Generic cipher context
@@ -623,9 +619,8 @@
/**
* \brief Check tag for AEAD ciphers.
- * No effect for other ciphers.
- * Calling time depends on the cipher:
- * for GCM, must be called after cipher_finish().
+ * Currently only supported with GCM.
+ * Must be called after cipher_finish().
*
* \param ctx Generic cipher context
* \param tag Buffer holding the tag
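Review bot: Dropping "No effect for other ciphers" removes the only hint that `cipher_check_tag()` returns 0 for non-GCM modes without verifying anything; in library/cipher.c the function still falls through to `return( 0 )` after the GCM branch. A caller who reads "Check tag for AEAD ciphers" and gets 0 back may take that as an authenticated result. The cipher test suite in this commit appears to expect 0 from this call, so changing the return value is probably out of scope here. The contract should still be documented, e.g. `* For non-GCM modes this returns 0 without checking anything.` The same wording is needed on `cipher_write_tag()` in the previous hunk.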
@@ -635,7 +630,7 @@
*/
int cipher_check_tag( cipher_context_t *ctx,
const unsigned char *tag, size_t tag_len );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif /* POLARSSL_GCM_C */
/**
* \brief Generic all-in-one encryption/decryption
diff --git a/library/cipher.c b/library/cipher.c
index 558c4b3..16acd80 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -234,24 +234,22 @@
return( 0 );
}
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
int cipher_update_ad( cipher_context_t *ctx,
const unsigned char *ad, size_t ad_len )
{
if( NULL == ctx || NULL == ctx->cipher_info )
return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
-#if defined(POLARSSL_GCM_C)
if( POLARSSL_MODE_GCM == ctx->cipher_info->mode )
{
return gcm_starts( (gcm_context *) ctx->cipher_ctx, ctx->operation,
ctx->iv, ctx->iv_size, ad, ad_len );
}
-#endif
return( 0 );
}
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif /* POLARSSL_GCM_C */
int cipher_update( cipher_context_t *ctx, const unsigned char *input,
size_t ilen, unsigned char *output, size_t *olen )
@@ -724,7 +722,7 @@
}
#endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
int cipher_write_tag( cipher_context_t *ctx,
unsigned char *tag, size_t tag_len )
{
@@ -734,10 +732,8 @@
if( POLARSSL_ENCRYPT != ctx->operation )
return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
-#if defined(POLARSSL_GCM_C)
if( POLARSSL_MODE_GCM == ctx->cipher_info->mode )
return gcm_finish( (gcm_context *) ctx->cipher_ctx, tag, tag_len );
-#endif
return( 0 );
}
@@ -753,7 +749,6 @@
return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
}
-#if defined(POLARSSL_GCM_C)
if( POLARSSL_MODE_GCM == ctx->cipher_info->mode )
{
unsigned char check_tag[16];
@@ -778,11 +773,10 @@
return( 0 );
}
-#endif /* POLARSSL_GCM_C */
return( 0 );
}
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif /* POLARSSL_GCM_C */
/*
* Packet-oriented wrapper for non-AEAD modes
diff --git a/library/pkparse.c b/library/pkparse.c
index 3c8063f..29217a2 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -62,12 +62,12 @@
#define polarssl_free free
#endif
+#if defined(POLARSSL_FS_IO)
/* Implementation that should never be optimized out by the compiler */
static void polarssl_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
-#if defined(POLARSSL_FS_IO)
/*
* Load all data from a file into a given buffer.
*/
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 2db5314..7463353 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1105,23 +1105,23 @@
#endif /* POLARSSL_SHA1_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_CCM_C)
- { TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
- POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
+ { TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
+ POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
- { TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
- POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
+ { TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
+ POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
- { TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
- POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
+ { TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
+ POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
- { TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
- POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
+ { TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
+ POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
@@ -1241,23 +1241,23 @@
#endif /* POLARSSL_SHA1_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_CCM_C)
- { TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
- POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
+ { TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
+ POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
- { TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
- POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
+ { TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
+ POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
- { TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
- POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
+ { TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
+ POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
- { TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
- POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
+ { TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
+ POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d3096ab..035cf39 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -148,8 +148,10 @@
size_t *olen )
{
unsigned char *p = buf;
- unsigned char *sig_alg_list = buf + 6;
size_t sig_alg_len = 0;
+#if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)
+ unsigned char *sig_alg_list = buf + 6;
+#endif
*olen = 0;
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index c35736f..983b64e 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -63,8 +63,13 @@
#define DFL_FILENAME "keyfile.key"
#define DFL_DEBUG_LEVEL 0
#define DFL_OUTPUT_MODE OUTPUT_MODE_NONE
+#if defined(POLARSSL_PEM_WRITE_C)
#define DFL_OUTPUT_FILENAME "keyfile.pem"
#define DFL_OUTPUT_FORMAT OUTPUT_FORMAT_PEM
+#else
+#define DFL_OUTPUT_FILENAME "keyfile.der"
+#define DFL_OUTPUT_FORMAT OUTPUT_FORMAT_DER
+#endif
/*
* global options
@@ -88,6 +93,7 @@
memset(output_buf, 0, 16000);
+#if defined(POLARSSL_PEM_WRITE_C)
if( opt.output_format == OUTPUT_FORMAT_PEM )
{
if( ( ret = pk_write_pubkey_pem( key, output_buf, 16000 ) ) != 0 )
@@ -96,6 +102,7 @@
len = strlen( (char *) output_buf );
}
else
+#endif
{
if( ( ret = pk_write_pubkey_der( key, output_buf, 16000 ) ) < 0 )
return( ret );
@@ -127,6 +134,8 @@
size_t len = 0;
memset(output_buf, 0, 16000);
+
+#if defined(POLARSSL_PEM_WRITE_C)
if( opt.output_format == OUTPUT_FORMAT_PEM )
{
if( ( ret = pk_write_key_pem( key, output_buf, 16000 ) ) != 0 )
@@ -135,6 +144,7 @@
len = strlen( (char *) output_buf );
}
else
+#endif
{
if( ( ret = pk_write_key_der( key, output_buf, 16000 ) ) < 0 )
return( ret );
@@ -157,14 +167,23 @@
return( 0 );
}
+#if defined(POLARSSL_PEM_WRITE_C)
+#define USAGE_OUT \
+ " output_file=%%s default: keyfile.pem\n" \
+ " output_format=pem|der default: pem\n"
+#else
+#define USAGE_OUT \
+ " output_file=%%s default: keyfile.der\n" \
+ " output_format=der default: der\n"
+#endif
+
#define USAGE \
"\n usage: key_app param=<>...\n" \
"\n acceptable parameters:\n" \
" mode=private|public default: none\n" \
" filename=%%s default: keyfile.key\n" \
" output_mode=private|public default: none\n" \
- " output_file=%%s default: keyfile.pem\n" \
- " output_format=pem|der default: pem\n" \
+ USAGE_OUT \
"\n"
int main( int argc, char *argv[] )
@@ -222,9 +241,12 @@
}
else if( strcmp( p, "output_format" ) == 0 )
{
+#if defined(POLARSSL_PEM_WRITE_C)
if( strcmp( q, "pem" ) == 0 )
opt.output_format = OUTPUT_FORMAT_PEM;
- else if( strcmp( q, "der" ) == 0 )
+ else
+#endif
+ if( strcmp( q, "der" ) == 0 )
opt.output_format = OUTPUT_FORMAT_DER;
else
goto usage;
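Review bot: The `else` / `#endif` / `if` sequence leaves an `else` whose body sits on the far side of a preprocessor line, which is easy to break when someone edits either branch. Testing `der` first keeps an ordinary chain: put `if( strcmp( q, "der" ) == 0 )` ahead of the guard and make the PEM test `else if( strcmp( q, "pem" ) == 0 )` inside `#if defined(POLARSSL_PEM_WRITE_C)`. The same `else` followed by `#endif` pattern precedes the DER blocks in the two key-writing hunks above, where a short comment on the `#endif` would at least flag it. The enclosing option-parsing block starts and ends outside this hunk.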
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 280ef3d..3af54f9 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -29,6 +29,22 @@
#include POLARSSL_CONFIG_FILE
#endif
+#if !defined(POLARSSL_ENTROPY_C) || \
+ !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_CLI_C) || \
+ !defined(POLARSSL_NET_C) || !defined(POLARSSL_CTR_DRBG_C)
+#include <stdio.h>
+int main( int argc, char *argv[] )
+{
+ ((void) argc);
+ ((void) argv);
+
+ printf("POLARSSL_ENTROPY_C and/or "
+ "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_CLI_C and/or "
+ "POLARSSL_NET_C and/or POLARSSL_CTR_DRBG_C not defined.\n");
+ return( 0 );
+}
+#else
+
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
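Review bot: The `#else` added here opens a region whose `#endif` is outside the hunk (presumably at the end of the file); a trailing comment, `#else /* required modules present */`, would make that pairing easier to follow. The stub `main()` also returns 0 after reporting that required modules are missing, so a script that runs the binary cannot tell a disabled build from a successful run. If that is intentional for the reference-config builds, a one-line comment saying so would help. programs/ssl/ssl_server2.c adds the same stub.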
@@ -304,20 +320,6 @@
" force_ciphersuite=<name> default: all enabled\n"\
" acceptable ciphersuite names:\n"
-#if !defined(POLARSSL_ENTROPY_C) || \
- !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_CLI_C) || \
- !defined(POLARSSL_NET_C) || !defined(POLARSSL_CTR_DRBG_C)
-int main( int argc, char *argv[] )
-{
- ((void) argc);
- ((void) argv);
-
- printf("POLARSSL_ENTROPY_C and/or "
- "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_CLI_C and/or "
- "POLARSSL_NET_C and/or POLARSSL_CTR_DRBG_C not defined.\n");
- return( 0 );
-}
-#else
int main( int argc, char *argv[] )
{
int ret = 0, len, server_fd, i, written, frags;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d617b3d..d5f01bc 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -29,6 +29,22 @@
#include POLARSSL_CONFIG_FILE
#endif
+#if !defined(POLARSSL_ENTROPY_C) || \
+ !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_SRV_C) || \
+ !defined(POLARSSL_NET_C) || !defined(POLARSSL_CTR_DRBG_C)
+#include <stdio.h>
+int main( int argc, char *argv[] )
+{
+ ((void) argc);
+ ((void) argv);
+
+ printf("POLARSSL_ENTROPY_C and/or "
+ "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_SRV_C and/or "
+ "POLARSSL_NET_C and/or POLARSSL_CTR_DRBG_C not defined.\n");
+ return( 0 );
+}
+#else
+
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) && defined(POLARSSL_FS_IO)
#define POLARSSL_SNI
#endif
@@ -312,21 +328,6 @@
" force_ciphersuite=<name> default: all enabled\n" \
" acceptable ciphersuite names:\n"
-#if !defined(POLARSSL_ENTROPY_C) || \
- !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_SRV_C) || \
- !defined(POLARSSL_NET_C) || !defined(POLARSSL_CTR_DRBG_C)
-int main( int argc, char *argv[] )
-{
- ((void) argc);
- ((void) argv);
-
- printf("POLARSSL_ENTROPY_C and/or "
- "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_SRV_C and/or "
- "POLARSSL_NET_C and/or POLARSSL_CTR_DRBG_C not defined.\n");
- return( 0 );
-}
-#else
-
/*
* Used by sni_parse and psk_parse to handle coma-separated lists
*/
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index 6f60925..9b09e34 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -16,7 +16,11 @@
'config-mini-tls1_1.h'
=> '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'',
'config-suite-b.h'
- => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM'",
+ => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p PolarSSL",
+ 'config-picocoin.h'
+ => 0,
+ 'config-ccm-psk-tls1_2.h'
+ => '-m tls1_2 -f \'TLS-PSK.*AES.*CCM\'',
);
# If no config-name is provided, use all known configs.
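Review bot: The new `-p PolarSSL` on the config-suite-b.h entry appears to limit compat.sh to a single peer, and the reason is not recorded. It is presumably tied to the reduced `SSL_MAX_CONTENT_LEN` in that config, which the config itself says costs interoperability. A comment such as `# PolarSSL peer only: reduced SSL_MAX_CONTENT_LEN breaks interop` above the entry would keep someone from removing the flag later. Likewise `=> 0` for config-picocoin.h is a sentinel meaning "skip compat.sh" and deserves a short comment, since the hash otherwise holds argument strings.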
@@ -59,9 +63,17 @@
system( "make" ) and abort "Failed to build: $conf\n";
system( "make $test" ) and abort "Failed test suite: $conf\n";
- print "\nrunning compat.sh $args\n";
- system( "cd tests && ./compat.sh $args" )
- and abort "Failed compat.sh: $conf\n";
+
+ if( $args )
+ {
+ print "\nrunning compat.sh $args\n";
+ system( "cd tests && ./compat.sh $args" )
+ and abort "Failed compat.sh: $conf\n";
+ }
+ else
+ {
+ print "\nskipping compat.sh\n";
+ }
}
system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 09ae2e0..7c9c76d 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -60,7 +60,7 @@
TEST_ASSERT( cipher_reset( NULL ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
TEST_ASSERT( cipher_reset( &ctx ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( cipher_update_ad( NULL, buf, 0 )
== POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
TEST_ASSERT( cipher_update_ad( &ctx, buf, 0 )
@@ -77,7 +77,7 @@
TEST_ASSERT( cipher_finish( &ctx, buf, &olen )
== POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( cipher_write_tag( NULL, buf, olen )
== POLARSSL_ERR_CIPHER_BAD_INPUT_DATA );
TEST_ASSERT( cipher_write_tag( &ctx, buf, olen )
@@ -157,10 +157,10 @@
TEST_ASSERT( 0 == cipher_reset( &ctx_dec ) );
TEST_ASSERT( 0 == cipher_reset( &ctx_enc ) );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( 0 == cipher_update_ad( &ctx_dec, ad, sizeof( ad ) - i ) );
TEST_ASSERT( 0 == cipher_update_ad( &ctx_enc, ad, sizeof( ad ) - i ) );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif
/* encode length number of bytes from inbuf */
TEST_ASSERT( 0 == cipher_update( &ctx_enc, inbuf, length, encbuf, &outlen ) );
@@ -174,9 +174,9 @@
TEST_ASSERT( 0 == cipher_finish( &ctx_enc, encbuf + outlen, &outlen ) );
total_len += outlen;
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( 0 == cipher_write_tag( &ctx_enc, tag, sizeof( tag ) ) );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif
TEST_ASSERT( total_len == length ||
( total_len % cipher_get_block_size( &ctx_enc ) == 0 &&
@@ -195,9 +195,9 @@
TEST_ASSERT( 0 == cipher_finish( &ctx_dec, decbuf + outlen, &outlen ) );
total_len += outlen;
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( 0 == cipher_check_tag( &ctx_dec, tag, sizeof( tag ) ) );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif
/* check result */
TEST_ASSERT( total_len == length );
@@ -250,9 +250,9 @@
#endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */
TEST_ASSERT( 0 == cipher_set_iv( &ctx, iv, 16 ) );
TEST_ASSERT( 0 == cipher_reset( &ctx ) );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( 0 == cipher_update_ad( &ctx, NULL, 0 ) );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif
/* encode length number of bytes from inbuf */
TEST_ASSERT( 0 == cipher_update( &ctx, inbuf, length, encbuf, &outlen ) );
@@ -297,9 +297,9 @@
TEST_ASSERT( 0 == cipher_reset( &ctx_dec ) );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( 0 == cipher_update_ad( &ctx_dec, NULL, 0 ) );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif
/* decode 0-byte string */
TEST_ASSERT( 0 == cipher_update( &ctx_dec, encbuf, 0, decbuf, &outlen ) );
@@ -359,10 +359,10 @@
TEST_ASSERT( 0 == cipher_reset( &ctx_dec ) );
TEST_ASSERT( 0 == cipher_reset( &ctx_enc ) );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( 0 == cipher_update_ad( &ctx_dec, NULL, 0 ) );
TEST_ASSERT( 0 == cipher_update_ad( &ctx_enc, NULL, 0 ) );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif
/* encode length number of bytes from inbuf */
TEST_ASSERT( 0 == cipher_update( &ctx_enc, inbuf, first_length, encbuf, &outlen ) );
@@ -416,7 +416,7 @@
unsigned char ad[200];
unsigned char tag[20];
size_t key_len, iv_len, cipher_len, clear_len;
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
size_t ad_len, tag_len;
#endif
cipher_context_t ctx;
@@ -435,7 +435,7 @@
iv_len = unhexify( iv, hex_iv );
cipher_len = unhexify( cipher, hex_cipher );
clear_len = unhexify( clear, hex_clear );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
ad_len = unhexify( ad, hex_ad );
tag_len = unhexify( tag, hex_tag );
#else
@@ -455,9 +455,9 @@
#endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */
TEST_ASSERT( 0 == cipher_set_iv( &ctx, iv, iv_len ) );
TEST_ASSERT( 0 == cipher_reset( &ctx ) );
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( 0 == cipher_update_ad( &ctx, ad, ad_len ) );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif
/* decode buffer and check tag */
total_len = 0;
@@ -466,9 +466,9 @@
TEST_ASSERT( finish_result == cipher_finish( &ctx, output + outlen,
&outlen ) );
total_len += outlen;
-#if defined(POLARSSL_CIPHER_MODE_AEAD)
+#if defined(POLARSSL_GCM_C)
TEST_ASSERT( tag_result == cipher_check_tag( &ctx, tag, tag_len ) );
-#endif /* POLARSSL_CIPHER_MODE_AEAD */
+#endif
/* check plaintext only if everything went fine */
if( 0 == finish_result && 0 == tag_result )
diff --git a/tests/suites/test_suite_ecdsa.data b/tests/suites/test_suite_ecdsa.data
index 501bdeb..b03549b 100644
--- a/tests/suites/test_suite_ecdsa.data
+++ b/tests/suites/test_suite_ecdsa.data
@@ -23,7 +23,7 @@
ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP256R1:"DC51D3866A15BACDE33D96F992FCA99DA7E6EF0934E7097559C27F1614C88A7F":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1D5A6DECE":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315"
ECDSA primitive rfc 4754 p384
-depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+depends_on:POLARSSL_ECP_DP_SECP384R1_ENABLED
ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP384R1:"0BEB646634BA87735D77AE4809A0EBEA865535DE4C1E1DCB692E84708E81A5AF62E528C38B2A81B35309668D73524D9F":"96281BF8DD5E0525CA049C048D345D3082968D10FEDF5C5ACA0C64E6465A97EA5CE10C9DFEC21797415710721F437922":"447688BA94708EB6E2E4D59F6AB6D7EDFF9301D249FE49C33096655F5D502FAD3D383B91C5E7EDAA2B714CC99D5743CA":"B4B74E44D71A13D568003D7489908D564C7761E229C58CBFA18950096EB7463B854D7FA992F934D927376285E63414FA":"CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1631A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7":"FB017B914E29149432D8BAC29A514640B46F53DDAB2C69948084E2930F1C8F7E08E07C9C63F2D21A07DCB56A6AF56EB3":"B263A1305E057F984D38726A1B46874109F417BCA112674C528262A40A629AF1CBB9F516CE0FA7D2FF630863A00E8B9F"
ECDSA primitive rfc 4754 p521
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 278fa88..d871a8d 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -269,7 +269,7 @@
ecp_tls_read_group:"030017":0:256
ECP tls read group #5 (OK, buffer continues)
-depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+depends_on:POLARSSL_ECP_DP_SECP384R1_ENABLED
ecp_tls_read_group:"0300180000":0:384
ECP tls write-read group #1
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index 2ea9409..e172315 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -9,7 +9,7 @@
* END_DEPENDENCIES
*/
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:POLARSSL_PEM_WRITE_C */
void pk_write_pubkey_check( char *key_file )
{
pk_context key;
@@ -40,7 +40,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:POLARSSL_PEM_WRITE_C */
void pk_write_key_check( char *key_file )
{
pk_context key;
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 9fd3adc..500df35 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -142,7 +142,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_USE_C */
+/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */
void x509_dn_gets( char *crt_file, char *entity, char *result_str )
{
x509_crt crt;
@@ -169,7 +169,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_USE_C */
+/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */
void x509_time_expired( char *crt_file, char *entity, int result )
{
x509_crt crt;
@@ -189,7 +189,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_USE_C */
+/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */
void x509_time_future( char *crt_file, char *entity, int result )
{
x509_crt crt;
@@ -316,7 +316,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:POLARSSL_X509_USE_C */
void x509_oid_desc( char *oid_str, char *ref_desc )
{
x509_buf oid;
@@ -341,7 +341,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:POLARSSL_X509_USE_C */
void x509_oid_numstr( char *oid_str, char *numstr, int blen, int ret )
{
x509_buf oid;