Merge pull request #9390 from eleuzi01/backport-9327
[Backport 3.6] Remove hacks about asm vs constant-flow testing
diff --git a/BRANCHES.md b/BRANCHES.md
index bcceda8..9d5d779 100644
--- a/BRANCHES.md
+++ b/BRANCHES.md
@@ -107,9 +107,9 @@
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6)
maintained until March 2027, see
- <https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0>.
+ <https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.1>.
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until the end of 2024, see
- <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.8>.
+ <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.9>.
Users are urged to always use the latest version of a maintained branch.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 10f4f53..51944fa 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -40,12 +40,12 @@
if(TEST_CPP)
project("Mbed TLS"
LANGUAGES C CXX
- VERSION 3.6.0
+ VERSION 3.6.1
)
else()
project("Mbed TLS"
LANGUAGES C
- VERSION 3.6.0
+ VERSION 3.6.1
)
endif()
@@ -204,7 +204,7 @@
# note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
OUTPUT_VARIABLE GCC_VERSION)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes")
if (GCC_VERSION VERSION_GREATER 3.0 OR GCC_VERSION VERSION_EQUAL 3.0)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat=2 -Wno-format-nonliteral")
endif()
@@ -238,7 +238,7 @@
endif(CMAKE_COMPILER_IS_GNU)
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral")
set(CMAKE_C_FLAGS_RELEASE "-O2")
set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
@@ -281,6 +281,15 @@
endif(CMAKE_COMPILER_IS_IAR)
endif(MBEDTLS_FATAL_WARNINGS)
+if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP)
+ set(CMAKE_CXX_STANDARD 11)
+ set(CMAKE_CXX_STANDARD_REQUIRED ON)
+ set(CMAKE_CXX_EXTENSIONS OFF)
+ if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pedantic")
+ endif()
+endif()
+
if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
@@ -440,7 +449,7 @@
write_basic_package_version_file(
"cmake/MbedTLSConfigVersion.cmake"
COMPATIBILITY SameMajorVersion
- VERSION 3.6.0)
+ VERSION 3.6.1)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
diff --git a/ChangeLog b/ChangeLog
index b691a0f..8eb43fe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,188 @@
Mbed TLS ChangeLog (Sorted per branch, date)
+= Mbed TLS 3.6.1 branch released 2024-08-30
+
+API changes
+ * The experimental functions psa_generate_key_ext() and
+ psa_key_derivation_output_key_ext() are no longer declared when compiling
+ in C++. This resolves a build failure under C++ compilers that do not
+ support flexible array members (a C99 feature not adopted by C++).
+ Fixes #9020.
+
+Default behavior changes
+ * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
+ !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the
+ corresponding PSA mechanism is enabled, since the server provides the
+ crypto. Fixes #9126.
+ * A TLS handshake may now call psa_crypto_init() if TLS 1.3 is enabled.
+ This can happen even if TLS 1.3 is offered but eventually not selected
+ in the protocol version negotiation.
+ * By default, the handling of TLS 1.3 tickets by the Mbed TLS client is now
+ disabled at runtime. Applications that were using TLS 1.3 tickets
+ signalled by MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return values now
+ need to enable the handling of TLS 1.3 tickets through the new
+ mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() API.
+
+New deprecations
+ * The experimental functions psa_generate_key_ext() and
+ psa_key_derivation_output_key_ext() are deprecated in favor of
+ psa_generate_key_custom() and psa_key_derivation_output_key_custom().
+ They have almost exactly the same interface, but the variable-length
+ data is passed in a separate parameter instead of a flexible array
+ member.
+ * The following cryptographic mechanisms are planned to be removed
+ in Mbed TLS 4.0:
+ - DES (including 3DES).
+ - PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5).
+ (OAEP, PSS, and PKCS#1v1.5 signature are staying.)
+ - Finite-field Diffie-Hellman with custom groups.
+ (RFC 7919 groups remain supported.)
+ - Elliptic curves of size 225 bits or less.
+ * The following cipher suites are planned to be removed from (D)TLS 1.2
+ in Mbed TLS 4.0:
+ - TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using
+ RSA decryption.
+ (RSA signatures, i.e. TLS_ECDHE_RSA_*, are staying.)
+ - TLS_ECDH_*, i.e. cipher suites using static ECDH.
+ (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
+ - TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman.
+ (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
+ - TLS_*CBC*, i.e. all cipher suites using CBC.
+ * The following low-level application interfaces are planned to be removed
+ from the public API in Mbed TLS 4.0:
+ - Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h;
+ - Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h;
+ - Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h,
+ cipher.h, cmac.h, gcm.h, poly1305.h;
+ - Private key encryption mechanisms: pkcs5.h, pkcs12.h.
+ - Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h,
+ ecp.h, rsa.h.
+ The cryptographic mechanisms remain present, but they will only be
+ accessible via the PSA API (psa_xxx functions introduced gradually
+ starting with Mbed TLS 2.17) and, where relevant, `pk.h`.
+ For guidance on migrating application code to the PSA API, please consult
+ the PSA transition guide (docs/psa-transition.md).
+ * The following integration interfaces are planned to be removed
+ in Mbed TLS 4.0:
+ - MBEDTLS_xxx_ALT replacement of cryptographic modules and functions.
+ Use PSA transparent drivers instead.
+ - MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C.
+ Use PSA opaque drivers instead.
+
+Features
+ * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
+ the number of volatile PSA keys is virtually unlimited, at the expense
+ of increased code size. This option is off by default, but enabled in
+ the default mbedtls_config.h. Fixes #9216.
+
+Security
+ * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
+ not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
+ MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
+ CVE-2024-45157
+ * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
+ mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the
+ largest supported curve. In some configurations with PSA disabled,
+ all values of bits are affected. This never happens in internal library
+ calls, but can affect applications that call these functions directly.
+ CVE-2024-45158
+ * With TLS 1.3, when a server enables optional authentication of the
+ client, if the client-provided certificate does not have appropriate values
+ in keyUsage or extKeyUsage extensions, then the return value of
+ mbedtls_ssl_get_verify_result() would incorrectly have the
+ MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits
+ clear. As a result, an attacker that had a certificate valid for uses other
+ than TLS client authentication could be able to use it for TLS client
+ authentication anyway. Only TLS 1.3 servers were affected, and only with
+ optional authentication (required would abort the handshake with a fatal
+ alert).
+ CVE-2024-45159
+
+Bugfix
+ * Fix TLS 1.3 client build and runtime when support for session tickets is
+ disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395.
+ * Fix compilation error when memcpy() is a function-like macros. Fixes #8994.
+ * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled
+ as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
+ * Fix undefined behaviour (incrementing a NULL pointer by zero length) when
+ passing in zero length additional data to multipart AEAD.
+ * Fix rare concurrent access bug where attempting to operate on a
+ non-existent key while concurrently creating a new key could potentially
+ corrupt the key store.
+ * Fix error handling when creating a key in a dynamic secure element
+ (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
+ the creation could return PSA_SUCCESS but using or destroying the key
+ would not work. Fixes #8537.
+ * Fix issue of redefinition warning messages for _GNU_SOURCE in
+ entropy_poll.c and sha_256.c. There was a build warning during
+ building for linux platform.
+ Resolves #9026
+ * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
+ * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
+ CMAC is enabled, but no built-in unauthenticated cipher is enabled.
+ Fixes #9209.
+ * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled.
+ Fixes #9029.
+ * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes
+ long. Credit to Cryptofuzz. Fixes #9314.
+ * Fix interference between PSA volatile keys and built-in keys
+ when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and
+ MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096.
+ * Document and enforce the limitation of mbedtls_psa_register_se_key()
+ to persistent keys. Resolves #9253.
+ * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled
+ but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
+ * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but
+ MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
+ * When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled,
+ some code was defining 0-size arrays, resulting in compilation errors.
+ Fixed by disabling the offending code in configurations without PSA
+ Crypto, where it never worked. Fixes #9311.
+ * Fix unintended performance regression when using short RSA public keys.
+ Fixes #9232.
+ * Fixes an issue where some TLS 1.2 clients could not connect to an
+ Mbed TLS 3.6.0 server, due to incorrect handling of
+ legacy_compression_methods in the ClientHello.
+ Fixes #8995, #9243.
+ * Fix TLS connections failing when the handshake selects TLS 1.3
+ in an application that does not call psa_crypto_init().
+ Fixes #9072.
+ * Fix TLS connection failure in applications using an Mbed TLS client in
+ the default configuration connecting to a TLS 1.3 server sending tickets.
+ See the documentation of
+ mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() for more
+ information.
+ Fixes #8749.
+ * Fix a memory leak that could occur when failing to process an RSA
+ key through some PSA functions due to low memory conditions.
+ * Fixed a regression introduced in 3.6.0 where the CA callback set with
+ mbedtls_ssl_conf_ca_cb() would stop working when connections were
+ upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS
+ 1.3.
+ * Fixed a regression introduced in 3.6.0 where clients that relied on
+ optional/none authentication mode, by calling mbedtls_ssl_conf_authmode()
+ with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop
+ working when connections were upgraded to TLS 1.3. Fixed by adding
+ support for optional/none with TLS 1.3 as well. Note that the TLS 1.3
+ standard makes server authentication mandatory; users are advised not to
+ use authmode none, and to carefully check the results when using optional
+ mode.
+ * Fixed a regression introduced in 3.6.0 where context-specific certificate
+ verify callbacks, set with mbedtls_ssl_set_verify() as opposed to
+ mbedtls_ssl_conf_verify(), would stop working when connections were
+ upgraded to TLS 1.3. Fixed by adding support for context-specific verify
+ callback in TLS 1.3.
+
+Changes
+ * Warn if mbedtls/check_config.h is included manually, as this can
+ lead to spurious errors. Error if a *adjust*.h header is included
+ manually, as this can lead to silently inconsistent configurations,
+ potentially resulting in buffer overflows.
+ When migrating from Mbed TLS 2.x, if you had a custom config.h that
+ included check_config.h, remove this inclusion from the Mbed TLS 3.x
+ configuration file (renamed to mbedtls_config.h). This change was made
+ in Mbed TLS 3.0, but was not announced in a changelog entry at the time.
+
= Mbed TLS 3.6.0 branch released 2024-03-28
API changes
diff --git a/ChangeLog.d/9126.txt b/ChangeLog.d/9126.txt
deleted file mode 100644
index 22939df..0000000
--- a/ChangeLog.d/9126.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Default behavior changes
- * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
- !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the
- corresponding PSA mechanism is enabled, since the server provides the
- crypto. Fixes #9126.
diff --git a/ChangeLog.d/asn1-missing-guard-in-rsa.txt b/ChangeLog.d/asn1-missing-guard-in-rsa.txt
deleted file mode 100644
index bb5b470..0000000
--- a/ChangeLog.d/asn1-missing-guard-in-rsa.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled
- as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
diff --git a/ChangeLog.d/check-config.txt b/ChangeLog.d/check-config.txt
deleted file mode 100644
index 8570a11..0000000
--- a/ChangeLog.d/check-config.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Changes
- * Warn if mbedtls/check_config.h is included manually, as this can
- lead to spurious errors. Error if a *adjust*.h header is included
- manually, as this can lead to silently inconsistent configurations,
- potentially resulting in buffer overflows.
- When migrating from Mbed TLS 2.x, if you had a custom config.h that
- included check_config.h, remove this inclusion from the Mbed TLS 3.x
- configuration file (renamed to mbedtls_config.h). This change was made
- in Mbed TLS 3.0, but was not announced in a changelog entry at the time.
diff --git a/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt b/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt
deleted file mode 100644
index 11e7d25..0000000
--- a/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix compilation error when memcpy() is a function-like macros. Fixes #8994.
diff --git a/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt b/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt
deleted file mode 100644
index 8a406a1..0000000
--- a/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix rare concurrent access bug where attempting to operate on a
- non-existent key while concurrently creating a new key could potentially
- corrupt the key store.
diff --git a/ChangeLog.d/fix-psa-cmac.txt b/ChangeLog.d/fix-psa-cmac.txt
deleted file mode 100644
index e3c8aec..0000000
--- a/ChangeLog.d/fix-psa-cmac.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
- CMAC is enabled, but no built-in unauthenticated cipher is enabled.
- Fixes #9209.
diff --git a/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt b/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
deleted file mode 100644
index b5c2650..0000000
--- a/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix issue of redefinition warning messages for _GNU_SOURCE in
- entropy_poll.c and sha_256.c. There was a build warning during
- building for linux platform.
- Resolves #9026
diff --git a/ChangeLog.d/fix-secure-element-key-creation.txt b/ChangeLog.d/fix-secure-element-key-creation.txt
deleted file mode 100644
index 23a46c0..0000000
--- a/ChangeLog.d/fix-secure-element-key-creation.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix error handling when creating a key in a dynamic secure element
- (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
- the creation could return PSA_SUCCESS but using or destroying the key
- would not work. Fixes #8537.
diff --git a/ChangeLog.d/fix-test-suite-pk-warnings.txt b/ChangeLog.d/fix-test-suite-pk-warnings.txt
deleted file mode 100644
index 2604219..0000000
--- a/ChangeLog.d/fix-test-suite-pk-warnings.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled.
- Fixes #9029.
diff --git a/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt b/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt
deleted file mode 100644
index e4726a4..0000000
--- a/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix undefined behaviour (incrementing a NULL pointer by zero length) when
- passing in zero length additional data to multipart AEAD.
diff --git a/ChangeLog.d/pk-norsa-warning.txt b/ChangeLog.d/pk-norsa-warning.txt
deleted file mode 100644
index d00aa8a..0000000
--- a/ChangeLog.d/pk-norsa-warning.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
diff --git a/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt b/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt
deleted file mode 100644
index 39e03b9..0000000
--- a/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes
- long. Credit to Cryptofuzz. Fixes #9314.
diff --git a/ChangeLog.d/tls13-without-tickets.txt b/ChangeLog.d/tls13-without-tickets.txt
deleted file mode 100644
index 8ceef21..0000000
--- a/ChangeLog.d/tls13-without-tickets.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix TLS 1.3 client build and runtime when support for session tickets is
- disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395.
diff --git a/docs/architecture/psa-keystore-design.md b/docs/architecture/psa-keystore-design.md
index 54ba8ac..cdd2cac 100644
--- a/docs/architecture/psa-keystore-design.md
+++ b/docs/architecture/psa-keystore-design.md
@@ -67,7 +67,7 @@
There are three variants of the key store implementation, responding to different needs.
* Hybrid key store ([static key slots](#static-key-store) with dynamic key data): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Key material is allocated on the heap. This is the historical implementation. It remains the default in the Mbed TLS 3.6 long-time support (LTS) branch when using a handwritten `mbedtls_config.h`, as is common on resource-constrained platforms, because the alternatives have tradeoffs (key size limit and larger RAM usage at rest for the static key store, larger code size and more risk due to code complexity for the dynamic key store).
-* Fully [static key store](#static-key-store) (since Mbed TLS 3.6.1): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Each key slot contains the key representation directly, and the key representation must be no more than `MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE` bytes. This is intended for very constrained devices that do not have a heap.
+* Fully [static key store](#static-key-store) (since Mbed TLS 3.6.2): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Each key slot contains the key representation directly, and the key representation must be no more than `MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE` bytes. This is intended for very constrained devices that do not have a heap.
* [Dynamic key store](#dynamic-key-store) (since Mbed TLS 3.6.1): the key store is dynamically allocated as multiple slices on the heap, with a size that adjusts to the application's usage. Key material is allocated on the heap. Compared to the hybrid key store, the code size and RAM consumption are larger. This is intended for higher-end devices where applications are not expected to have a highly predicatable resource usage. This is the default implementation when using the default `mbedtls_config.h` file, as is common on platforms such as Linux, starting with Mbed TLS 3.6.1.
#### Future improvement: merging the key store variants
@@ -95,7 +95,7 @@
The static key store is the historical implementation. The key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. This value is an upper bound for the total number of volatile keys plus loaded keys.
-Since Mbed TLS 3.6.1, there are two variants for the static key store: a hybrid variant (default), and a fully-static variant enabled by the configuration option `MBEDTLS_PSA_STATIC_KEY_SLOTS`. The two variants have the same key store management: the only difference is in how the memory for key data is managed. With fully static key slots, the key data is directly inside the slot, and limited to `MBEDTLS_PSA_KEY_SLOT_BUFFER_SIZE` bytes. With the hybrid key store, the slot contains a pointer to the key data, which is allocated on the heap.
+Since Mbed TLS 3.6.2, there are two variants for the static key store: a hybrid variant (default), and a fully-static variant enabled by the configuration option `MBEDTLS_PSA_STATIC_KEY_SLOTS`. The two variants have the same key store management: the only difference is in how the memory for key data is managed. With fully static key slots, the key data is directly inside the slot, and limited to `MBEDTLS_PSA_KEY_SLOT_BUFFER_SIZE` bytes. With the hybrid key store, the slot contains a pointer to the key data, which is allocated on the heap.
#### Volatile key identifiers in the static key store
@@ -113,6 +113,8 @@
The dynamic key store allows a large number of keys, at the expense of more complex memory management.
+The dynamic key store was added in Mbed TLS 3.6.1. It is enabled by `MBEDTLS_PSA_KEY_STORE_DYNAMIC`, which is enabled by default since Mbed TLS 3.6.1.
+
#### Dynamic key slot performance characteristics
Key management and key access have $O(1)$ amortized performance, and mostly $O(1)$ performance for actions involving keys. More precisely:
diff --git a/docs/psa-transition.md b/docs/psa-transition.md
index bbb7da2..952cb1c 100644
--- a/docs/psa-transition.md
+++ b/docs/psa-transition.md
@@ -779,7 +779,7 @@
The easiest way to create a key pair object is by randomly generating it with [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5). Compared with the low-level functions from the legacy API (`mbedtls_rsa_gen_key`, `mbedtls_ecp_gen_privkey`, `mbedtls_ecp_gen_keypair`, `mbedtls_ecp_gen_keypair_base`, `mbedtls_ecdsa_genkey`), this directly creates an object that can be used with high-level APIs, but removes some of the flexibility. Note that if you want to export the generated private key, you must pass the flag [`PSA_KEY_USAGE_EXPORT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga7dddccdd1303176e87a4d20c87b589ed) to [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de); exporting the public key with [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) is always permitted.
-For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_ext`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga6776360ae8046a4456a5f990f997da58) to select a different public exponent. As of Mbed TLS 3.6.0, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers.
+For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_custom`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#ga0415617443afe42a712027bbb8ad89f0) to select a different public exponent. As of Mbed TLS 3.6.1, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers.
To create a key object from existing material, use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b). This function has the same basic goal as the PK parse functions (`mbedtls_pk_parse_key`, `mbedtls_pk_parse_public_key`, `mbedtls_pk_parse_subpubkey`), but only supports a single format that just contains the number(s) that make up the key, with very little metadata. The table below summarizes the PSA import/export format for key pairs and public keys; see the documentation of [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) and [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) for more details.
@@ -939,7 +939,7 @@
The equivalent of `mbedtls_pk_verify` or `mbedtls_pk_verify_ext` to verify an already calculated hash is [`psa_verify_hash`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__asymmetric/#group__asymmetric_1gae2ffbf01e5266391aff22b101a49f5f5).
The key must be a public key (or a key pair) allowing the usage `PSA_KEY_USAGE_VERIFY_HASH` (see “[Public-key cryptography policies](#public-key-cryptography-policies)”).
-This is also the equivalent of the type-specific functions `mbedtls_rsa_pkcs1_verify`, `mbedtls_rsa_rsassa_pkcs1_v15_verify`, `mbedtls_rsa_rsassa_pss_verify`, `mbedtls_rsa_rsassa_pss_verify_ext`, `mbedtls_ecdsa_verify` amd `mbedtls_ecdsa_read_signature`. Note that the PSA API uses the raw format for ECDSA signatures, not the ASN.1 format; see “[ECDSA signature](#ecdsa-signature)” for more details.
+This is also the equivalent of the type-specific functions `mbedtls_rsa_pkcs1_verify`, `mbedtls_rsa_rsassa_pkcs1_v15_verify`, `mbedtls_rsa_rsassa_pss_verify`, `mbedtls_rsa_rsassa_pss_verify_ext`, `mbedtls_ecdsa_verify` and `mbedtls_ecdsa_read_signature`. Note that the PSA API uses the raw format for ECDSA signatures, not the ASN.1 format; see “[ECDSA signature](#ecdsa-signature)” for more details.
Generally, `psa_sign_hash` and `psa_verify_hash` require the input to have the correct length for the hash (this has historically not always been enforced in the corresponding legacy APIs).
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index 3eb5f75..740bb19 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -10,7 +10,7 @@
*/
/**
- * @mainpage Mbed TLS v3.6.0 API Documentation
+ * @mainpage Mbed TLS v3.6.1 API Documentation
*
* This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index c4505ac..2a82820 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -1,4 +1,4 @@
-PROJECT_NAME = "Mbed TLS v3.6.0"
+PROJECT_NAME = "Mbed TLS v3.6.1"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
diff --git a/framework b/framework
index 331565b..94599c0 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 331565b041f794df2da76394b3b0039abce30355
+Subproject commit 94599c0e3b5036e086446a51a3f79640f70f22f6
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 71d7b97..8367cd3 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -880,7 +880,7 @@
mbedtls_mpi_sint b);
/**
- * \brief Perform a sliding-window exponentiation: X = A^E mod N
+ * \brief Perform a modular exponentiation: X = A^E mod N
*
* \param X The destination MPI. This must point to an initialized MPI.
* This must not alias E or N.
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index cf38f90..8242ec6 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -26,16 +26,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 3
#define MBEDTLS_VERSION_MINOR 6
-#define MBEDTLS_VERSION_PATCH 0
+#define MBEDTLS_VERSION_PATCH 1
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x03060000
-#define MBEDTLS_VERSION_STRING "3.6.0"
-#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.0"
+#define MBEDTLS_VERSION_NUMBER 0x03060100
+#define MBEDTLS_VERSION_STRING "3.6.1"
+#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.1"
/* Macros for build-time platform detection */
diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h
index 7a375d8..3ba987e 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@@ -428,7 +428,7 @@
/* psa_util file features some ECDSA conversion functions, to convert between
* legacy's ASN.1 DER format and PSA's raw one. */
-#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_C) && \
+#if (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
(defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)))
#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
#endif
diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h
index c00756d..0b7cce1 100644
--- a/include/mbedtls/ctr_drbg.h
+++ b/include/mbedtls/ctr_drbg.h
@@ -32,12 +32,27 @@
#include "mbedtls/build_info.h"
-/* In case AES_C is defined then it is the primary option for backward
- * compatibility purposes. If that's not available, PSA is used instead */
-#if defined(MBEDTLS_AES_C)
-#include "mbedtls/aes.h"
-#else
+/* The CTR_DRBG implementation can either directly call the low-level AES
+ * module (gated by MBEDTLS_AES_C) or call the PSA API to perform AES
+ * operations. Calling the AES module directly is the default, both for
+ * maximum backward compatibility and because it's a bit more efficient
+ * (less glue code).
+ *
+ * When MBEDTLS_AES_C is disabled, the CTR_DRBG module calls PSA crypto and
+ * thus benefits from the PSA AES accelerator driver.
+ * It is technically possible to enable MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO
+ * to use PSA even when MBEDTLS_AES_C is enabled, but there is very little
+ * reason to do so other than testing purposes and this is not officially
+ * supported.
+ */
+#if !defined(MBEDTLS_AES_C)
+#define MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
#include "psa/crypto.h"
+#else
+#include "mbedtls/aes.h"
#endif
#include "entropy.h"
@@ -157,7 +172,7 @@
#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN (MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1) / 2
#endif
-#if !defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
typedef struct mbedtls_ctr_drbg_psa_context {
mbedtls_svc_key_id_t key_id;
psa_cipher_operation_t operation;
@@ -189,10 +204,10 @@
* This is the maximum number of requests
* that can be made between reseedings. */
-#if defined(MBEDTLS_AES_C)
- mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
mbedtls_ctr_drbg_psa_context MBEDTLS_PRIVATE(psa_ctx); /*!< The PSA context. */
+#else
+ mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */
#endif
/*
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index c59dd68..bd3f71d 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1415,6 +1415,23 @@
//#define MBEDTLS_PSA_CRYPTO_SPM
/**
+ * \def MBEDTLS_PSA_KEY_STORE_DYNAMIC
+ *
+ * Dynamically resize the PSA key store to accommodate any number of
+ * volatile keys (until the heap memory is exhausted).
+ *
+ * If this option is disabled, the key store has a fixed size
+ * #MBEDTLS_PSA_KEY_SLOT_COUNT for volatile keys and loaded persistent keys
+ * together.
+ *
+ * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ */
+#define MBEDTLS_PSA_KEY_STORE_DYNAMIC
+
+/**
* Uncomment to enable p256-m. This is an alternative implementation of
* key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
* Compared to the default implementation:
@@ -1781,8 +1798,9 @@
* Requires: MBEDTLS_PSA_CRYPTO_C
*
* \note TLS 1.3 uses PSA crypto for cryptographic operations that are
- * directly performed by TLS 1.3 code. As a consequence, you must
- * call psa_crypto_init() before the first TLS 1.3 handshake.
+ * directly performed by TLS 1.3 code. As a consequence, when TLS 1.3
+ * is enabled, a TLS handshake may call psa_crypto_init(), even
+ * if it ends up negotiating a different TLS version.
*
* \note Cryptographic operations performed indirectly via another module
* (X.509, PK) or by code shared with TLS 1.2 (record protection,
@@ -4016,22 +4034,38 @@
* Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
* PSA crypto subsystem.
*
- * If this option is unset:
- * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG.
- * - Otherwise, the PSA subsystem uses HMAC_DRBG with either
- * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and
- * on unspecified heuristics.
+ * If this option is unset, the library chooses a hash (currently between
+ * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
+ * unspecified heuristics.
+ *
+ * \note The PSA crypto subsystem uses the first available mechanism amongst
+ * the following:
+ * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
+ * if #MBEDTLS_CTR_DRBG_C is enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
+ *
+ * A future version may reevaluate the prioritization of DRBG mechanisms.
*/
//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
/** \def MBEDTLS_PSA_KEY_SLOT_COUNT
- * Restrict the PSA library to supporting a maximum amount of simultaneously
- * loaded keys. A loaded key is a key stored by the PSA Crypto core as a
- * volatile key, or a persistent key which is loaded temporarily by the
- * library as part of a crypto operation in flight.
*
- * If this option is unset, the library will fall back to a default value of
- * 32 keys.
+ * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled,
+ * the maximum amount of PSA keys simultaneously in memory. This counts all
+ * volatile keys, plus loaded persistent keys.
+ *
+ * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
+ * the maximum number of loaded persistent keys.
+ *
+ * Currently, persistent keys do not need to be loaded all the time while
+ * a multipart operation is in progress, only while the operation is being
+ * set up. This may change in future versions of the library.
+ *
+ * Currently, the library traverses of the whole table on each access to a
+ * persistent key. Therefore large values may cause poor performance.
+ *
+ * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
*/
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 4b59e78..42fffbf 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -83,10 +83,7 @@
/** Processing of the Certificate handshake message failed. */
#define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00
/* Error space gap */
-/**
- * Received NewSessionTicket Post Handshake Message.
- * This error code is experimental and may be changed or removed without notice.
- */
+/** A TLS 1.3 NewSessionTicket message has been received. */
#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00
/** Not possible to read early data */
#define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80
@@ -324,6 +321,9 @@
#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0
#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1
+#define MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED 0
+#define MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED 1
+
#define MBEDTLS_SSL_PRESET_DEFAULT 0
#define MBEDTLS_SSL_PRESET_SUITEB 2
@@ -1446,6 +1446,12 @@
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_CLI_C)
+ /** Encodes two booleans, one stating whether TLS 1.2 session tickets are
+ * enabled or not, the other one whether the handling of TLS 1.3
+ * NewSessionTicket messages is enabled or not. They are respectively set
+ * by mbedtls_ssl_conf_session_tickets() and
+ * mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets().
+ */
uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */
#endif
@@ -4465,21 +4471,50 @@
void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order);
#endif /* MBEDTLS_SSL_SRV_C */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
- defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
/**
- * \brief Enable / Disable session tickets (client only).
- * (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
+ * \brief Enable / Disable TLS 1.2 session tickets (client only,
+ * TLS 1.2 only). Enabled by default.
*
* \note On server, use \c mbedtls_ssl_conf_session_tickets_cb().
*
* \param conf SSL configuration
- * \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
- * MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
+ * \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
+ * #MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
*/
void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);
-#endif /* MBEDTLS_SSL_SESSION_TICKETS &&
- MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/**
+ * \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages
+ * (client only, TLS 1.3 only).
+ *
+ * The handling of TLS 1.3 NewSessionTicket messages is disabled by
+ * default.
+ *
+ * In TLS 1.3, servers may send a NewSessionTicket message at any time,
+ * and may send multiple NewSessionTicket messages. By default, TLS 1.3
+ * clients ignore NewSessionTicket messages.
+ *
+ * To support session tickets in TLS 1.3 clients, call this function
+ * with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When
+ * this is enabled, when a client receives a NewSessionTicket message,
+ * the next call to a message processing functions (notably
+ * mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return
+ * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then
+ * call mbedtls_ssl_get_session() to retrieve the session ticket before
+ * calling the same message processing function again.
+ *
+ * \param conf SSL configuration
+ * \param signal_new_session_tickets Enable or disable
+ * (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or
+ * #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED)
+ */
+void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
+ mbedtls_ssl_config *conf, int signal_new_session_tickets);
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_SRV_C) && \
@@ -4887,6 +4922,10 @@
* \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
* and the client did not demonstrate reachability yet - in
* this case you must stop using the context (see below).
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3
+ * NewSessionTicket message has been received. See the
+ * documentation of mbedtls_ssl_read() for more information
+ * about this error code.
* \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
* defined in RFC 8446 (TLS 1.3 specification), has been
* received as part of the handshake. This is server specific
@@ -4903,6 +4942,7 @@
* #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
* #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or
* #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
@@ -4923,10 +4963,13 @@
* currently being processed might or might not contain further
* DTLS records.
*
- * \note If the context is configured to allow TLS 1.3, or if
- * #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
* subsystem must have been initialized by calling
* psa_crypto_init() before calling this function.
+ * Otherwise, the handshake may call psa_crypto_init()
+ * if a negotiation involving TLS 1.3 takes place (this may
+ * be the case even if TLS 1.3 is offered but eventually
+ * not selected).
*/
int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl);
@@ -4974,6 +5017,7 @@
* #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
* #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or
* #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using
* the SSL context for reading or writing, and either free it
* or call \c mbedtls_ssl_session_reset() on it before
@@ -5042,6 +5086,17 @@
* \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
* side of a DTLS connection and the client is initiating a
* new connection using the same source port. See below.
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3
+ * NewSessionTicket message has been received.
+ * This error code is only returned on the client side. It is
+ * only returned if handling of TLS 1.3 NewSessionTicket
+ * messages has been enabled through
+ * mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets().
+ * This error code indicates that a TLS 1.3 NewSessionTicket
+ * message has been received and parsed successfully by the
+ * client. The ticket data can be retrieved from the SSL
+ * context by calling mbedtls_ssl_get_session(). It remains
+ * available until the next call to mbedtls_ssl_read().
* \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
* defined in RFC 8446 (TLS 1.3 specification), has been
* received as part of the handshake. This is server specific
@@ -5059,6 +5114,7 @@
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
* #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
* #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or
+ * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or
* #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
@@ -5124,6 +5180,10 @@
* operation is in progress (see mbedtls_ecp_set_max_ops()) -
* in this case you must call this function again to complete
* the handshake when you're done attending other tasks.
+ * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3
+ * NewSessionTicket message has been received. See the
+ * documentation of mbedtls_ssl_read() for more information
+ * about this error code.
* \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
* defined in RFC 8446 (TLS 1.3 specification), has been
* received as part of the handshake. This is server specific
@@ -5140,6 +5200,7 @@
* #MBEDTLS_ERR_SSL_WANT_WRITE,
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
* #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or
* #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
* you must stop using the SSL context for reading or writing,
* and either free it or call \c mbedtls_ssl_session_reset()
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 3525da2..2bbcea3 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -119,8 +119,8 @@
* value in the structure.
* The persistent key will be written to storage when the attribute
* structure is passed to a key creation function such as
- * psa_import_key(), psa_generate_key(), psa_generate_key_ext(),
- * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext()
+ * psa_import_key(), psa_generate_key(), psa_generate_key_custom(),
+ * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom()
* or psa_copy_key().
*
* This function may be declared as `static` (i.e. without external
@@ -129,6 +129,9 @@
*
* \param[out] attributes The attribute structure to write to.
* \param key The persistent identifier for the key.
+ * This can be any value in the range from
+ * #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX
+ * inclusive.
*/
static void psa_set_key_id(psa_key_attributes_t *attributes,
mbedtls_svc_key_id_t key);
@@ -164,8 +167,8 @@
* value in the structure.
* The persistent key will be written to storage when the attribute
* structure is passed to a key creation function such as
- * psa_import_key(), psa_generate_key(), psa_generate_key_ext(),
- * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext()
+ * psa_import_key(), psa_generate_key(), psa_generate_key_custom(),
+ * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom()
* or psa_copy_key().
*
* This function may be declared as `static` (i.e. without external
@@ -3234,7 +3237,7 @@
* of or after providing inputs. For some algorithms, this step is mandatory
* because the output depends on the maximum capacity.
* -# To derive a key, call psa_key_derivation_output_key() or
- * psa_key_derivation_output_key_ext().
+ * psa_key_derivation_output_key_custom().
* To derive a byte string for a different purpose, call
* psa_key_derivation_output_bytes().
* Successive calls to these functions use successive output bytes
@@ -3457,7 +3460,7 @@
* \note Once all inputs steps are completed, the operations will allow:
* - psa_key_derivation_output_bytes() if each input was either a direct input
* or a key with #PSA_KEY_USAGE_DERIVE set;
- * - psa_key_derivation_output_key() or psa_key_derivation_output_key_ext()
+ * - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom()
* if the input for step
* #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
* was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was
@@ -3707,9 +3710,9 @@
* on the derived key based on the attributes and strength of the secret key.
*
* \note This function is equivalent to calling
- * psa_key_derivation_output_key_ext()
- * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT
- * and `params_data_length == 0` (i.e. `params->data` is empty).
+ * psa_key_derivation_output_key_custom()
+ * with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT
+ * and `custom_data_length == 0` (i.e. `custom_data` is empty).
*
* \param[in] attributes The attributes for the new key.
* If the key type to be created is
@@ -3781,6 +3784,85 @@
* the policy must be the same as in the current
* operation.
* \param[in,out] operation The key derivation operation object to read from.
+ * \param[in] custom Customization parameters for the key generation.
+ * When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT
+ * with \p custom_data_length = 0,
+ * this function is equivalent to
+ * psa_key_derivation_output_key().
+ * \param[in] custom_data Variable-length data associated with \c custom.
+ * \param custom_data_length
+ * Length of `custom_data` in bytes.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_INSUFFICIENT_DATA
+ * There was not enough data to create the desired key.
+ * Note that in this case, no output is written to the output buffer.
+ * The operation's capacity is set to 0, thus subsequent calls to
+ * this function will not succeed, even with a smaller output buffer.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The key type or key size is not supported, either by the
+ * implementation in general or in this particular location.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The provided key attributes are not valid for the operation.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The #PSA_KEY_DERIVATION_INPUT_SECRET or
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
+ * key; or one of the inputs was a key whose policy didn't allow
+ * #PSA_KEY_USAGE_DERIVE.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active and completed
+ * all required input steps), or the library has not been previously
+ * initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_key_derivation_output_key_custom(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
+ mbedtls_svc_key_id_t *key);
+
+#ifndef __cplusplus
+/* Omitted when compiling in C++, because one of the parameters is a
+ * pointer to a struct with a flexible array member, and that is not
+ * standard C++.
+ * https://github.com/Mbed-TLS/mbedtls/issues/9020
+ */
+/** Derive a key from an ongoing key derivation operation with custom
+ * production parameters.
+ *
+ * \note
+ * This is a deprecated variant of psa_key_derivation_output_key_custom().
+ * It is equivalent except that the associated variable-length data
+ * is passed in `params->data` instead of a separate parameter.
+ * This function will be removed in a future version of Mbed TLS.
+ *
+ * \param[in] attributes The attributes for the new key.
+ * If the key type to be created is
+ * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
+ * the policy must be the same as in the current
+ * operation.
+ * \param[in,out] operation The key derivation operation object to read from.
* \param[in] params Customization parameters for the key derivation.
* When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
* with \p params_data_length = 0,
@@ -3840,6 +3922,7 @@
const psa_key_production_parameters_t *params,
size_t params_data_length,
mbedtls_svc_key_id_t *key);
+#endif /* !__cplusplus */
/** Compare output data from a key derivation operation to an expected value.
*
@@ -3927,7 +4010,7 @@
* operation. The value of this key was likely
* computed by a previous call to
* psa_key_derivation_output_key() or
- * psa_key_derivation_output_key_ext().
+ * psa_key_derivation_output_key_custom().
*
* \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_INVALID_SIGNATURE
@@ -4095,9 +4178,9 @@
* between 2^{n-1} and 2^n where n is the bit size specified in the
* attributes.
*
- * \note This function is equivalent to calling psa_generate_key_ext()
- * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT
- * and `params_data_length == 0` (i.e. `params->data` is empty).
+ * \note This function is equivalent to calling psa_generate_key_custom()
+ * with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT
+ * and `custom_data_length == 0` (i.e. `custom_data` is empty).
*
* \param[in] attributes The attributes for the new key.
* \param[out] key On success, an identifier for the newly created
@@ -4137,7 +4220,7 @@
* See the description of psa_generate_key() for the operation of this
* function with the default production parameters. In addition, this function
* supports the following production customizations, described in more detail
- * in the documentation of ::psa_key_production_parameters_t:
+ * in the documentation of ::psa_custom_key_parameters_t:
*
* - RSA keys: generation with a custom public exponent.
*
@@ -4145,6 +4228,64 @@
* versions of Mbed TLS.
*
* \param[in] attributes The attributes for the new key.
+ * \param[in] custom Customization parameters for the key generation.
+ * When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT
+ * with \p custom_data_length = 0,
+ * this function is equivalent to
+ * psa_generate_key().
+ * \param[in] custom_data Variable-length data associated with \c custom.
+ * \param custom_data_length
+ * Length of `custom_data` in bytes.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
+ * \c 0 on failure.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * This is an attempt to create a persistent key, and there is
+ * already a persistent key with the given identifier.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
+ mbedtls_svc_key_id_t *key);
+
+#ifndef __cplusplus
+/* Omitted when compiling in C++, because one of the parameters is a
+ * pointer to a struct with a flexible array member, and that is not
+ * standard C++.
+ * https://github.com/Mbed-TLS/mbedtls/issues/9020
+ */
+/**
+ * \brief Generate a key or key pair using custom production parameters.
+ *
+ * \note
+ * This is a deprecated variant of psa_key_derivation_output_key_custom().
+ * It is equivalent except that the associated variable-length data
+ * is passed in `params->data` instead of a separate parameter.
+ * This function will be removed in a future version of Mbed TLS.
+ *
+ * \param[in] attributes The attributes for the new key.
* \param[in] params Customization parameters for the key generation.
* When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
* with \p params_data_length = 0,
@@ -4184,6 +4325,7 @@
const psa_key_production_parameters_t *params,
size_t params_data_length,
mbedtls_svc_key_id_t *key);
+#endif /* !__cplusplus */
/**@}*/
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 6ed1f6c..0cf42c6 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -154,6 +154,14 @@
* specified in \p attributes.
*
* \param[in] attributes The attributes of the existing key.
+ * - The lifetime must be a persistent lifetime
+ * in a secure element. Volatile lifetimes are
+ * not currently supported.
+ * - The key identifier must be in the valid
+ * range for persistent keys.
+ * - The key type and size must be specified and
+ * must be consistent with the key material
+ * in the secure element.
*
* \retval #PSA_SUCCESS
* The key was successfully registered.
@@ -479,7 +487,7 @@
* #PSA_KEY_ID_VENDOR_MIN and #PSA_KEY_ID_VENDOR_MAX and must not intersect
* with any other set of implementation-chosen key identifiers.
*
- * This value is part of the library's ABI since changing it would invalidate
+ * This value is part of the library's API since changing it would invalidate
* the values of built-in key identifiers in applications.
*/
#define MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t) 0x7fff0000)
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 3913551..362e921 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -223,9 +223,34 @@
return v;
}
-struct psa_key_production_parameters_s {
+struct psa_custom_key_parameters_s {
/* Future versions may add other fields in this structure. */
uint32_t flags;
+};
+
+/** The default production parameters for key generation or key derivation.
+ *
+ * Calling psa_generate_key_custom() or psa_key_derivation_output_key_custom()
+ * with `custom=PSA_CUSTOM_KEY_PARAMETERS_INIT` and `custom_data_length=0` is
+ * equivalent to calling psa_generate_key() or psa_key_derivation_output_key()
+ * respectively.
+ */
+#define PSA_CUSTOM_KEY_PARAMETERS_INIT { 0 }
+
+#ifndef __cplusplus
+/* Omitted when compiling in C++, because one of the parameters is a
+ * pointer to a struct with a flexible array member, and that is not
+ * standard C++.
+ * https://github.com/Mbed-TLS/mbedtls/issues/9020
+ */
+/* This is a deprecated variant of `struct psa_custom_key_parameters_s`.
+ * It has exactly the same layout, plus an extra field which is a flexible
+ * array member. Thus a `const struct psa_key_production_parameters_s *`
+ * can be passed to any function that reads a
+ * `const struct psa_custom_key_parameters_s *`.
+ */
+struct psa_key_production_parameters_s {
+ uint32_t flags;
uint8_t data[];
};
@@ -238,6 +263,7 @@
* respectively.
*/
#define PSA_KEY_PRODUCTION_PARAMETERS_INIT { 0 }
+#endif /* !__cplusplus */
struct psa_key_policy_s {
psa_key_usage_t MBEDTLS_PRIVATE(usage);
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index c21bad8..f831486 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -457,6 +457,30 @@
/** \brief Custom parameters for key generation or key derivation.
*
+ * This is a structure type with at least the following field:
+ *
+ * - \c flags: an unsigned integer type. 0 for the default production parameters.
+ *
+ * Functions that take such a structure as input also take an associated
+ * input buffer \c custom_data of length \c custom_data_length.
+ *
+ * The interpretation of this structure and the associated \c custom_data
+ * parameter depend on the type of the created key.
+ *
+ * - #PSA_KEY_TYPE_RSA_KEY_PAIR:
+ * - \c flags: must be 0.
+ * - \c custom_data: the public exponent, in little-endian order.
+ * This must be an odd integer and must not be 1.
+ * Implementations must support 65537, should support 3 and may
+ * support other values.
+ * When not using a driver, Mbed TLS supports values up to \c INT_MAX.
+ * If this is empty, the default value 65537 is used.
+ * - Other key types: reserved for future use. \c flags must be 0.
+ */
+typedef struct psa_custom_key_parameters_s psa_custom_key_parameters_t;
+
+/** \brief Custom parameters for key generation or key derivation.
+ *
* This is a structure type with at least the following fields:
*
* - \c flags: an unsigned integer type. 0 for the default production parameters.
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 37a9724..e4d8f0d 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -197,11 +197,11 @@
endif()
if(CMAKE_COMPILER_IS_GNUCC)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations")
endif(CMAKE_COMPILER_IS_GNUCC)
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
endif(CMAKE_COMPILER_IS_CLANG)
if(CMAKE_COMPILER_IS_MSVC)
@@ -300,7 +300,7 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.6.0 SOVERSION 16)
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.6.1 SOVERSION 16)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
if(TARGET ${everest_target})
@@ -312,11 +312,11 @@
endif()
add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.6.0 SOVERSION 7)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.6.1 SOVERSION 7)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.6.0 SOVERSION 21)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.6.1 SOVERSION 21)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)
diff --git a/library/bignum.c b/library/bignum.c
index c45fd5b..4244909 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -27,6 +27,7 @@
#include "mbedtls/bignum.h"
#include "bignum_core.h"
+#include "bignum_internal.h"
#include "bn_mul.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
@@ -1610,9 +1611,13 @@
return 0;
}
-int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
- const mbedtls_mpi *E, const mbedtls_mpi *N,
- mbedtls_mpi *prec_RR)
+/*
+ * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
+ * this function is not constant time with respect to the exponent (parameter E).
+ */
+static int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *E, int E_public,
+ const mbedtls_mpi *N, mbedtls_mpi *prec_RR)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1695,7 +1700,11 @@
{
mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
- mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
+ if (E_public == MBEDTLS_MPI_IS_PUBLIC) {
+ mbedtls_mpi_core_exp_mod_unsafe(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
+ } else {
+ mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
+ }
mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
}
@@ -1720,6 +1729,20 @@
return ret;
}
+int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *E, const mbedtls_mpi *N,
+ mbedtls_mpi *prec_RR)
+{
+ return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_SECRET, N, prec_RR);
+}
+
+int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *E, const mbedtls_mpi *N,
+ mbedtls_mpi *prec_RR)
+{
+ return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_PUBLIC, N, prec_RR);
+}
+
/*
* Greatest common divisor: G = gcd(A, B) (HAC 14.54)
*/
diff --git a/library/bignum_core.c b/library/bignum_core.c
index 1a3e0b9..4231554 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -746,8 +746,94 @@
}
}
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+// Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET
+int mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1;
+#endif
+
+/*
+ * This function calculates the indices of the exponent where the exponentiation algorithm should
+ * start processing.
+ *
+ * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
+ * this function is not constant time with respect to the exponent (parameter E).
+ */
+static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint *E,
+ size_t E_limbs,
+ int E_public,
+ size_t *E_limb_index,
+ size_t *E_bit_index)
+{
+ if (E_public == MBEDTLS_MPI_IS_PUBLIC) {
+ /*
+ * Skip leading zero bits.
+ */
+ size_t E_bits = mbedtls_mpi_core_bitlen(E, E_limbs);
+ if (E_bits == 0) {
+ /*
+ * If E is 0 mbedtls_mpi_core_bitlen() returns 0. Even if that is the case, we will want
+ * to represent it as a single 0 bit and as such the bitlength will be 1.
+ */
+ E_bits = 1;
+ }
+
+ *E_limb_index = E_bits / biL;
+ *E_bit_index = E_bits % biL;
+
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC;
+#endif
+ } else {
+ /*
+ * Here we need to be constant time with respect to E and can't do anything better than
+ * start at the first allocated bit.
+ */
+ *E_limb_index = E_limbs;
+ *E_bit_index = 0;
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ // Only mark the codepath safe if there wasn't an unsafe codepath before
+ if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) {
+ mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET;
+ }
+#endif
+ }
+}
+
+/*
+ * Warning! If the parameter window_public has MBEDTLS_MPI_IS_PUBLIC as its value, this function is
+ * not constant time with respect to the window parameter and consequently the exponent of the
+ * exponentiation (parameter E of mbedtls_mpi_core_exp_mod_optionally_safe).
+ */
+static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselect,
+ mbedtls_mpi_uint *Wtable,
+ size_t AN_limbs, size_t welem,
+ mbedtls_mpi_uint window,
+ int window_public)
+{
+ if (window_public == MBEDTLS_MPI_IS_PUBLIC) {
+ memcpy(Wselect, Wtable + window * AN_limbs, AN_limbs * ciL);
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC;
+#endif
+ } else {
+ /* Select Wtable[window] without leaking window through
+ * memory access patterns. */
+ mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable,
+ AN_limbs, welem, window);
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ // Only mark the codepath safe if there wasn't an unsafe codepath before
+ if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) {
+ mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET;
+ }
+#endif
+ }
+}
+
/* Exponentiation: X := A^E mod N.
*
+ * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
+ * this function is not constant time with respect to the exponent (parameter E).
+ *
* A must already be in Montgomery form.
*
* As in other bignum functions, assume that AN_limbs and E_limbs are nonzero.
@@ -758,16 +844,25 @@
* (The difference is that the body in our loop processes a single bit instead
* of a full window.)
*/
-void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- const mbedtls_mpi_uint *E,
- size_t E_limbs,
- const mbedtls_mpi_uint *RR,
- mbedtls_mpi_uint *T)
+static void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *E,
+ size_t E_limbs,
+ int E_public,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T)
{
- const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
+ /* We'll process the bits of E from most significant
+ * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
+ * (limb_index=0, E_bit_index=0). */
+ size_t E_limb_index;
+ size_t E_bit_index;
+ exp_mod_calc_first_bit_optionally_safe(E, E_limbs, E_public,
+ &E_limb_index, &E_bit_index);
+
+ const size_t wsize = exp_mod_get_window_size(E_limb_index * biL);
const size_t welem = ((size_t) 1) << wsize;
/* This is how we will use the temporary storage T, which must have space
@@ -786,7 +881,7 @@
const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N);
- /* Set Wtable[i] = A^(2^i) (in Montgomery representation) */
+ /* Set Wtable[i] = A^i (in Montgomery representation) */
exp_mod_precompute_window(A, N, AN_limbs,
mm, RR,
welem, Wtable, temp);
@@ -798,11 +893,6 @@
/* X = 1 (in Montgomery presentation) initially */
memcpy(X, Wtable, AN_limbs * ciL);
- /* We'll process the bits of E from most significant
- * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
- * (limb_index=0, E_bit_index=0). */
- size_t E_limb_index = E_limbs;
- size_t E_bit_index = 0;
/* At any given time, window contains window_bits bits from E.
* window_bits can go up to wsize. */
size_t window_bits = 0;
@@ -828,10 +918,9 @@
* when we've finished processing the exponent. */
if (window_bits == wsize ||
(E_bit_index == 0 && E_limb_index == 0)) {
- /* Select Wtable[window] without leaking window through
- * memory access patterns. */
- mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable,
- AN_limbs, welem, window);
+
+ exp_mod_table_lookup_optionally_safe(Wselect, Wtable, AN_limbs, welem,
+ window, E_public);
/* Multiply X by the selected element. */
mbedtls_mpi_core_montmul(X, X, Wselect, AN_limbs, N, AN_limbs, mm,
temp);
@@ -841,6 +930,42 @@
} while (!(E_bit_index == 0 && E_limb_index == 0));
}
+void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ const mbedtls_mpi_uint *E, size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T)
+{
+ mbedtls_mpi_core_exp_mod_optionally_safe(X,
+ A,
+ N,
+ AN_limbs,
+ E,
+ E_limbs,
+ MBEDTLS_MPI_IS_SECRET,
+ RR,
+ T);
+}
+
+void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ const mbedtls_mpi_uint *E, size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T)
+{
+ mbedtls_mpi_core_exp_mod_optionally_safe(X,
+ A,
+ N,
+ AN_limbs,
+ E,
+ E_limbs,
+ MBEDTLS_MPI_IS_PUBLIC,
+ RR,
+ T);
+}
+
mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
mbedtls_mpi_uint c, /* doubles as carry */
diff --git a/library/bignum_core.h b/library/bignum_core.h
index 92c8d47..cf6485a 100644
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
@@ -90,6 +90,27 @@
#define GET_BYTE(X, i) \
(((X)[(i) / ciL] >> (((i) % ciL) * 8)) & 0xff)
+/* Constants to identify whether a value is public or secret. If a parameter is marked as secret by
+ * this constant, the function must be constant time with respect to the parameter.
+ *
+ * This is only needed for functions with the _optionally_safe postfix. All other functions have
+ * fixed behavior that can't be changed at runtime and are constant time with respect to their
+ * parameters as prescribed by their documentation or by conventions in their module's documentation.
+ *
+ * Parameters should be named X_public where X is the name of the
+ * corresponding input parameter.
+ *
+ * Implementation should always check using
+ * if (X_public == MBEDTLS_MPI_IS_PUBLIC) {
+ * // unsafe path
+ * } else {
+ * // safe path
+ * }
+ * not the other way round, in order to prevent misuse. (This is, if a value
+ * other than the two below is passed, default to the safe path.) */
+#define MBEDTLS_MPI_IS_PUBLIC 0x2a2a2a2a
+#define MBEDTLS_MPI_IS_SECRET 0
+
/** Count leading zero bits in a given integer.
*
* \warning The result is undefined if \p a == 0
@@ -605,6 +626,42 @@
size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs);
/**
+ * \brief Perform a modular exponentiation with public or secret exponent:
+ * X = A^E mod N, where \p A is already in Montgomery form.
+ *
+ * \warning This function is not constant time with respect to \p E (the exponent).
+ *
+ * \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs ==
+ * \p AN_limbs.
+ *
+ * \param[out] X The destination MPI, as a little endian array of length
+ * \p AN_limbs.
+ * \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
+ * Must be in Montgomery form.
+ * \param[in] N The modulus, as a little endian array of length \p AN_limbs.
+ * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR.
+ * \param[in] E The exponent, as a little endian array of length \p E_limbs.
+ * \param E_limbs The number of limbs in \p E.
+ * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little
+ * endian array of length \p AN_limbs.
+ * \param[in,out] T Temporary storage of at least the number of limbs returned
+ * by `mbedtls_mpi_core_exp_mod_working_limbs()`.
+ * Its initial content is unused and its final content is
+ * indeterminate.
+ * It must not alias or otherwise overlap any of the other
+ * parameters.
+ * It is up to the caller to zeroize \p T when it is no
+ * longer needed, and before freeing it if it was dynamically
+ * allocated.
+ */
+void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ const mbedtls_mpi_uint *E, size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T);
+
+/**
* \brief Perform a modular exponentiation with secret exponent:
* X = A^E mod N, where \p A is already in Montgomery form.
*
@@ -760,4 +817,17 @@
mbedtls_mpi_uint mm,
mbedtls_mpi_uint *T);
+/*
+ * Can't define thread local variables with our abstraction layer: do nothing if threading is on.
+ */
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+extern int mbedtls_mpi_optionally_safe_codepath;
+
+static inline void mbedtls_mpi_optionally_safe_codepath_reset(void)
+{
+ // Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET
+ mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1;
+}
+#endif
+
#endif /* MBEDTLS_BIGNUM_CORE_H */
diff --git a/library/bignum_internal.h b/library/bignum_internal.h
new file mode 100644
index 0000000..aceaf55
--- /dev/null
+++ b/library/bignum_internal.h
@@ -0,0 +1,50 @@
+/**
+ * \file bignum_internal.h
+ *
+ * \brief Internal-only bignum public-key cryptosystem API.
+ *
+ * This file declares bignum-related functions that are to be used
+ * only from within the Mbed TLS library itself.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_BIGNUM_INTERNAL_H
+#define MBEDTLS_BIGNUM_INTERNAL_H
+
+/**
+ * \brief Perform a modular exponentiation: X = A^E mod N
+ *
+ * \warning This function is not constant time with respect to \p E (the exponent).
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * This must not alias E or N.
+ * \param A The base of the exponentiation.
+ * This must point to an initialized MPI.
+ * \param E The exponent MPI. This must point to an initialized MPI.
+ * \param N The base for the modular reduction. This must point to an
+ * initialized MPI.
+ * \param prec_RR A helper MPI depending solely on \p N which can be used to
+ * speed-up multiple modular exponentiations for the same value
+ * of \p N. This may be \c NULL. If it is not \c NULL, it must
+ * point to an initialized MPI. If it hasn't been used after
+ * the call to mbedtls_mpi_init(), this function will compute
+ * the helper value and store it in \p prec_RR for reuse on
+ * subsequent calls to this function. Otherwise, the function
+ * will assume that \p prec_RR holds the helper value set by a
+ * previous call to mbedtls_mpi_exp_mod(), and reuse it.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ * even, or if \c E is negative.
+ * \return Another negative error code on different kinds of failures.
+ *
+ */
+int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *E, const mbedtls_mpi *N,
+ mbedtls_mpi *prec_RR);
+
+#endif /* bignum_internal.h */
diff --git a/library/common.h b/library/common.h
index 3936ffd..7bb2674 100644
--- a/library/common.h
+++ b/library/common.h
@@ -352,17 +352,19 @@
#endif
/* Always provide a static assert macro, so it can be used unconditionally.
- * It will expand to nothing on some systems.
- * Can be used outside functions (but don't add a trailing ';' in that case:
- * the semicolon is included here to avoid triggering -Wextra-semi when
- * MBEDTLS_STATIC_ASSERT() expands to nothing).
- * Can't use the C11-style `defined(static_assert)` on FreeBSD, since it
+ * It does nothing on systems where we don't know how to define a static assert.
+ */
+/* Can't use the C11-style `defined(static_assert)` on FreeBSD, since it
* defines static_assert even with -std=c99, but then complains about it.
*/
#if defined(static_assert) && !defined(__FreeBSD__)
-#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg);
+#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg)
#else
-#define MBEDTLS_STATIC_ASSERT(expr, msg)
+/* Make sure `MBEDTLS_STATIC_ASSERT(expr, msg);` is valid both inside and
+ * outside a function. We choose a struct declaration, which can be repeated
+ * any number of times and does not need a matching definition. */
+#define MBEDTLS_STATIC_ASSERT(expr, msg) \
+ struct ISO_C_does_not_allow_extra_semicolon_outside_of_a_function
#endif
#if defined(__has_builtin)
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 66d9d28..b82044e 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -26,13 +26,13 @@
#endif
/* Using error translation functions from PSA to MbedTLS */
-#if !defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
#include "psa_util_internal.h"
#endif
#include "mbedtls/platform.h"
-#if !defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
static psa_status_t ctr_drbg_setup_psa_context(mbedtls_ctr_drbg_psa_context *psa_ctx,
unsigned char *key, size_t key_len)
{
@@ -73,11 +73,11 @@
void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx)
{
memset(ctx, 0, sizeof(mbedtls_ctr_drbg_context));
-#if defined(MBEDTLS_AES_C)
- mbedtls_aes_init(&ctx->aes_ctx);
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
ctx->psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT;
ctx->psa_ctx.operation = psa_cipher_operation_init();
+#else
+ mbedtls_aes_init(&ctx->aes_ctx);
#endif
/* Indicate that the entropy nonce length is not set explicitly.
* See mbedtls_ctr_drbg_set_nonce_len(). */
@@ -102,10 +102,10 @@
mbedtls_mutex_free(&ctx->mutex);
}
#endif
-#if defined(MBEDTLS_AES_C)
- mbedtls_aes_free(&ctx->aes_ctx);
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
ctr_drbg_destroy_psa_contex(&ctx->psa_ctx);
+#else
+ mbedtls_aes_free(&ctx->aes_ctx);
#endif
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ctr_drbg_context));
ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
@@ -168,15 +168,15 @@
unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
unsigned char *p, *iv;
int ret = 0;
-#if defined(MBEDTLS_AES_C)
- mbedtls_aes_context aes_ctx;
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
psa_status_t status;
size_t tmp_len;
mbedtls_ctr_drbg_psa_context psa_ctx;
psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_ctx.operation = psa_cipher_operation_init();
+#else
+ mbedtls_aes_context aes_ctx;
#endif
int i, j;
@@ -209,19 +209,19 @@
key[i] = i;
}
-#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
+ status = ctr_drbg_setup_psa_context(&psa_ctx, key, sizeof(key));
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#else
mbedtls_aes_init(&aes_ctx);
if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key,
MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
goto exit;
}
-#else
- status = ctr_drbg_setup_psa_context(&psa_ctx, key, sizeof(key));
- if (status != PSA_SUCCESS) {
- ret = psa_generic_status_to_mbedtls(status);
- goto exit;
- }
#endif
/*
@@ -238,18 +238,18 @@
use_len -= (use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE) ?
MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
-#if defined(MBEDTLS_AES_C)
- if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
- chain, chain)) != 0) {
- goto exit;
- }
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
status = psa_cipher_update(&psa_ctx.operation, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE,
chain, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
if (status != PSA_SUCCESS) {
ret = psa_generic_status_to_mbedtls(status);
goto exit;
}
+#else
+ if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
+ chain, chain)) != 0) {
+ goto exit;
+ }
#endif
}
@@ -264,12 +264,7 @@
/*
* Do final encryption with reduced data
*/
-#if defined(MBEDTLS_AES_C)
- if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp,
- MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
- goto exit;
- }
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
ctr_drbg_destroy_psa_contex(&psa_ctx);
status = ctr_drbg_setup_psa_context(&psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE);
@@ -277,32 +272,37 @@
ret = psa_generic_status_to_mbedtls(status);
goto exit;
}
+#else
+ if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ goto exit;
+ }
#endif
iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
p = output;
for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
-#if defined(MBEDTLS_AES_C)
- if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
- iv, iv)) != 0) {
- goto exit;
- }
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
status = psa_cipher_update(&psa_ctx.operation, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE,
iv, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
if (status != PSA_SUCCESS) {
ret = psa_generic_status_to_mbedtls(status);
goto exit;
}
+#else
+ if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
+ iv, iv)) != 0) {
+ goto exit;
+ }
#endif
memcpy(p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE);
p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
}
exit:
-#if defined(MBEDTLS_AES_C)
- mbedtls_aes_free(&aes_ctx);
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
ctr_drbg_destroy_psa_contex(&psa_ctx);
+#else
+ mbedtls_aes_free(&aes_ctx);
#endif
/*
* tidy up the stack
@@ -336,7 +336,7 @@
unsigned char *p = tmp;
int j;
int ret = 0;
-#if !defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
psa_status_t status;
size_t tmp_len;
#endif
@@ -352,18 +352,18 @@
/*
* Crypt counter block
*/
-#if defined(MBEDTLS_AES_C)
- if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
- ctx->counter, p)) != 0) {
- goto exit;
- }
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
status = psa_cipher_update(&ctx->psa_ctx.operation, ctx->counter, sizeof(ctx->counter),
p, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
if (status != PSA_SUCCESS) {
ret = psa_generic_status_to_mbedtls(status);
goto exit;
}
+#else
+ if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
+ ctx->counter, p)) != 0) {
+ goto exit;
+ }
#endif
p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
@@ -374,12 +374,7 @@
/*
* Update key and counter
*/
-#if defined(MBEDTLS_AES_C)
- if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp,
- MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
- goto exit;
- }
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
ctr_drbg_destroy_psa_contex(&ctx->psa_ctx);
status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE);
@@ -387,6 +382,11 @@
ret = psa_generic_status_to_mbedtls(status);
goto exit;
}
+#else
+ if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ goto exit;
+ }
#endif
memcpy(ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
MBEDTLS_CTR_DRBG_BLOCKSIZE);
@@ -564,12 +564,7 @@
good_nonce_len(ctx->entropy_len));
/* Initialize with an empty key. */
-#if defined(MBEDTLS_AES_C)
- if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key,
- MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
- return ret;
- }
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
psa_status_t status;
status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, key, MBEDTLS_CTR_DRBG_KEYSIZE);
@@ -577,6 +572,11 @@
ret = psa_generic_status_to_mbedtls(status);
return status;
}
+#else
+ if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ return ret;
+ }
#endif
/* Do the initial seeding. */
@@ -655,12 +655,7 @@
/*
* Crypt counter block
*/
-#if defined(MBEDTLS_AES_C)
- if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
- ctx->counter, locals.tmp)) != 0) {
- goto exit;
- }
-#else
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
psa_status_t status;
size_t tmp_len;
@@ -670,6 +665,11 @@
ret = psa_generic_status_to_mbedtls(status);
goto exit;
}
+#else
+ if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
+ ctx->counter, locals.tmp)) != 0) {
+ goto exit;
+ }
#endif
use_len = (output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 8100afc..c4f41db 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1210,15 +1210,15 @@
case PSA_SLOT_PENDING_DELETION:
/* In this state psa_wipe_key_slot() must only be called if the
* caller is the last reader. */
- if (slot->registered_readers != 1) {
- MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 1);
+ if (slot->var.occupied.registered_readers != 1) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 1);
status = PSA_ERROR_CORRUPTION_DETECTED;
}
break;
case PSA_SLOT_FILLING:
/* In this state registered_readers must be 0. */
- if (slot->registered_readers != 0) {
- MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 0);
+ if (slot->var.occupied.registered_readers != 0) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 0);
status = PSA_ERROR_CORRUPTION_DETECTED;
}
break;
@@ -1232,6 +1232,11 @@
status = PSA_ERROR_CORRUPTION_DETECTED;
}
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ size_t slice_index = slot->slice_index;
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+
/* Multipart operations may still be using the key. This is safe
* because all multipart operation objects are independent from
* the key slot: if they need to access the key after the setup
@@ -1242,6 +1247,17 @@
* zeroize because the metadata is not particularly sensitive.
* This memset also sets the slot's state to PSA_SLOT_EMPTY. */
memset(slot, 0, sizeof(*slot));
+
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ /* If the slot is already corrupted, something went deeply wrong,
+ * like a thread still using the slot or a stray pointer leading
+ * to the slot's memory being used for another object. Let the slot
+ * leak rather than make the corruption worse. */
+ if (status == PSA_SUCCESS) {
+ status = psa_free_key_slot(slice_index, slot);
+ }
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
return status;
}
@@ -1753,8 +1769,6 @@
psa_se_drv_table_entry_t **p_drv)
{
psa_status_t status;
- psa_key_id_t volatile_key_id;
- psa_key_slot_t *slot;
(void) method;
*p_drv = NULL;
@@ -1764,11 +1778,16 @@
return status;
}
+ int key_is_volatile = PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime);
+ psa_key_id_t volatile_key_id;
+
#if defined(MBEDTLS_THREADING_C)
PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
&mbedtls_threading_key_slot_mutex));
#endif
- status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
+ status = psa_reserve_free_key_slot(
+ key_is_volatile ? &volatile_key_id : NULL,
+ p_slot);
#if defined(MBEDTLS_THREADING_C)
PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
&mbedtls_threading_key_slot_mutex));
@@ -1776,7 +1795,7 @@
if (status != PSA_SUCCESS) {
return status;
}
- slot = *p_slot;
+ psa_key_slot_t *slot = *p_slot;
/* We're storing the declared bit-size of the key. It's up to each
* creation mechanism to verify that this information is correct.
@@ -1787,7 +1806,7 @@
* definition. */
slot->attr = *attributes;
- if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+ if (key_is_volatile) {
#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
slot->attr.id = volatile_key_id;
#else
@@ -2149,6 +2168,14 @@
return PSA_ERROR_NOT_SUPPORTED;
}
+ /* Not usable with volatile keys, even with an appropriate location,
+ * due to the API design.
+ * https://github.com/Mbed-TLS/mbedtls/issues/9253
+ */
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
&slot, &driver);
if (status != PSA_SUCCESS) {
@@ -6412,27 +6439,28 @@
return status;
}
-static const psa_key_production_parameters_t default_production_parameters =
- PSA_KEY_PRODUCTION_PARAMETERS_INIT;
+static const psa_custom_key_parameters_t default_custom_production =
+ PSA_CUSTOM_KEY_PARAMETERS_INIT;
-int psa_key_production_parameters_are_default(
- const psa_key_production_parameters_t *params,
- size_t params_data_length)
+int psa_custom_key_parameters_are_default(
+ const psa_custom_key_parameters_t *custom,
+ size_t custom_data_length)
{
- if (params->flags != 0) {
+ if (custom->flags != 0) {
return 0;
}
- if (params_data_length != 0) {
+ if (custom_data_length != 0) {
return 0;
}
return 1;
}
-psa_status_t psa_key_derivation_output_key_ext(
+psa_status_t psa_key_derivation_output_key_custom(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
- const psa_key_production_parameters_t *params,
- size_t params_data_length,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
mbedtls_svc_key_id_t *key)
{
psa_status_t status;
@@ -6447,7 +6475,8 @@
return PSA_ERROR_INVALID_ARGUMENT;
}
- if (!psa_key_production_parameters_are_default(params, params_data_length)) {
+ (void) custom_data; /* We only accept 0-length data */
+ if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
@@ -6482,14 +6511,29 @@
return status;
}
+psa_status_t psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ return psa_key_derivation_output_key_custom(
+ attributes, operation,
+ (const psa_custom_key_parameters_t *) params,
+ params->data, params_data_length,
+ key);
+}
+
psa_status_t psa_key_derivation_output_key(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
mbedtls_svc_key_id_t *key)
{
- return psa_key_derivation_output_key_ext(attributes, operation,
- &default_production_parameters, 0,
- key);
+ return psa_key_derivation_output_key_custom(attributes, operation,
+ &default_custom_production,
+ NULL, 0,
+ key);
}
@@ -7863,15 +7907,18 @@
psa_status_t psa_generate_key_internal(
const psa_key_attributes_t *attributes,
- const psa_key_production_parameters_t *params, size_t params_data_length,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_type_t type = attributes->type;
/* Only used for RSA */
- (void) params;
- (void) params_data_length;
+ (void) custom;
+ (void) custom_data;
+ (void) custom_data_length;
if (key_type_is_raw_bytes(type)) {
status = psa_generate_random_internal(key_buffer, key_buffer_size);
@@ -7889,7 +7936,7 @@
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
return mbedtls_psa_rsa_generate_key(attributes,
- params, params_data_length,
+ custom_data, custom_data_length,
key_buffer,
key_buffer_size,
key_buffer_length);
@@ -7921,10 +7968,11 @@
return PSA_SUCCESS;
}
-psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
- const psa_key_production_parameters_t *params,
- size_t params_data_length,
- mbedtls_svc_key_id_t *key)
+psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
+ mbedtls_svc_key_id_t *key)
{
psa_status_t status;
psa_key_slot_t *slot = NULL;
@@ -7946,12 +7994,12 @@
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
- if (params->flags != 0) {
+ if (custom->flags != 0) {
return PSA_ERROR_INVALID_ARGUMENT;
}
} else
#endif
- if (!psa_key_production_parameters_are_default(params, params_data_length)) {
+ if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
@@ -7992,7 +8040,8 @@
}
status = psa_driver_wrapper_generate_key(attributes,
- params, params_data_length,
+ custom,
+ custom_data, custom_data_length,
slot->key.data, slot->key.bytes,
&slot->key.bytes);
if (status != PSA_SUCCESS) {
@@ -8010,12 +8059,25 @@
return status;
}
+psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ return psa_generate_key_custom(
+ attributes,
+ (const psa_custom_key_parameters_t *) params,
+ params->data, params_data_length,
+ key);
+}
+
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
mbedtls_svc_key_id_t *key)
{
- return psa_generate_key_ext(attributes,
- &default_production_parameters, 0,
- key);
+ return psa_generate_key_custom(attributes,
+ &default_custom_production,
+ NULL, 0,
+ key);
}
/****************************************************************/
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 9462d2e..21e7559 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -59,6 +59,8 @@
* and metadata for one key.
*/
typedef struct {
+ /* This field is accessed in a lot of places. Putting it first
+ * reduces the code size. */
psa_key_attributes_t attr;
/*
@@ -78,35 +80,77 @@
* slots that are in a suitable state for the function.
* For example, psa_get_and_lock_key_slot_in_memory, which finds a slot
* containing a given key ID, will only check slots whose state variable is
- * PSA_SLOT_FULL. */
+ * PSA_SLOT_FULL.
+ */
psa_key_slot_state_t state;
- /*
- * Number of functions registered as reading the material in the key slot.
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ /* The index of the slice containing this slot.
+ * This field must be filled if the slot contains a key
+ * (including keys being created or destroyed), and can be either
+ * filled or 0 when the slot is free.
*
- * Library functions must not write directly to registered_readers
- *
- * A function must call psa_register_read(slot) before reading the current
- * contents of the slot for an operation.
- * They then must call psa_unregister_read(slot) once they have finished
- * reading the current contents of the slot. If the key slot mutex is not
- * held (when mutexes are enabled), this call must be done via a call to
- * psa_unregister_read_under_mutex(slot).
- * A function must call psa_key_slot_has_readers(slot) to check if
- * the slot is in use for reading.
- *
- * This counter is used to prevent resetting the key slot while the library
- * may access it. For example, such control is needed in the following
- * scenarios:
- * . In case of key slot starvation, all key slots contain the description
- * of a key, and the library asks for the description of a persistent
- * key not present in the key slots, the key slots currently accessed by
- * the library cannot be reclaimed to free a key slot to load the
- * persistent key.
- * . In case of a multi-threaded application where one thread asks to close
- * or purge or destroy a key while it is in use by the library through
- * another thread. */
- size_t registered_readers;
+ * In most cases, the slice index can be deduced from the key identifer.
+ * We keep it in a separate field for robustness (it reduces the chance
+ * that a coding mistake in the key store will result in accessing the
+ * wrong slice), and also so that it's available even on code paths
+ * during creation or destruction where the key identifier might not be
+ * filled in.
+ * */
+ uint8_t slice_index;
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+ union {
+ struct {
+ /* The index of the next slot in the free list for this
+ * slice, relative * to the next array element.
+ *
+ * That is, 0 means the next slot, 1 means the next slot
+ * but one, etc. -1 would mean the slot itself. -2 means
+ * the previous slot, etc.
+ *
+ * If this is beyond the array length, the free list ends with the
+ * current element.
+ *
+ * The reason for this strange encoding is that 0 means the next
+ * element. This way, when we allocate a slice and initialize it
+ * to all-zero, the slice is ready for use, with a free list that
+ * consists of all the slots in order.
+ */
+ int32_t next_free_relative_to_next;
+ } free;
+
+ struct {
+ /*
+ * Number of functions registered as reading the material in the key slot.
+ *
+ * Library functions must not write directly to registered_readers
+ *
+ * A function must call psa_register_read(slot) before reading
+ * the current contents of the slot for an operation.
+ * They then must call psa_unregister_read(slot) once they have
+ * finished reading the current contents of the slot. If the key
+ * slot mutex is not held (when mutexes are enabled), this call
+ * must be done via a call to
+ * psa_unregister_read_under_mutex(slot).
+ * A function must call psa_key_slot_has_readers(slot) to check if
+ * the slot is in use for reading.
+ *
+ * This counter is used to prevent resetting the key slot while
+ * the library may access it. For example, such control is needed
+ * in the following scenarios:
+ * . In case of key slot starvation, all key slots contain the
+ * description of a key, and the library asks for the
+ * description of a persistent key not present in the
+ * key slots, the key slots currently accessed by the
+ * library cannot be reclaimed to free a key slot to load
+ * the persistent key.
+ * . In case of a multi-threaded application where one thread
+ * asks to close or purge or destroy a key while it is in use
+ * by the library through another thread. */
+ size_t registered_readers;
+ } occupied;
+ } var;
/* Dynamically allocated key data buffer.
* Format as specified in psa_export_key(). */
@@ -169,7 +213,7 @@
*/
static inline int psa_key_slot_has_readers(const psa_key_slot_t *slot)
{
- return slot->registered_readers > 0;
+ return slot->var.occupied.registered_readers > 0;
}
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
@@ -343,17 +387,18 @@
const uint8_t *key_buffer, size_t key_buffer_size,
uint8_t *data, size_t data_size, size_t *data_length);
-/** Whether a key production parameters structure is the default.
+/** Whether a key custom production parameters structure is the default.
*
- * Calls to a key generation driver with non-default production parameters
+ * Calls to a key generation driver with non-default custom production parameters
* require a driver supporting custom production parameters.
*
- * \param[in] params The key production parameters to check.
- * \param params_data_length Size of `params->data` in bytes.
+ * \param[in] custom The key custom production parameters to check.
+ * \param custom_data_length Size of the associated variable-length data
+ * in bytes.
*/
-int psa_key_production_parameters_are_default(
- const psa_key_production_parameters_t *params,
- size_t params_data_length);
+int psa_custom_key_parameters_are_default(
+ const psa_custom_key_parameters_t *custom,
+ size_t custom_data_length);
/**
* \brief Generate a key.
@@ -362,9 +407,9 @@
* entry point.
*
* \param[in] attributes The attributes for the key to generate.
- * \param[in] params The production parameters from
- * psa_generate_key_ext().
- * \param params_data_length The size of `params->data` in bytes.
+ * \param[in] custom Custom parameters for the key generation.
+ * \param[in] custom_data Variable-length data associated with \c custom.
+ * \param custom_data_length Length of `custom_data` in bytes.
* \param[out] key_buffer Buffer where the key data is to be written.
* \param[in] key_buffer_size Size of \p key_buffer in bytes.
* \param[out] key_buffer_length On success, the number of bytes written in
@@ -379,8 +424,9 @@
* The size of \p key_buffer is too small.
*/
psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes,
- const psa_key_production_parameters_t *params,
- size_t params_data_length,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
uint8_t *key_buffer,
size_t key_buffer_size,
size_t *key_buffer_length);
diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h
index 533fb2e..5b51631 100644
--- a/library/psa_crypto_random_impl.h
+++ b/library/psa_crypto_random_impl.h
@@ -21,13 +21,10 @@
#include "mbedtls/entropy.h"
/* Choose a DRBG based on configuration and availability */
-#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
-
-#include "mbedtls/hmac_drbg.h"
-
-#elif defined(MBEDTLS_CTR_DRBG_C)
+#if defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/ctr_drbg.h"
+#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE
#elif defined(MBEDTLS_HMAC_DRBG_C)
@@ -49,17 +46,11 @@
#error "No hash algorithm available for HMAC_DBRG."
#endif
-#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+#else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
#error "No DRBG module available for the psa_crypto module."
-#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/ctr_drbg.h"
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-#include "mbedtls/hmac_drbg.h"
-#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */
#if defined(MBEDTLS_CTR_DRBG_C)
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
index 2f613b3..38dc3b8 100644
--- a/library/psa_crypto_rsa.c
+++ b/library/psa_crypto_rsa.c
@@ -197,16 +197,14 @@
status = mbedtls_psa_rsa_load_representation(
attributes->type, key_buffer, key_buffer_size, &rsa);
- if (status != PSA_SUCCESS) {
- return status;
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
+ rsa,
+ data,
+ data_size,
+ data_length);
}
- status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
- rsa,
- data,
- data_size,
- data_length);
-
mbedtls_rsa_free(rsa);
mbedtls_free(rsa);
@@ -241,7 +239,7 @@
psa_status_t mbedtls_psa_rsa_generate_key(
const psa_key_attributes_t *attributes,
- const psa_key_production_parameters_t *params, size_t params_data_length,
+ const uint8_t *custom_data, size_t custom_data_length,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
{
psa_status_t status;
@@ -249,8 +247,8 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int exponent = 65537;
- if (params_data_length != 0) {
- status = psa_rsa_read_exponent(params->data, params_data_length,
+ if (custom_data_length != 0) {
+ status = psa_rsa_read_exponent(custom_data, custom_data_length,
&exponent);
if (status != PSA_SUCCESS) {
return status;
@@ -264,6 +262,7 @@
(unsigned int) attributes->bits,
exponent);
if (ret != 0) {
+ mbedtls_rsa_free(&rsa);
return mbedtls_to_psa_error(ret);
}
@@ -330,7 +329,7 @@
key_buffer_size,
&rsa);
if (status != PSA_SUCCESS) {
- return status;
+ goto exit;
}
status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
diff --git a/library/psa_crypto_rsa.h b/library/psa_crypto_rsa.h
index ffeef26..1a78000 100644
--- a/library/psa_crypto_rsa.h
+++ b/library/psa_crypto_rsa.h
@@ -105,17 +105,11 @@
/**
* \brief Generate an RSA key.
*
- * \note The signature of the function is that of a PSA driver generate_key
- * entry point.
- *
* \param[in] attributes The attributes for the RSA key to generate.
- * \param[in] params Production parameters for the key
- * generation. This function only uses
- * `params->data`,
- * which contains the public exponent.
+ * \param[in] custom_data The public exponent to use.
* This can be a null pointer if
* \c params_data_length is 0.
- * \param params_data_length Length of `params->data` in bytes.
+ * \param custom_data_length Length of \p custom_data in bytes.
* This can be 0, in which case the
* public exponent will be 65537.
* \param[out] key_buffer Buffer where the key data is to be written.
@@ -132,7 +126,7 @@
*/
psa_status_t mbedtls_psa_rsa_generate_key(
const psa_key_attributes_t *attributes,
- const psa_key_production_parameters_t *params, size_t params_data_length,
+ const uint8_t *custom_data, size_t custom_data_length,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
/** Sign an already-calculated hash with an RSA private key.
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 9986a44..9850d8c 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -27,8 +27,166 @@
#include "mbedtls/threading.h"
#endif
+
+
+/* Make sure we have distinct ranges of key identifiers for distinct
+ * purposes. */
+MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_USER_MIN < PSA_KEY_ID_USER_MAX,
+ "Empty user key ID range");
+MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VENDOR_MIN < PSA_KEY_ID_VENDOR_MAX,
+ "Empty vendor key ID range");
+MBEDTLS_STATIC_ASSERT(MBEDTLS_PSA_KEY_ID_BUILTIN_MIN < MBEDTLS_PSA_KEY_ID_BUILTIN_MAX,
+ "Empty builtin key ID range");
+MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VOLATILE_MIN < PSA_KEY_ID_VOLATILE_MAX,
+ "Empty volatile key ID range");
+
+MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_USER_MAX < PSA_KEY_ID_VENDOR_MIN ||
+ PSA_KEY_ID_VENDOR_MAX < PSA_KEY_ID_USER_MIN,
+ "Overlap between user key IDs and vendor key IDs");
+
+MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VENDOR_MIN <= MBEDTLS_PSA_KEY_ID_BUILTIN_MIN &&
+ MBEDTLS_PSA_KEY_ID_BUILTIN_MAX <= PSA_KEY_ID_VENDOR_MAX,
+ "Builtin key identifiers are not in the vendor range");
+
+MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VENDOR_MIN <= PSA_KEY_ID_VOLATILE_MIN &&
+ PSA_KEY_ID_VOLATILE_MAX <= PSA_KEY_ID_VENDOR_MAX,
+ "Volatile key identifiers are not in the vendor range");
+
+MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VOLATILE_MAX < MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ||
+ MBEDTLS_PSA_KEY_ID_BUILTIN_MAX < PSA_KEY_ID_VOLATILE_MIN,
+ "Overlap between builtin key IDs and volatile key IDs");
+
+
+
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+
+/* Dynamic key store.
+ *
+ * The key store consists of multiple slices.
+ *
+ * The volatile keys are stored in variable-sized tables called slices.
+ * Slices are allocated on demand and deallocated when possible.
+ * The size of slices increases exponentially, so the average overhead
+ * (number of slots that are allocated but not used) is roughly
+ * proportional to the number of keys (with a factor that grows
+ * when the key store is fragmented).
+ *
+ * One slice is dedicated to the cache of persistent and built-in keys.
+ * For simplicity, they are separated from volatile keys. This cache
+ * slice has a fixed size and has the slice index KEY_SLOT_CACHE_SLICE_INDEX,
+ * located after the slices for volatile keys.
+ */
+
+/* Size of the last slice containing the cache of persistent and built-in keys. */
+#define PERSISTENT_KEY_CACHE_COUNT MBEDTLS_PSA_KEY_SLOT_COUNT
+
+/* Volatile keys are stored in slices 0 through
+ * (KEY_SLOT_VOLATILE_SLICE_COUNT - 1) inclusive.
+ * Each slice is twice the size of the previous slice.
+ * Volatile key identifiers encode the slice number as follows:
+ * bits 30..31: 0b10 (mandated by the PSA Crypto specification).
+ * bits 25..29: slice index (0...KEY_SLOT_VOLATILE_SLICE_COUNT-1)
+ * bits 0..24: slot index in slice
+ */
+#define KEY_ID_SLOT_INDEX_WIDTH 25u
+#define KEY_ID_SLICE_INDEX_WIDTH 5u
+
+#define KEY_SLOT_VOLATILE_SLICE_BASE_LENGTH 16u
+#define KEY_SLOT_VOLATILE_SLICE_COUNT 22u
+#define KEY_SLICE_COUNT (KEY_SLOT_VOLATILE_SLICE_COUNT + 1u)
+#define KEY_SLOT_CACHE_SLICE_INDEX KEY_SLOT_VOLATILE_SLICE_COUNT
+
+
+/* Check that the length of the largest slice (calculated as
+ * KEY_SLICE_LENGTH_MAX below) does not overflow size_t. We use
+ * an indirect method in case the calculation of KEY_SLICE_LENGTH_MAX
+ * itself overflows uintmax_t: if (BASE_LENGTH << c)
+ * overflows size_t then BASE_LENGTH > SIZE_MAX >> c.
+ */
+#if (KEY_SLOT_VOLATILE_SLICE_BASE_LENGTH > \
+ SIZE_MAX >> (KEY_SLOT_VOLATILE_SLICE_COUNT - 1))
+#error "Maximum slice length overflows size_t"
+#endif
+
+#if KEY_ID_SLICE_INDEX_WIDTH + KEY_ID_SLOT_INDEX_WIDTH > 30
+#error "Not enough room in volatile key IDs for slice index and slot index"
+#endif
+#if KEY_SLOT_VOLATILE_SLICE_COUNT > (1 << KEY_ID_SLICE_INDEX_WIDTH)
+#error "Too many slices to fit the slice index in a volatile key ID"
+#endif
+#define KEY_SLICE_LENGTH_MAX \
+ (KEY_SLOT_VOLATILE_SLICE_BASE_LENGTH << (KEY_SLOT_VOLATILE_SLICE_COUNT - 1))
+#if KEY_SLICE_LENGTH_MAX > 1 << KEY_ID_SLOT_INDEX_WIDTH
+#error "Not enough room in volatile key IDs for a slot index in the largest slice"
+#endif
+#if KEY_ID_SLICE_INDEX_WIDTH > 8
+#error "Slice index does not fit in uint8_t for psa_key_slot_t::slice_index"
+#endif
+
+
+/* Calculate the volatile key id to use for a given slot.
+ * This function assumes valid parameter values. */
+static psa_key_id_t volatile_key_id_of_index(size_t slice_idx,
+ size_t slot_idx)
+{
+ /* We assert above that the slice and slot indexes fit in separate
+ * bit-fields inside psa_key_id_t, which is a 32-bit type per the
+ * PSA Cryptography specification. */
+ return (psa_key_id_t) (0x40000000u |
+ (slice_idx << KEY_ID_SLOT_INDEX_WIDTH) |
+ slot_idx);
+}
+
+/* Calculate the slice containing the given volatile key.
+ * This function assumes valid parameter values. */
+static size_t slice_index_of_volatile_key_id(psa_key_id_t key_id)
+{
+ size_t mask = (1LU << KEY_ID_SLICE_INDEX_WIDTH) - 1;
+ return (key_id >> KEY_ID_SLOT_INDEX_WIDTH) & mask;
+}
+
+/* Calculate the index of the slot containing the given volatile key.
+ * This function assumes valid parameter values. */
+static size_t slot_index_of_volatile_key_id(psa_key_id_t key_id)
+{
+ return key_id & ((1LU << KEY_ID_SLOT_INDEX_WIDTH) - 1);
+}
+
+/* In global_data.first_free_slot_index, use this special value to
+ * indicate that the slice is full. */
+#define FREE_SLOT_INDEX_NONE ((size_t) -1)
+
+#if defined(MBEDTLS_TEST_HOOKS)
+size_t psa_key_slot_volatile_slice_count(void)
+{
+ return KEY_SLOT_VOLATILE_SLICE_COUNT;
+}
+#endif
+
+#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+/* Static key store.
+ *
+ * All the keys (volatile or persistent) are in a single slice.
+ * We only use slices as a concept to allow some differences between
+ * static and dynamic key store management to be buried in auxiliary
+ * functions.
+ */
+
+#define PERSISTENT_KEY_CACHE_COUNT MBEDTLS_PSA_KEY_SLOT_COUNT
+#define KEY_SLICE_COUNT 1u
+#define KEY_SLOT_CACHE_SLICE_INDEX 0
+
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+
typedef struct {
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ psa_key_slot_t *key_slices[KEY_SLICE_COUNT];
+ size_t first_free_slot_index[KEY_SLOT_VOLATILE_SLICE_COUNT];
+#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
uint8_t key_slots_initialized;
} psa_global_data_t;
@@ -51,6 +209,125 @@
return initialized;
}
+
+
+/** The length of the given slice in the key slot table.
+ *
+ * \param slice_idx The slice number. It must satisfy
+ * 0 <= slice_idx < KEY_SLICE_COUNT.
+ *
+ * \return The number of elements in the given slice.
+ */
+static inline size_t key_slice_length(size_t slice_idx);
+
+/** Get a pointer to the slot where the given volatile key is located.
+ *
+ * \param key_id The key identifier. It must be a valid volatile key
+ * identifier.
+ * \return A pointer to the only slot that the given key
+ * can be in. Note that the slot may be empty or
+ * contain a different key.
+ */
+static inline psa_key_slot_t *get_volatile_key_slot(psa_key_id_t key_id);
+
+/** Get a pointer to an entry in the persistent key cache.
+ *
+ * \param slot_idx The index in the table. It must satisfy
+ * 0 <= slot_idx < PERSISTENT_KEY_CACHE_COUNT.
+ * \return A pointer to the slot containing the given
+ * persistent key cache entry.
+ */
+static inline psa_key_slot_t *get_persistent_key_slot(size_t slot_idx);
+
+/** Get a pointer to a slot given by slice and index.
+ *
+ * \param slice_idx The slice number. It must satisfy
+ * 0 <= slice_idx < KEY_SLICE_COUNT.
+ * \param slot_idx An index in the given slice. It must satisfy
+ * 0 <= slot_idx < key_slice_length(slice_idx).
+ *
+ * \return A pointer to the given slot.
+ */
+static inline psa_key_slot_t *get_key_slot(size_t slice_idx, size_t slot_idx);
+
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+
+#if defined(MBEDTLS_TEST_HOOKS)
+size_t (*mbedtls_test_hook_psa_volatile_key_slice_length)(size_t slice_idx) = NULL;
+#endif
+
+static inline size_t key_slice_length(size_t slice_idx)
+{
+ if (slice_idx == KEY_SLOT_CACHE_SLICE_INDEX) {
+ return PERSISTENT_KEY_CACHE_COUNT;
+ } else {
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (mbedtls_test_hook_psa_volatile_key_slice_length != NULL) {
+ return mbedtls_test_hook_psa_volatile_key_slice_length(slice_idx);
+ }
+#endif
+ return KEY_SLOT_VOLATILE_SLICE_BASE_LENGTH << slice_idx;
+ }
+}
+
+static inline psa_key_slot_t *get_volatile_key_slot(psa_key_id_t key_id)
+{
+ size_t slice_idx = slice_index_of_volatile_key_id(key_id);
+ if (slice_idx >= KEY_SLOT_VOLATILE_SLICE_COUNT) {
+ return NULL;
+ }
+ size_t slot_idx = slot_index_of_volatile_key_id(key_id);
+ if (slot_idx >= key_slice_length(slice_idx)) {
+ return NULL;
+ }
+ psa_key_slot_t *slice = global_data.key_slices[slice_idx];
+ if (slice == NULL) {
+ return NULL;
+ }
+ return &slice[slot_idx];
+}
+
+static inline psa_key_slot_t *get_persistent_key_slot(size_t slot_idx)
+{
+ return &global_data.key_slices[KEY_SLOT_CACHE_SLICE_INDEX][slot_idx];
+}
+
+static inline psa_key_slot_t *get_key_slot(size_t slice_idx, size_t slot_idx)
+{
+ return &global_data.key_slices[slice_idx][slot_idx];
+}
+
+#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+static inline size_t key_slice_length(size_t slice_idx)
+{
+ (void) slice_idx;
+ return ARRAY_LENGTH(global_data.key_slots);
+}
+
+static inline psa_key_slot_t *get_volatile_key_slot(psa_key_id_t key_id)
+{
+ MBEDTLS_STATIC_ASSERT(ARRAY_LENGTH(global_data.key_slots) <=
+ PSA_KEY_ID_VOLATILE_MAX - PSA_KEY_ID_VOLATILE_MIN + 1,
+ "The key slot array is larger than the volatile key ID range");
+ return &global_data.key_slots[key_id - PSA_KEY_ID_VOLATILE_MIN];
+}
+
+static inline psa_key_slot_t *get_persistent_key_slot(size_t slot_idx)
+{
+ return &global_data.key_slots[slot_idx];
+}
+
+static inline psa_key_slot_t *get_key_slot(size_t slice_idx, size_t slot_idx)
+{
+ (void) slice_idx;
+ return &global_data.key_slots[slot_idx];
+}
+
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+
+
int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok)
{
psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
@@ -112,12 +389,13 @@
psa_key_slot_t *slot = NULL;
if (psa_key_id_is_volatile(key_id)) {
- slot = &global_data.key_slots[key_id - PSA_KEY_ID_VOLATILE_MIN];
+ slot = get_volatile_key_slot(key_id);
/* Check if both the PSA key identifier key_id and the owner
* identifier of key match those of the key slot. */
- if ((slot->state == PSA_SLOT_FULL) &&
- (mbedtls_svc_key_id_equal(key, slot->attr.id))) {
+ if (slot != NULL &&
+ slot->state == PSA_SLOT_FULL &&
+ mbedtls_svc_key_id_equal(key, slot->attr.id)) {
status = PSA_SUCCESS;
} else {
status = PSA_ERROR_DOES_NOT_EXIST;
@@ -127,8 +405,8 @@
return PSA_ERROR_INVALID_HANDLE;
}
- for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
- slot = &global_data.key_slots[slot_idx];
+ for (slot_idx = 0; slot_idx < PERSISTENT_KEY_CACHE_COUNT; slot_idx++) {
+ slot = get_persistent_key_slot(slot_idx);
/* Only consider slots which are in a full state. */
if ((slot->state == PSA_SLOT_FULL) &&
(mbedtls_svc_key_id_equal(key, slot->attr.id))) {
@@ -151,29 +429,169 @@
psa_status_t psa_initialize_key_slots(void)
{
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ global_data.key_slices[KEY_SLOT_CACHE_SLICE_INDEX] =
+ mbedtls_calloc(PERSISTENT_KEY_CACHE_COUNT,
+ sizeof(*global_data.key_slices[KEY_SLOT_CACHE_SLICE_INDEX]));
+ if (global_data.key_slices[KEY_SLOT_CACHE_SLICE_INDEX] == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
/* Nothing to do: program startup and psa_wipe_all_key_slots() both
* guarantee that the key slots are initialized to all-zero, which
* means that all the key slots are in a valid, empty state. The global
* data mutex is already held when calling this function, so no need to
* lock it here, to set the flag. */
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
global_data.key_slots_initialized = 1;
return PSA_SUCCESS;
}
void psa_wipe_all_key_slots(void)
{
- size_t slot_idx;
-
- for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
- psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
- slot->registered_readers = 1;
- slot->state = PSA_SLOT_PENDING_DELETION;
- (void) psa_wipe_key_slot(slot);
+ for (size_t slice_idx = 0; slice_idx < KEY_SLICE_COUNT; slice_idx++) {
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ if (global_data.key_slices[slice_idx] == NULL) {
+ continue;
+ }
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+ for (size_t slot_idx = 0; slot_idx < key_slice_length(slice_idx); slot_idx++) {
+ psa_key_slot_t *slot = get_key_slot(slice_idx, slot_idx);
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ /* When MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled, calling
+ * psa_wipe_key_slot() on an unused slot is useless, but it
+ * happens to work (because we flip the state to PENDING_DELETION).
+ *
+ * When MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
+ * psa_wipe_key_slot() needs to have a valid slice_index
+ * field, but that value might not be correct in a
+ * free slot, so we must not call it.
+ *
+ * Bypass the call to psa_wipe_key_slot() if the slot is empty,
+ * but only if MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, to save
+ * a few bytes of code size otherwise.
+ */
+ if (slot->state == PSA_SLOT_EMPTY) {
+ continue;
+ }
+#endif
+ slot->var.occupied.registered_readers = 1;
+ slot->state = PSA_SLOT_PENDING_DELETION;
+ (void) psa_wipe_key_slot(slot);
+ }
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ mbedtls_free(global_data.key_slices[slice_idx]);
+ global_data.key_slices[slice_idx] = NULL;
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
}
+
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ for (size_t slice_idx = 0; slice_idx < KEY_SLOT_VOLATILE_SLICE_COUNT; slice_idx++) {
+ global_data.first_free_slot_index[slice_idx] = 0;
+ }
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
/* The global data mutex is already held when calling this function. */
global_data.key_slots_initialized = 0;
}
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+
+static psa_status_t psa_allocate_volatile_key_slot(psa_key_id_t *key_id,
+ psa_key_slot_t **p_slot)
+{
+ size_t slice_idx;
+ for (slice_idx = 0; slice_idx < KEY_SLOT_VOLATILE_SLICE_COUNT; slice_idx++) {
+ if (global_data.first_free_slot_index[slice_idx] != FREE_SLOT_INDEX_NONE) {
+ break;
+ }
+ }
+ if (slice_idx == KEY_SLOT_VOLATILE_SLICE_COUNT) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ if (global_data.key_slices[slice_idx] == NULL) {
+ global_data.key_slices[slice_idx] =
+ mbedtls_calloc(key_slice_length(slice_idx),
+ sizeof(psa_key_slot_t));
+ if (global_data.key_slices[slice_idx] == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ }
+ psa_key_slot_t *slice = global_data.key_slices[slice_idx];
+
+ size_t slot_idx = global_data.first_free_slot_index[slice_idx];
+ *key_id = volatile_key_id_of_index(slice_idx, slot_idx);
+
+ psa_key_slot_t *slot = &slice[slot_idx];
+ size_t next_free = slot_idx + 1 + slot->var.free.next_free_relative_to_next;
+ if (next_free >= key_slice_length(slice_idx)) {
+ next_free = FREE_SLOT_INDEX_NONE;
+ }
+ global_data.first_free_slot_index[slice_idx] = next_free;
+ /* The .next_free field is not meaningful when the slot is not free,
+ * so give it the same content as freshly initialized memory. */
+ slot->var.free.next_free_relative_to_next = 0;
+
+ psa_status_t status = psa_key_slot_state_transition(slot,
+ PSA_SLOT_EMPTY,
+ PSA_SLOT_FILLING);
+ if (status != PSA_SUCCESS) {
+ /* The only reason for failure is if the slot state was not empty.
+ * This indicates that something has gone horribly wrong.
+ * In this case, we leave the slot out of the free list, and stop
+ * modifying it. This minimizes any further corruption. The slot
+ * is a memory leak, but that's a lesser evil. */
+ return status;
+ }
+
+ *p_slot = slot;
+ /* We assert at compile time that the slice index fits in uint8_t. */
+ slot->slice_index = (uint8_t) slice_idx;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_free_key_slot(size_t slice_idx,
+ psa_key_slot_t *slot)
+{
+
+ if (slice_idx == KEY_SLOT_CACHE_SLICE_INDEX) {
+ /* This is a cache entry. We don't maintain a free list, so
+ * there's nothing to do. */
+ return PSA_SUCCESS;
+ }
+ if (slice_idx >= KEY_SLOT_VOLATILE_SLICE_COUNT) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ psa_key_slot_t *slice = global_data.key_slices[slice_idx];
+ psa_key_slot_t *slice_end = slice + key_slice_length(slice_idx);
+ if (slot < slice || slot >= slice_end) {
+ /* The slot isn't actually in the slice! We can't detect that
+ * condition for sure, because the pointer comparison itself is
+ * undefined behavior in that case. That same condition makes the
+ * subtraction to calculate the slot index also UB.
+ * Give up now to avoid causing further corruption.
+ */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ size_t slot_idx = slot - slice;
+
+ size_t next_free = global_data.first_free_slot_index[slice_idx];
+ if (next_free >= key_slice_length(slice_idx)) {
+ /* The slot was full. The newly freed slot thus becomes the
+ * end of the free list. */
+ next_free = key_slice_length(slice_idx);
+ }
+ global_data.first_free_slot_index[slice_idx] = slot_idx;
+ slot->var.free.next_free_relative_to_next =
+ (int32_t) next_free - (int32_t) slot_idx - 1;
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
psa_key_slot_t **p_slot)
{
@@ -186,9 +604,19 @@
goto error;
}
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ if (volatile_key_id != NULL) {
+ return psa_allocate_volatile_key_slot(volatile_key_id, p_slot);
+ }
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+ /* With a dynamic key store, allocate an entry in the cache slice,
+ * applicable only to non-volatile keys that get cached in RAM.
+ * With a static key store, allocate an entry in the sole slice,
+ * applicable to all keys. */
selected_slot = unused_persistent_key_slot = NULL;
- for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
- psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
+ for (slot_idx = 0; slot_idx < PERSISTENT_KEY_CACHE_COUNT; slot_idx++) {
+ psa_key_slot_t *slot = get_key_slot(KEY_SLOT_CACHE_SLICE_INDEX, slot_idx);
if (slot->state == PSA_SLOT_EMPTY) {
selected_slot = slot;
break;
@@ -226,8 +654,18 @@
goto error;
}
- *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN +
- ((psa_key_id_t) (selected_slot - global_data.key_slots));
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ selected_slot->slice_index = KEY_SLOT_CACHE_SLICE_INDEX;
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+#if !defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ if (volatile_key_id != NULL) {
+ /* Refresh slot_idx, for when the slot is not the original
+ * selected_slot but rather unused_persistent_key_slot. */
+ slot_idx = selected_slot - global_data.key_slots;
+ *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + slot_idx;
+ }
+#endif
*p_slot = selected_slot;
return PSA_SUCCESS;
@@ -236,7 +674,6 @@
error:
*p_slot = NULL;
- *volatile_key_id = 0;
return status;
}
@@ -395,9 +832,8 @@
/* Loading keys from storage requires support for such a mechanism */
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
- psa_key_id_t volatile_key_id;
- status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
+ status = psa_reserve_free_key_slot(NULL, p_slot);
if (status != PSA_SUCCESS) {
#if defined(MBEDTLS_THREADING_C)
PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
@@ -465,12 +901,12 @@
/* If we are the last reader and the slot is marked for deletion,
* we must wipe the slot here. */
if ((slot->state == PSA_SLOT_PENDING_DELETION) &&
- (slot->registered_readers == 1)) {
+ (slot->var.occupied.registered_readers == 1)) {
return psa_wipe_key_slot(slot);
}
if (psa_key_slot_has_readers(slot)) {
- slot->registered_readers--;
+ slot->var.occupied.registered_readers--;
return PSA_SUCCESS;
}
@@ -604,7 +1040,7 @@
return status;
}
- if (slot->registered_readers == 1) {
+ if (slot->var.occupied.registered_readers == 1) {
status = psa_wipe_key_slot(slot);
} else {
status = psa_unregister_read(slot);
@@ -639,7 +1075,7 @@
}
if ((!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
- (slot->registered_readers == 1)) {
+ (slot->var.occupied.registered_readers == 1)) {
status = psa_wipe_key_slot(slot);
} else {
status = psa_unregister_read(slot);
@@ -654,34 +1090,39 @@
void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats)
{
- size_t slot_idx;
-
memset(stats, 0, sizeof(*stats));
- for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
- const psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
- if (psa_key_slot_has_readers(slot)) {
- ++stats->locked_slots;
- }
- if (slot->state == PSA_SLOT_EMPTY) {
- ++stats->empty_slots;
+ for (size_t slice_idx = 0; slice_idx < KEY_SLICE_COUNT; slice_idx++) {
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ if (global_data.key_slices[slice_idx] == NULL) {
continue;
}
- if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
- ++stats->volatile_slots;
- } else {
- psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
- ++stats->persistent_slots;
- if (id > stats->max_open_internal_key_id) {
- stats->max_open_internal_key_id = id;
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+ for (size_t slot_idx = 0; slot_idx < key_slice_length(slice_idx); slot_idx++) {
+ const psa_key_slot_t *slot = get_key_slot(slice_idx, slot_idx);
+ if (slot->state == PSA_SLOT_EMPTY) {
+ ++stats->empty_slots;
+ continue;
}
- }
- if (PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime) !=
- PSA_KEY_LOCATION_LOCAL_STORAGE) {
- psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
- ++stats->external_slots;
- if (id > stats->max_open_external_key_id) {
- stats->max_open_external_key_id = id;
+ if (psa_key_slot_has_readers(slot)) {
+ ++stats->locked_slots;
+ }
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+ ++stats->volatile_slots;
+ } else {
+ psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
+ ++stats->persistent_slots;
+ if (id > stats->max_open_internal_key_id) {
+ stats->max_open_internal_key_id = id;
+ }
+ }
+ if (PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime) !=
+ PSA_KEY_LOCATION_LOCAL_STORAGE) {
+ psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
+ ++stats->external_slots;
+ if (id > stats->max_open_external_key_id) {
+ stats->max_open_external_key_id = id;
+ }
}
}
}
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
index a84be7d..af1208e 100644
--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@@ -15,20 +15,26 @@
/** Range of volatile key identifiers.
*
- * The last #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation
+ * The first #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation
* range of key identifiers are reserved for volatile key identifiers.
- * A volatile key identifier is equal to #PSA_KEY_ID_VOLATILE_MIN plus the
- * index of the key slot containing the volatile key definition.
+ *
+ * If \c id is a a volatile key identifier, #PSA_KEY_ID_VOLATILE_MIN - \c id
+ * indicates the key slot containing the volatile key definition. See
+ * psa_crypto_slot_management.c for details.
*/
/** The minimum value for a volatile key identifier.
*/
-#define PSA_KEY_ID_VOLATILE_MIN (PSA_KEY_ID_VENDOR_MAX - \
- MBEDTLS_PSA_KEY_SLOT_COUNT + 1)
+#define PSA_KEY_ID_VOLATILE_MIN PSA_KEY_ID_VENDOR_MIN
/** The maximum value for a volatile key identifier.
*/
-#define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+#define PSA_KEY_ID_VOLATILE_MAX (MBEDTLS_PSA_KEY_ID_BUILTIN_MIN - 1)
+#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+#define PSA_KEY_ID_VOLATILE_MAX \
+ (PSA_KEY_ID_VOLATILE_MIN + MBEDTLS_PSA_KEY_SLOT_COUNT - 1)
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
/** Test whether a key identifier is a volatile key identifier.
*
@@ -94,6 +100,24 @@
*/
psa_status_t psa_initialize_key_slots(void);
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+/* Allow test code to customize the key slice length. We use this in tests
+ * that exhaust the key store to reach a full key store in reasonable time
+ * and memory.
+ *
+ * The length of each slice must be between 1 and
+ * (1 << KEY_ID_SLOT_INDEX_WIDTH) inclusive.
+ *
+ * The length for a given slice index must not change while
+ * the key store is initialized.
+ */
+extern size_t (*mbedtls_test_hook_psa_volatile_key_slice_length)(
+ size_t slice_idx);
+
+/* The number of volatile key slices. */
+size_t psa_key_slot_volatile_slice_count(void);
+#endif
+
/** Delete all data from key slots in memory.
* This function is not thread safe, it wipes every key slot regardless of
* state and reader count. It should only be called when no slot is in use.
@@ -113,13 +137,22 @@
* If multi-threading is enabled, the caller must hold the
* global key slot mutex.
*
- * \param[out] volatile_key_id On success, volatile key identifier
- * associated to the returned slot.
+ * \param[out] volatile_key_id - If null, reserve a cache slot for
+ * a persistent or built-in key.
+ * - If non-null, allocate a slot for
+ * a volatile key. On success,
+ * \p *volatile_key_id is the
+ * identifier corresponding to the
+ * returned slot. It is the caller's
+ * responsibility to set this key identifier
+ * in the attributes.
* \param[out] p_slot On success, a pointer to the slot.
*
* \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* There were no free key slots.
+ * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, there was not
+ * enough memory to allocate more slots.
* \retval #PSA_ERROR_BAD_STATE \emptydescription
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* This function attempted to operate on a key slot which was in an
@@ -128,6 +161,29 @@
psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
psa_key_slot_t **p_slot);
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+/** Return a key slot to the free list.
+ *
+ * Call this function when a slot obtained from psa_reserve_free_key_slot()
+ * is no longer in use.
+ *
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param slice_idx The slice containing the slot.
+ * This is `slot->slice_index` when the slot
+ * is obtained from psa_reserve_free_key_slot().
+ * \param slot The key slot.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * This function attempted to operate on a key slot which was in an
+ * unexpected state.
+ */
+psa_status_t psa_free_key_slot(size_t slice_idx,
+ psa_key_slot_t *slot);
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
/** Change the state of a key slot.
*
* This function changes the state of the key slot from expected_state to
@@ -174,10 +230,10 @@
static inline psa_status_t psa_register_read(psa_key_slot_t *slot)
{
if ((slot->state != PSA_SLOT_FULL) ||
- (slot->registered_readers >= SIZE_MAX)) {
+ (slot->var.occupied.registered_readers >= SIZE_MAX)) {
return PSA_ERROR_CORRUPTION_DETECTED;
}
- slot->registered_readers++;
+ slot->var.occupied.registered_readers++;
return PSA_SUCCESS;
}
diff --git a/library/psa_util.c b/library/psa_util.c
index 4ccc5b0..679d00e 100644
--- a/library/psa_util.c
+++ b/library/psa_util.c
@@ -443,6 +443,9 @@
if (raw_len != (2 * coordinate_len)) {
return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
+ if (coordinate_len > sizeof(r)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
/* Since raw and der buffers might overlap, dump r and s before starting
* the conversion. */
@@ -561,6 +564,9 @@
if (raw_size < coordinate_size * 2) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
+ if (2 * coordinate_size > sizeof(raw_tmp)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
/* Check that the provided input DER buffer has the right header. */
ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len,
diff --git a/library/rsa.c b/library/rsa.c
index 7eb4a25..557faaf 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -29,6 +29,7 @@
#include "mbedtls/rsa.h"
#include "bignum_core.h"
+#include "bignum_internal.h"
#include "rsa_alt_helpers.h"
#include "rsa_internal.h"
#include "mbedtls/oid.h"
@@ -1259,7 +1260,7 @@
}
olen = ctx->len;
- MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod_unsafe(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
cleanup:
diff --git a/library/sha256.c b/library/sha256.c
index 8b2c345..159accc 100644
--- a/library/sha256.c
+++ b/library/sha256.c
@@ -152,7 +152,9 @@
return 1;
}
#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
+#endif
#include <Windows.h>
#include <processthreadsapi.h>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a8807f6..9866879 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1507,7 +1507,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-#if defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
#endif
@@ -1674,18 +1674,53 @@
}
/*
- * Check usage of a certificate wrt extensions:
- * keyUsage, extendedKeyUsage (later), and nSCertType (later).
+ * Verify a certificate.
*
- * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
- * check a cert we received from them)!
+ * [in/out] ssl: misc. things read
+ * ssl->session_negotiate->verify_result updated
+ * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED}
+ * [in] chain: the certificate chain to verify (ie the peer's chain)
+ * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite;
+ * for TLS 1.3, may be left NULL.
+ * [in] rs_ctx: restart context if restartable ECC is in use;
+ * leave NULL for no restartable behaviour.
+ *
+ * Return:
+ * - 0 if the handshake should continue. Depending on the
+ * authmode it means:
+ * - REQUIRED: the certificate was found to be valid, trusted & acceptable.
+ * ssl->session_negotiate->verify_result is 0.
+ * - OPTIONAL: the certificate may or may not be acceptable, but
+ * ssl->session_negotiate->verify_result was updated with the result.
+ * - NONE: the certificate wasn't even checked.
+ * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if
+ * the certificate was found to be invalid/untrusted/unacceptable and the
+ * handshake should be aborted (can only happen with REQUIRED).
+ * - another error code if another error happened (out-of-memory, etc.)
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
+ int authmode,
+ mbedtls_x509_crt *chain,
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
+ void *rs_ctx);
+
+/*
+ * Check usage of a certificate wrt usage extensions:
+ * keyUsage and extendedKeyUsage.
+ * (Note: nSCertType is deprecated and not standard, we don't check it.)
+ *
+ * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL.
+ *
+ * Note: recv_endpoint is the receiver's endpoint.
*
* Return 0 if everything is OK, -1 if not.
*/
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
- int cert_endpoint,
+ int recv_endpoint,
+ mbedtls_ssl_protocol_version tls_version,
uint32_t *flags);
#endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -1891,6 +1926,26 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+/** \brief Initialize the PSA crypto subsystem if necessary.
+ *
+ * Call this function before doing any cryptography in a TLS 1.3 handshake.
+ *
+ * This is necessary in Mbed TLS 3.x for backward compatibility.
+ * Up to Mbed TLS 3.5, in the default configuration, you could perform
+ * a TLS connection with default parameters without having called
+ * psa_crypto_init(), since the TLS layer only supported TLS 1.2 and
+ * did not use PSA crypto. (TLS 1.2 only uses PSA crypto if
+ * MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default
+ * configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled
+ * by default, and the TLS 1.3 layer uses PSA crypto. This means that
+ * applications that are not otherwise using PSA crypto and that worked
+ * with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to
+ * a peer that supports TLS 1.3. See
+ * https://github.com/Mbed-TLS/mbedtls/issues/9072
+ */
+int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl);
+
extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
MBEDTLS_SERVER_HELLO_RANDOM_LEN];
MBEDTLS_CHECK_RETURN_CRITICAL
@@ -2914,8 +2969,37 @@
{
session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
}
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1
+
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \
+ (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT)
+#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
+ (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
+
+static inline int mbedtls_ssl_conf_get_session_tickets(
+ const mbedtls_ssl_config *conf)
+{
+ return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ?
+ MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
+ MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(
+ const mbedtls_ssl_config *conf)
+{
+ return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ?
+ MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED :
+ MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
#endif
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 2bdad84..ef722d7 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5595,13 +5595,19 @@
if (ssl_tls13_is_new_session_ticket(ssl)) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
- ssl->keep_current_message = 1;
+ if (mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(ssl->conf) ==
+ MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED) {
+ ssl->keep_current_message = 1;
- mbedtls_ssl_handshake_set_state(ssl,
- MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
- return MBEDTLS_ERR_SSL_WANT_READ;
+ mbedtls_ssl_handshake_set_state(ssl,
+ MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring NewSessionTicket, handling disabled."));
+ return 0;
+ }
#else
- MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, not supported."));
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring NewSessionTicket, not supported."));
return 0;
#endif
}
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d6077a2..c773365 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1354,29 +1354,6 @@
return ret;
}
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- /* RFC 8446 section 4.4.3
- *
- * If the verification fails, the receiver MUST terminate the handshake with
- * a "decrypt_error" alert.
- *
- * If the client is configured as TLS 1.3 only with optional verify, return
- * bad config.
- *
- */
- if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
- (mbedtls_ssl_context *) ssl) &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
- ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
- ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
- MBEDTLS_SSL_DEBUG_MSG(
- 1, ("Optional verify auth mode "
- "is not available for TLS 1.3 client"));
- return MBEDTLS_ERR_SSL_BAD_CONFIG;
- }
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
if (ssl->conf->f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
return MBEDTLS_ERR_SSL_NO_RNG;
@@ -3009,11 +2986,24 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_CLI_C)
+
void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
{
- conf->session_tickets = use_tickets;
+ conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
+ conf->session_tickets |= (use_tickets != 0) <<
+ MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
}
-#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
+ mbedtls_ssl_config *conf, int signal_new_session_tickets)
+{
+ conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
+ conf->session_tickets |= (signal_new_session_tickets != 0) <<
+ MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C)
@@ -5878,7 +5868,33 @@
if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+ mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message
+ * handling is disabled by default in Mbed TLS 3.6.x for backward
+ * compatibility with client applications developed using Mbed TLS 3.5
+ * or earlier with the default configuration.
+ *
+ * Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was
+ * disabled, and a Mbed TLS client with the default configuration would
+ * establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable
+ * server.
+ *
+ * Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus
+ * an Mbed TLS client with the default configuration establishes a
+ * TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If
+ * following the handshake the TLS 1.3 server sends NewSessionTicket
+ * messages and the Mbed TLS client processes them, this results in
+ * Mbed TLS high level APIs (mbedtls_ssl_read(),
+ * mbedtls_ssl_handshake(), ...) to eventually return an
+ * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code
+ * (see the documentation of mbedtls_ssl_read() for more information on
+ * that error code). Applications unaware of that TLS 1.3 specific non
+ * fatal error code are then failing.
+ */
+ mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
+ conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED);
+#endif
#endif
}
#endif
@@ -6358,71 +6374,6 @@
}
#endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
- const mbedtls_ssl_ciphersuite_t *ciphersuite,
- int cert_endpoint,
- uint32_t *flags)
-{
- int ret = 0;
- unsigned int usage = 0;
- const char *ext_oid;
- size_t ext_len;
-
- if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
- /* Server part of the key exchange */
- switch (ciphersuite->key_exchange) {
- case MBEDTLS_KEY_EXCHANGE_RSA:
- case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
- usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
- break;
-
- case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
- usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
- break;
-
- case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
- case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
- usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
- break;
-
- /* Don't use default: we want warnings when adding new values */
- case MBEDTLS_KEY_EXCHANGE_NONE:
- case MBEDTLS_KEY_EXCHANGE_PSK:
- case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
- case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
- usage = 0;
- }
- } else {
- /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
- usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
- }
-
- if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
- *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
- ret = -1;
- }
-
- if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
- ext_oid = MBEDTLS_OID_SERVER_AUTH;
- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
- } else {
- ext_oid = MBEDTLS_OID_CLIENT_AUTH;
- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
- }
-
- if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
- *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
- ret = -1;
- }
-
- return ret;
-}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
const mbedtls_md_type_t md,
@@ -7941,196 +7892,6 @@
return SSL_CERTIFICATE_EXPECTED;
}
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
- int authmode,
- mbedtls_x509_crt *chain,
- void *rs_ctx)
-{
- int ret = 0;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
- ssl->handshake->ciphersuite_info;
- int have_ca_chain = 0;
-
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
- void *p_vrfy;
-
- if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
- return 0;
- }
-
- if (ssl->f_vrfy != NULL) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
- f_vrfy = ssl->f_vrfy;
- p_vrfy = ssl->p_vrfy;
- } else {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
- f_vrfy = ssl->conf->f_vrfy;
- p_vrfy = ssl->conf->p_vrfy;
- }
-
- /*
- * Main check: verify certificate
- */
-#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
- if (ssl->conf->f_ca_cb != NULL) {
- ((void) rs_ctx);
- have_ca_chain = 1;
-
- MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
- ret = mbedtls_x509_crt_verify_with_ca_cb(
- chain,
- ssl->conf->f_ca_cb,
- ssl->conf->p_ca_cb,
- ssl->conf->cert_profile,
- ssl->hostname,
- &ssl->session_negotiate->verify_result,
- f_vrfy, p_vrfy);
- } else
-#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
- {
- mbedtls_x509_crt *ca_chain;
- mbedtls_x509_crl *ca_crl;
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- if (ssl->handshake->sni_ca_chain != NULL) {
- ca_chain = ssl->handshake->sni_ca_chain;
- ca_crl = ssl->handshake->sni_ca_crl;
- } else
-#endif
- {
- ca_chain = ssl->conf->ca_chain;
- ca_crl = ssl->conf->ca_crl;
- }
-
- if (ca_chain != NULL) {
- have_ca_chain = 1;
- }
-
- ret = mbedtls_x509_crt_verify_restartable(
- chain,
- ca_chain, ca_crl,
- ssl->conf->cert_profile,
- ssl->hostname,
- &ssl->session_negotiate->verify_result,
- f_vrfy, p_vrfy, rs_ctx);
- }
-
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
- }
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
- if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
- return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
- }
-#endif
-
- /*
- * Secondary checks: always done, but change 'ret' only if it was 0
- */
-
-#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
- {
- const mbedtls_pk_context *pk = &chain->pk;
-
- /* If certificate uses an EC key, make sure the curve is OK.
- * This is a public key, so it can't be opaque, so can_do() is a good
- * enough check to ensure pk_ec() is safe to use here. */
- if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
- /* and in the unlikely case the above assumption no longer holds
- * we are making sure that pk_ec() here does not return a NULL
- */
- mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
- if (grp_id == MBEDTLS_ECP_DP_NONE) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID"));
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
- if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
- ssl->session_negotiate->verify_result |=
- MBEDTLS_X509_BADCERT_BAD_KEY;
-
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
- if (ret == 0) {
- ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
- }
- }
- }
-#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
-
- if (mbedtls_ssl_check_cert_usage(chain,
- ciphersuite_info,
- !ssl->conf->endpoint,
- &ssl->session_negotiate->verify_result) != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
- if (ret == 0) {
- ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
- }
-
- /* mbedtls_x509_crt_verify_with_profile is supposed to report a
- * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
- * with details encoded in the verification flags. All other kinds
- * of error codes, including those from the user provided f_vrfy
- * functions, are treated as fatal and lead to a failure of
- * ssl_parse_certificate even if verification was optional. */
- if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
- (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
- ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
- ret = 0;
- }
-
- if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
- ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
- }
-
- if (ret != 0) {
- uint8_t alert;
-
- /* The certificate may have been rejected for several reasons.
- Pick one and send the corresponding alert. Which alert to send
- may be a subject of debate in some cases. */
- if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
- alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
- alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
- alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
- alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
- } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
- alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
- } else {
- alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
- }
- mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- alert);
- }
-
-#if defined(MBEDTLS_DEBUG_C)
- if (ssl->session_negotiate->verify_result != 0) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
- (unsigned int) ssl->session_negotiate->verify_result));
- } else {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
- }
-#endif /* MBEDTLS_DEBUG_C */
-
- return ret;
-}
-
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
@@ -8187,6 +7948,7 @@
{
int ret = 0;
int crt_expected;
+ /* Authmode: precedence order is SNI if used else configuration */
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
? ssl->handshake->sni_authmode
@@ -8266,8 +8028,9 @@
}
#endif
- ret = ssl_parse_certificate_verify(ssl, authmode,
- chain, rs_ctx);
+ ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
+ ssl->handshake->ciphersuite_info,
+ rs_ctx);
if (ret != 0) {
goto exit;
}
@@ -9933,4 +9696,274 @@
return 0;
}
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
+
+/*
+ * The following functions are used by 1.2 and 1.3, client and server.
+ */
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
+ const mbedtls_ssl_ciphersuite_t *ciphersuite,
+ int recv_endpoint,
+ mbedtls_ssl_protocol_version tls_version,
+ uint32_t *flags)
+{
+ int ret = 0;
+ unsigned int usage = 0;
+ const char *ext_oid;
+ size_t ext_len;
+
+ /*
+ * keyUsage
+ */
+
+ /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
+ * to check what a compliant client will think while choosing which cert
+ * to send to the client. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ /* TLS 1.2 server part of the key exchange */
+ switch (ciphersuite->key_exchange) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
+ break;
+
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+ break;
+
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
+ break;
+
+ /* Don't use default: we want warnings when adding new values */
+ case MBEDTLS_KEY_EXCHANGE_NONE:
+ case MBEDTLS_KEY_EXCHANGE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+ usage = 0;
+ }
+ } else
+#endif
+ {
+ /* This is either TLS 1.3 authentication, which always uses signatures,
+ * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
+ * options we implement, both using signatures. */
+ (void) tls_version;
+ (void) ciphersuite;
+ usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+ }
+
+ if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
+ *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
+ ret = -1;
+ }
+
+ /*
+ * extKeyUsage
+ */
+
+ if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ ext_oid = MBEDTLS_OID_SERVER_AUTH;
+ ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
+ } else {
+ ext_oid = MBEDTLS_OID_CLIENT_AUTH;
+ ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
+ }
+
+ if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
+ *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
+ ret = -1;
+ }
+
+ return ret;
+}
+
+int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
+ int authmode,
+ mbedtls_x509_crt *chain,
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
+ void *rs_ctx)
+{
+ if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
+ return 0;
+ }
+
+ /*
+ * Primary check: use the appropriate X.509 verification function
+ */
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+ void *p_vrfy;
+ if (ssl->f_vrfy != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
+ f_vrfy = ssl->f_vrfy;
+ p_vrfy = ssl->p_vrfy;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
+ f_vrfy = ssl->conf->f_vrfy;
+ p_vrfy = ssl->conf->p_vrfy;
+ }
+
+ int ret = 0;
+ int have_ca_chain_or_callback = 0;
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+ if (ssl->conf->f_ca_cb != NULL) {
+ ((void) rs_ctx);
+ have_ca_chain_or_callback = 1;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
+ ret = mbedtls_x509_crt_verify_with_ca_cb(
+ chain,
+ ssl->conf->f_ca_cb,
+ ssl->conf->p_ca_cb,
+ ssl->conf->cert_profile,
+ ssl->hostname,
+ &ssl->session_negotiate->verify_result,
+ f_vrfy, p_vrfy);
+ } else
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+ {
+ mbedtls_x509_crt *ca_chain;
+ mbedtls_x509_crl *ca_crl;
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_ca_chain != NULL) {
+ ca_chain = ssl->handshake->sni_ca_chain;
+ ca_crl = ssl->handshake->sni_ca_crl;
+ } else
+#endif
+ {
+ ca_chain = ssl->conf->ca_chain;
+ ca_crl = ssl->conf->ca_crl;
+ }
+
+ if (ca_chain != NULL) {
+ have_ca_chain_or_callback = 1;
+ }
+
+ ret = mbedtls_x509_crt_verify_restartable(
+ chain,
+ ca_chain, ca_crl,
+ ssl->conf->cert_profile,
+ ssl->hostname,
+ &ssl->session_negotiate->verify_result,
+ f_vrfy, p_vrfy, rs_ctx);
+ }
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
+ }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+ }
+#endif
+
+ /*
+ * Secondary checks: always done, but change 'ret' only if it was 0
+ */
+
+ /* With TLS 1.2 and ECC certs, check that the curve used by the
+ * certificate is on our list of acceptable curves.
+ *
+ * With TLS 1.3 this is not needed because the curve is part of the
+ * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
+ * we validate the signature made with the key associated to this cert.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
+ if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
+ ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
+ if (ret == 0) {
+ ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
+ if (mbedtls_ssl_check_cert_usage(chain,
+ ciphersuite_info,
+ ssl->conf->endpoint,
+ ssl->tls_version,
+ &ssl->session_negotiate->verify_result) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
+ if (ret == 0) {
+ ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+ }
+
+ /* With authmode optional, we want to keep going if the certificate was
+ * unacceptable, but still fail on other errors (out of memory etc),
+ * including fatal errors from the f_vrfy callback.
+ *
+ * The only acceptable errors are:
+ * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
+ * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
+ * Anything else is a fatal error. */
+ if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+ (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
+ ret = 0;
+ }
+
+ /* Return a specific error as this is a user error: inconsistent
+ * configuration - can't verify without trust anchors. */
+ if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
+ ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+ }
+
+ if (ret != 0) {
+ uint8_t alert;
+
+ /* The certificate may have been rejected for several reasons.
+ Pick one and send the corresponding alert. Which alert to send
+ may be a subject of debate in some cases. */
+ if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
+ alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
+ alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
+ } else {
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
+ }
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ alert);
+ }
+
+#if defined(MBEDTLS_DEBUG_C)
+ if (ssl->session_negotiate->verify_result != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
+ (unsigned int) ssl->session_negotiate->verify_result));
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
+ }
+#endif /* MBEDTLS_DEBUG_C */
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index eac6a3a..9b2da5a 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -364,7 +364,8 @@
*olen = 0;
- if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
+ if (mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
+ MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
return 0;
}
@@ -787,7 +788,8 @@
const unsigned char *buf,
size_t len)
{
- if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+ if ((mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
+ MBEDTLS_SSL_SESSION_TICKETS_DISABLED) ||
len != 0) {
MBEDTLS_SSL_DEBUG_MSG(1,
("non-matching session ticket extension"));
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index b5b975f..03722ac 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -756,7 +756,9 @@
* and decrypting with the same RSA key.
*/
if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
- MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_VERSION_TLS1_2,
+ &flags) != 0) {
MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
"(extended) key usage extension"));
continue;
@@ -3921,7 +3923,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
- uint8_t ecpoint_len;
+ size_t ecpoint_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 162e3a3..b63b5e6 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1141,6 +1141,11 @@
*out_len = 0;
+ ret = mbedtls_ssl_tls13_crypto_init(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
/* Write supported_versions extension
*
* Supported Versions Extension is mandatory with TLS 1.3.
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 8ac6579..b6d0978 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -27,7 +27,6 @@
#include "psa/crypto.h"
#include "psa_util_internal.h"
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
@@ -37,7 +36,16 @@
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-#endif
+
+int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl)
+{
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ (void) ssl; // unused when debugging is disabled
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_crypto_init", status);
+ }
+ return PSA_TO_MBEDTLS_ERR(status);
+}
const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
@@ -472,6 +480,7 @@
mbedtls_free(ssl->session_negotiate->peer_cert);
}
+ /* This is used by ssl_tls13_validate_certificate() */
if (certificate_list_len == 0) {
ssl->session_negotiate->peer_cert = NULL;
ret = 0;
@@ -627,25 +636,13 @@
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
{
- int ret = 0;
- int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
- mbedtls_x509_crt *ca_chain;
- mbedtls_x509_crl *ca_crl;
- const char *ext_oid;
- size_t ext_len;
- uint32_t verify_result = 0;
-
- /* If SNI was used, overwrite authentication mode
- * from the configuration. */
-#if defined(MBEDTLS_SSL_SRV_C)
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
- authmode = ssl->handshake->sni_authmode;
- } else
-#endif
- authmode = ssl->conf->authmode;
- }
+ /* Authmode: precedence order is SNI if used else configuration */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+ ? ssl->handshake->sni_authmode
+ : ssl->conf->authmode;
+#else
+ const int authmode = ssl->conf->authmode;
#endif
/*
@@ -677,6 +674,11 @@
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_CLI_C)
+ /* Regardless of authmode, the server is not allowed to send an empty
+ * certificate chain. (Last paragraph before 4.4.2.1 in RFC 8446: "The
+ * server's certificate_list MUST always be non-empty.") With authmode
+ * optional/none, we continue the handshake if we can't validate the
+ * server's cert, but we still break it if no certificate was sent. */
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);
@@ -685,114 +687,9 @@
#endif /* MBEDTLS_SSL_CLI_C */
}
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- if (ssl->handshake->sni_ca_chain != NULL) {
- ca_chain = ssl->handshake->sni_ca_chain;
- ca_crl = ssl->handshake->sni_ca_crl;
- } else
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
- {
- ca_chain = ssl->conf->ca_chain;
- ca_crl = ssl->conf->ca_crl;
- }
-
- /*
- * Main check: verify certificate
- */
- ret = mbedtls_x509_crt_verify_with_profile(
- ssl->session_negotiate->peer_cert,
- ca_chain, ca_crl,
- ssl->conf->cert_profile,
- ssl->hostname,
- &verify_result,
- ssl->conf->f_vrfy, ssl->conf->p_vrfy);
-
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
- }
-
- /*
- * Secondary checks: always done, but change 'ret' only if it was 0
- */
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ext_oid = MBEDTLS_OID_SERVER_AUTH;
- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
- } else {
- ext_oid = MBEDTLS_OID_CLIENT_AUTH;
- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
- }
-
- if ((mbedtls_x509_crt_check_key_usage(
- ssl->session_negotiate->peer_cert,
- MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0) ||
- (mbedtls_x509_crt_check_extended_key_usage(
- ssl->session_negotiate->peer_cert,
- ext_oid, ext_len) != 0)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
- if (ret == 0) {
- ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
- }
-
- /* mbedtls_x509_crt_verify_with_profile is supposed to report a
- * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
- * with details encoded in the verification flags. All other kinds
- * of error codes, including those from the user provided f_vrfy
- * functions, are treated as fatal and lead to a failure of
- * mbedtls_ssl_tls13_parse_certificate even if verification was optional.
- */
- if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
- (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
- ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
- ret = 0;
- }
-
- if (ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
- ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
- }
-
- if (ret != 0) {
- /* The certificate may have been rejected for several reasons.
- Pick one and send the corresponding alert. Which alert to send
- may be a subject of debate in some cases. */
- if (verify_result & MBEDTLS_X509_BADCERT_OTHER) {
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret);
- } else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
- MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret);
- } else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE |
- MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
- MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
- MBEDTLS_X509_BADCERT_BAD_PK |
- MBEDTLS_X509_BADCERT_BAD_KEY)) {
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret);
- } else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret);
- } else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret);
- } else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
- MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret);
- } else {
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret);
- }
- }
-
-#if defined(MBEDTLS_DEBUG_C)
- if (verify_result != 0) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
- (unsigned int) verify_result));
- } else {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
- }
-#endif /* MBEDTLS_DEBUG_C */
-
- ssl->session_negotiate->verify_result = verify_result;
- return ret;
+ return mbedtls_ssl_verify_certificate(ssl, authmode,
+ ssl->session_negotiate->peer_cert,
+ NULL, NULL);
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
MBEDTLS_CHECK_RETURN_CRITICAL
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index f5ef920..693edc7 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1355,19 +1355,23 @@
* compression methods and the length of the extensions.
*
* cipher_suites cipher_suites_len bytes
- * legacy_compression_methods 2 bytes
- * extensions_len 2 bytes
+ * legacy_compression_methods length 1 byte
*/
- MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 1);
p += cipher_suites_len;
cipher_suites_end = p;
+ /* Check if we have enough data for legacy_compression_methods
+ * and the length of the extensions (2 bytes).
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p + 1, end, p[0] + 2);
+
/*
* Search for the supported versions extension and parse it to determine
* if the client supports TLS 1.3.
*/
ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
- ssl, p + 2, end,
+ ssl, p + 1 + p[0], end,
&supported_versions_data, &supported_versions_data_end);
if (ret < 0) {
MBEDTLS_SSL_DEBUG_RET(1,
@@ -1408,6 +1412,12 @@
ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
ssl->session_negotiate->endpoint = ssl->conf->endpoint;
+ /* Before doing any crypto, make sure we can. */
+ ret = mbedtls_ssl_tls13_crypto_init(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
/*
* We are negotiating the version 1.3 of the protocol. Do what we have
* postponed: copy of the client random bytes, copy of the legacy session
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 2fd56fb..53cdcf0 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -48,7 +48,9 @@
#if defined(MBEDTLS_HAVE_TIME)
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
+#endif
#include <windows.h>
#else
#include <time.h>
diff --git a/programs/cipher/cipher_aead_demo.c b/programs/cipher/cipher_aead_demo.c
index 853ec20..83fcce5 100644
--- a/programs/cipher/cipher_aead_demo.c
+++ b/programs/cipher/cipher_aead_demo.c
@@ -79,7 +79,7 @@
const unsigned char key_bytes[32] = { 0x2a };
/* Print the contents of a buffer in hex */
-void print_buf(const char *title, unsigned char *buf, size_t len)
+static void print_buf(const char *title, unsigned char *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
diff --git a/programs/fuzz/common.h b/programs/fuzz/common.h
index 094383c..88dceac 100644
--- a/programs/fuzz/common.h
+++ b/programs/fuzz/common.h
@@ -23,3 +23,6 @@
int dummy_entropy(void *data, unsigned char *output, size_t len);
int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
uint32_t timeout);
+
+/* Implemented in the fuzz_*.c sources and required by onefile.c */
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
diff --git a/programs/fuzz/fuzz_pkcs7.c b/programs/fuzz/fuzz_pkcs7.c
index 2056913..38b4dc1 100644
--- a/programs/fuzz/fuzz_pkcs7.c
+++ b/programs/fuzz/fuzz_pkcs7.c
@@ -1,5 +1,6 @@
#include <stdint.h>
#include "mbedtls/pkcs7.h"
+#include "common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c
index 0b153b1..b2500e5 100644
--- a/programs/fuzz/fuzz_pubkey.c
+++ b/programs/fuzz/fuzz_pubkey.c
@@ -1,6 +1,7 @@
#include <stdint.h>
#include <stdlib.h>
#include "mbedtls/pk.h"
+#include "common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c
index 151db92..e8dacd9 100644
--- a/programs/fuzz/fuzz_x509crl.c
+++ b/programs/fuzz/fuzz_x509crl.c
@@ -1,5 +1,6 @@
#include <stdint.h>
#include "mbedtls/x509_crl.h"
+#include "common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c
index 3eee072..74d3b07 100644
--- a/programs/fuzz/fuzz_x509crt.c
+++ b/programs/fuzz/fuzz_x509crt.c
@@ -1,5 +1,6 @@
#include <stdint.h>
#include "mbedtls/x509_crt.h"
+#include "common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c
index 7946e57..4c123f8 100644
--- a/programs/fuzz/fuzz_x509csr.c
+++ b/programs/fuzz/fuzz_x509csr.c
@@ -1,5 +1,6 @@
#include <stdint.h>
#include "mbedtls/x509_csr.h"
+#include "common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
diff --git a/programs/fuzz/onefile.c b/programs/fuzz/onefile.c
index 3b2709f..2d4330a 100644
--- a/programs/fuzz/onefile.c
+++ b/programs/fuzz/onefile.c
@@ -1,14 +1,13 @@
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
+#include "common.h"
/* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway
* in case it contains platform-specific #defines related to malloc or
* stdio functions. */
#include "mbedtls/build_info.h"
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
-
int main(int argc, char **argv)
{
FILE *fp;
diff --git a/programs/hash/md_hmac_demo.c b/programs/hash/md_hmac_demo.c
index 581816a..494e9ef 100644
--- a/programs/hash/md_hmac_demo.c
+++ b/programs/hash/md_hmac_demo.c
@@ -57,7 +57,7 @@
const unsigned char key_bytes[32] = { 0 };
/* Print the contents of a buffer in hex */
-void print_buf(const char *title, unsigned char *buf, size_t len)
+static void print_buf(const char *title, unsigned char *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
@@ -87,7 +87,7 @@
* This function demonstrates computation of the HMAC of two messages using
* the multipart API.
*/
-int hmac_demo(void)
+static int hmac_demo(void)
{
int ret;
const mbedtls_md_type_t alg = MBEDTLS_MD_SHA256;
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index 194a5cb..83d7b71 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -39,8 +39,8 @@
#define DEV_RANDOM_THRESHOLD 32
-int dev_random_entropy_poll(void *data, unsigned char *output,
- size_t len, size_t *olen)
+static int dev_random_entropy_poll(void *data, unsigned char *output,
+ size_t len, size_t *olen)
{
FILE *file;
size_t ret, left = len;
diff --git a/programs/psa/aead_demo.c b/programs/psa/aead_demo.c
index 619166d..2d99e3c 100644
--- a/programs/psa/aead_demo.c
+++ b/programs/psa/aead_demo.c
@@ -82,7 +82,7 @@
const unsigned char key_bytes[32] = { 0x2a };
/* Print the contents of a buffer in hex */
-void print_buf(const char *title, uint8_t *buf, size_t len)
+static void print_buf(const char *title, uint8_t *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
diff --git a/programs/psa/hmac_demo.c b/programs/psa/hmac_demo.c
index 2055054..683f3e5 100644
--- a/programs/psa/hmac_demo.c
+++ b/programs/psa/hmac_demo.c
@@ -59,7 +59,7 @@
const unsigned char key_bytes[32] = { 0 };
/* Print the contents of a buffer in hex */
-void print_buf(const char *title, uint8_t *buf, size_t len)
+static void print_buf(const char *title, uint8_t *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
@@ -90,7 +90,7 @@
* This function demonstrates computation of the HMAC of two messages using
* the multipart API.
*/
-psa_status_t hmac_demo(void)
+static psa_status_t hmac_demo(void)
{
psa_status_t status;
const psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256);
diff --git a/programs/psa/psa_constant_names.c b/programs/psa/psa_constant_names.c
index 0baf4a0..7905b52 100644
--- a/programs/psa/psa_constant_names.c
+++ b/programs/psa/psa_constant_names.c
@@ -192,7 +192,7 @@
TYPE_STATUS,
} signed_value_type;
-int process_signed(signed_value_type type, long min, long max, char **argp)
+static int process_signed(signed_value_type type, long min, long max, char **argp)
{
for (; *argp != NULL; argp++) {
char buffer[200];
@@ -231,7 +231,7 @@
TYPE_KEY_USAGE,
} unsigned_value_type;
-int process_unsigned(unsigned_value_type type, unsigned long max, char **argp)
+static int process_unsigned(unsigned_value_type type, unsigned long max, char **argp)
{
for (; *argp != NULL; argp++) {
char buffer[200];
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 43133d9..025f3c5 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -82,6 +82,7 @@
#define DFL_CID_VALUE_RENEGO NULL
#define DFL_RECONNECT_HARD 0
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
+#define DFL_NEW_SESSION_TICKETS MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED
#define DFL_ALPN_STRING NULL
#define DFL_GROUPS NULL
#define DFL_SIG_ALGS NULL
@@ -198,7 +199,8 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#define USAGE_TICKETS \
- " tickets=%%d default: 1 (enabled)\n"
+ " tickets=%%d default: 1 (enabled)\n" \
+ " new_session_tickets=%%d default: 1 (enabled)\n"
#else
#define USAGE_TICKETS ""
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
@@ -514,7 +516,8 @@
int reco_delay; /* delay in seconds before resuming session */
int reco_mode; /* how to keep the session around */
int reconnect_hard; /* unexpectedly reconnect from the same port */
- int tickets; /* enable / disable session tickets */
+ int tickets; /* enable / disable session tickets (TLS 1.2) */
+ int new_session_tickets; /* enable / disable new session tickets (TLS 1.3) */
const char *groups; /* list of supported groups */
const char *sig_algs; /* supported TLS 1.3 signature algorithms */
const char *alpn_string; /* ALPN supported protocols */
@@ -597,8 +600,8 @@
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-int report_cid_usage(mbedtls_ssl_context *ssl,
- const char *additional_description)
+static int report_cid_usage(mbedtls_ssl_context *ssl,
+ const char *additional_description)
{
int ret;
unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
@@ -818,8 +821,6 @@
psa_key_attributes_t key_attributes;
#endif
psa_status_t status;
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
- psa_status_t status;
#endif
rng_context_t rng;
@@ -894,7 +895,15 @@
memset((void *) alpn_list, 0, sizeof(alpn_list));
#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* For builds with TLS 1.3 enabled but not MBEDTLS_USE_PSA_CRYPTO,
+ * we deliberately do not call psa_crypto_init() here, to test that
+ * the library is backward-compatible with versions prior to 3.6.0
+ * where calling psa_crypto_init() was not required to open a TLS
+ * connection in the default configuration. See
+ * https://github.com/Mbed-TLS/mbedtls/issues/9072 and
+ * mbedtls_ssl_tls13_crypto_init().
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
@@ -963,6 +972,7 @@
opt.reco_mode = DFL_RECO_MODE;
opt.reconnect_hard = DFL_RECONNECT_HARD;
opt.tickets = DFL_TICKETS;
+ opt.new_session_tickets = DFL_NEW_SESSION_TICKETS;
opt.alpn_string = DFL_ALPN_STRING;
opt.groups = DFL_GROUPS;
opt.sig_algs = DFL_SIG_ALGS;
@@ -1220,6 +1230,11 @@
if (opt.tickets < 0) {
goto usage;
}
+ } else if (strcmp(p, "new_session_tickets") == 0) {
+ opt.new_session_tickets = atoi(q);
+ if (opt.new_session_tickets < 0) {
+ goto usage;
+ }
} else if (strcmp(p, "alpn") == 0) {
opt.alpn_string = q;
} else if (strcmp(p, "extended_ms") == 0) {
@@ -1930,7 +1945,11 @@
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_session_tickets(&conf, opt.tickets);
-#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
+ &conf, opt.new_session_tickets);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
if (opt.force_ciphersuite[0] != DFL_FORCE_CIPHER) {
mbedtls_ssl_conf_ciphersuites(&conf, opt.force_ciphersuite);
@@ -2204,7 +2223,9 @@
ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n",
(unsigned int) -ret);
- if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+ if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
mbedtls_printf(
" Unable to verify the server's certificate. "
"Either it is invalid,\n"
@@ -2215,7 +2236,13 @@
"not using TLS 1.3.\n"
" For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`"
"or other folder that has root certificates\n");
+
+ flags = mbedtls_ssl_get_verify_result(&ssl);
+ char vrfy_buf[512];
+ x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags);
+ mbedtls_printf("%s\n", vrfy_buf);
}
+#endif
mbedtls_printf("\n");
goto exit;
}
@@ -3192,6 +3219,9 @@
/* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto
* resources are freed by rng_free(). */
+ /* For builds with MBEDTLS_SSL_PROTO_TLS1_3, PSA may have been
+ * initialized under the hood by the TLS layer. See
+ * mbedtls_ssl_tls13_crypto_init(). */
#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \
!defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
mbedtls_psa_crypto_free();
diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c
index ee2cdb7..51e8781 100644
--- a/programs/ssl/ssl_context_info.c
+++ b/programs/ssl/ssl_context_info.c
@@ -111,12 +111,12 @@
/*
* Basic printing functions
*/
-void print_version(void)
+static void print_version(void)
{
printf("%s v%d.%d\n", PROG_NAME, VER_MAJOR, VER_MINOR);
}
-void print_usage(void)
+static void print_usage(void)
{
print_version();
printf("\nThis program is used to deserialize an Mbed TLS SSL session from the base64 code provided\n"
@@ -138,7 +138,7 @@
);
}
-void printf_dbg(const char *str, ...)
+static void printf_dbg(const char *str, ...)
{
if (debug) {
va_list args;
@@ -151,7 +151,7 @@
}
MBEDTLS_PRINTF_ATTRIBUTE(1, 2)
-void printf_err(const char *str, ...)
+static void printf_err(const char *str, ...)
{
va_list args;
va_start(args, str);
@@ -165,7 +165,7 @@
/*
* Exit from the program in case of error
*/
-void error_exit(void)
+static void error_exit(void)
{
if (NULL != b64_file) {
fclose(b64_file);
@@ -176,7 +176,7 @@
/*
* This function takes the input arguments of this program
*/
-void parse_arguments(int argc, char *argv[])
+static void parse_arguments(int argc, char *argv[])
{
int i = 1;
@@ -223,7 +223,7 @@
/*
* This function prints base64 code to the stdout
*/
-void print_b64(const uint8_t *b, size_t len)
+static void print_b64(const uint8_t *b, size_t len)
{
size_t i = 0;
const uint8_t *end = b + len;
@@ -247,8 +247,8 @@
* /p in_line number of bytes in one line
* /p prefix prefix for the new lines
*/
-void print_hex(const uint8_t *b, size_t len,
- const size_t in_line, const char *prefix)
+static void print_hex(const uint8_t *b, size_t len,
+ const size_t in_line, const char *prefix)
{
size_t i = 0;
const uint8_t *end = b + len;
@@ -271,7 +271,7 @@
/*
* Print the value of time_t in format e.g. 2020-01-23 13:05:59
*/
-void print_time(const uint64_t *time)
+static void print_time(const uint64_t *time)
{
#if defined(MBEDTLS_HAVE_TIME)
char buf[20];
@@ -292,7 +292,7 @@
/*
* Print the input string if the bit is set in the value
*/
-void print_if_bit(const char *str, int bit, int val)
+static void print_if_bit(const char *str, int bit, int val)
{
if (bit & val) {
printf("\t%s\n", str);
@@ -302,7 +302,7 @@
/*
* Return pointer to hardcoded "enabled" or "disabled" depending on the input value
*/
-const char *get_enabled_str(int is_en)
+static const char *get_enabled_str(int is_en)
{
return (is_en) ? "enabled" : "disabled";
}
@@ -310,7 +310,7 @@
/*
* Return pointer to hardcoded MFL string value depending on the MFL code at the input
*/
-const char *get_mfl_str(int mfl_code)
+static const char *get_mfl_str(int mfl_code)
{
switch (mfl_code) {
case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
@@ -343,7 +343,7 @@
* \retval number of bytes written in to the b64 buffer or 0 in case no more
* data was found
*/
-size_t read_next_b64_code(uint8_t **b64, size_t *max_len)
+static size_t read_next_b64_code(uint8_t **b64, size_t *max_len)
{
int valid_balance = 0; /* balance between valid and invalid characters */
size_t len = 0;
@@ -443,7 +443,7 @@
* /p ssl pointer to serialized certificate
* /p len number of bytes in the buffer
*/
-void print_deserialized_ssl_cert(const uint8_t *ssl, uint32_t len)
+static void print_deserialized_ssl_cert(const uint8_t *ssl, uint32_t len)
{
enum { STRLEN = 4096 };
mbedtls_x509_crt crt;
@@ -509,8 +509,8 @@
* /p len number of bytes in the buffer
* /p session_cfg_flag session configuration flags
*/
-void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len,
- int session_cfg_flag)
+static void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len,
+ int session_cfg_flag)
{
const struct mbedtls_ssl_ciphersuite_t *ciphersuite_info;
int ciphersuite_id;
@@ -746,7 +746,7 @@
* /p ssl pointer to serialized session
* /p len number of bytes in the buffer
*/
-void print_deserialized_ssl_context(const uint8_t *ssl, size_t len)
+static void print_deserialized_ssl_context(const uint8_t *ssl, size_t len)
{
const uint8_t *end = ssl + len;
uint32_t session_len;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index a5d2ed1..ed69590 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -756,7 +756,7 @@
sni_entry *next;
};
-void sni_free(sni_entry *head)
+static void sni_free(sni_entry *head)
{
sni_entry *cur = head, *next;
@@ -786,7 +786,7 @@
*
* Modifies the input string! This is not production quality!
*/
-sni_entry *sni_parse(char *sni_string)
+static sni_entry *sni_parse(char *sni_string)
{
sni_entry *cur = NULL, *new = NULL;
char *p = sni_string;
@@ -878,8 +878,8 @@
/*
* SNI callback.
*/
-int sni_callback(void *p_info, mbedtls_ssl_context *ssl,
- const unsigned char *name, size_t name_len)
+static int sni_callback(void *p_info, mbedtls_ssl_context *ssl,
+ const unsigned char *name, size_t name_len)
{
const sni_entry *cur = (const sni_entry *) p_info;
@@ -909,7 +909,7 @@
/*
* server certificate selection callback.
*/
-int cert_callback(mbedtls_ssl_context *ssl)
+static int cert_callback(mbedtls_ssl_context *ssl)
{
const sni_entry *cur = (sni_entry *) mbedtls_ssl_get_user_data_p(ssl);
if (cur != NULL) {
@@ -954,7 +954,7 @@
/*
* Free a list of psk_entry's
*/
-int psk_free(psk_entry *head)
+static int psk_free(psk_entry *head)
{
psk_entry *next;
@@ -985,7 +985,7 @@
*
* Modifies the input string! This is not production quality!
*/
-psk_entry *psk_parse(char *psk_string)
+static psk_entry *psk_parse(char *psk_string)
{
psk_entry *cur = NULL, *new = NULL;
char *p = psk_string;
@@ -1027,8 +1027,8 @@
/*
* PSK callback
*/
-int psk_callback(void *p_info, mbedtls_ssl_context *ssl,
- const unsigned char *name, size_t name_len)
+static int psk_callback(void *p_info, mbedtls_ssl_context *ssl,
+ const unsigned char *name, size_t name_len)
{
psk_entry *cur = (psk_entry *) p_info;
@@ -1055,7 +1055,7 @@
/* Interruption handler to ensure clean exit (for valgrind testing) */
#if !defined(_WIN32)
static int received_sigterm = 0;
-void term_handler(int sig)
+static void term_handler(int sig)
{
((void) sig);
received_sigterm = 1;
@@ -1105,11 +1105,11 @@
void *p_rng;
} ssl_async_key_context_t;
-int ssl_async_set_key(ssl_async_key_context_t *ctx,
- mbedtls_x509_crt *cert,
- mbedtls_pk_context *pk,
- int pk_take_ownership,
- unsigned delay)
+static int ssl_async_set_key(ssl_async_key_context_t *ctx,
+ mbedtls_x509_crt *cert,
+ mbedtls_pk_context *pk,
+ int pk_take_ownership,
+ unsigned delay)
{
if (ctx->slots_used >= sizeof(ctx->slots) / sizeof(*ctx->slots)) {
return -1;
@@ -1332,8 +1332,8 @@
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-int report_cid_usage(mbedtls_ssl_context *ssl,
- const char *additional_description)
+static int report_cid_usage(mbedtls_ssl_context *ssl,
+ const char *additional_description)
{
int ret;
unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
@@ -1376,16 +1376,17 @@
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_HAVE_TIME)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) && \
+ defined(MBEDTLS_HAVE_TIME)
static inline void put_unaligned_uint32(void *p, uint32_t x)
{
memcpy(p, &x, sizeof(x));
}
/* Functions for session ticket tests */
-int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session,
- unsigned char *start, const unsigned char *end,
- size_t *tlen, uint32_t *ticket_lifetime)
+static int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session,
+ unsigned char *start, const unsigned char *end,
+ size_t *tlen, uint32_t *ticket_lifetime)
{
int ret;
unsigned char *p = start;
@@ -1410,8 +1411,8 @@
return 0;
}
-int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
- unsigned char *buf, size_t len)
+static int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
+ unsigned char *buf, size_t len)
{
int ret;
((void) p_ticket);
@@ -1467,9 +1468,9 @@
return ret;
}
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_HAVE_TIME */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C && MBEDTLS_HAVE_TIME */
-int parse_cipher(char *buf)
+static int parse_cipher(char *buf)
{
if (strcmp(buf, "AES-128-CCM")) {
return MBEDTLS_CIPHER_AES_128_CCM;
@@ -1593,7 +1594,7 @@
int i;
char *p, *q;
const int *list;
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status;
#endif
unsigned char eap_tls_keymaterial[16];
@@ -1659,7 +1660,15 @@
mbedtls_ssl_cookie_init(&cookie_ctx);
#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* For builds with TLS 1.3 enabled but not MBEDTLS_USE_PSA_CRYPTO,
+ * we deliberately do not call psa_crypto_init() here, to test that
+ * the library is backward-compatible with versions prior to 3.6.0
+ * where calling psa_crypto_init() was not required to open a TLS
+ * connection in the default configuration. See
+ * https://github.com/Mbed-TLS/mbedtls/issues/9072 and
+ * mbedtls_ssl_tls13_crypto_init().
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
@@ -3504,7 +3513,8 @@
(unsigned int) -ret);
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
- if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+ if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
char vrfy_buf[512];
flags = mbedtls_ssl_get_verify_result(&ssl);
@@ -4308,6 +4318,9 @@
/* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto
* resources are freed by rng_free(). */
+ /* For builds with MBEDTLS_SSL_PROTO_TLS1_3, PSA may have been
+ * initialized under the hood by the TLS layer. See
+ * mbedtls_ssl_tls13_crypto_init(). */
#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \
&& !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
mbedtls_psa_crypto_free();
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 1ff2077..6d333e8 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -12,13 +12,13 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-void eap_tls_key_derivation(void *p_expkey,
- mbedtls_ssl_key_export_type secret_type,
- const unsigned char *secret,
- size_t secret_len,
- const unsigned char client_random[32],
- const unsigned char server_random[32],
- mbedtls_tls_prf_types tls_prf_type)
+static void eap_tls_key_derivation(void *p_expkey,
+ mbedtls_ssl_key_export_type secret_type,
+ const unsigned char *secret,
+ size_t secret_len,
+ const unsigned char client_random[32],
+ const unsigned char server_random[32],
+ mbedtls_tls_prf_types tls_prf_type)
{
eap_tls_keys *keys = (eap_tls_keys *) p_expkey;
@@ -36,13 +36,13 @@
keys->tls_prf_type = tls_prf_type;
}
-void nss_keylog_export(void *p_expkey,
- mbedtls_ssl_key_export_type secret_type,
- const unsigned char *secret,
- size_t secret_len,
- const unsigned char client_random[32],
- const unsigned char server_random[32],
- mbedtls_tls_prf_types tls_prf_type)
+static void nss_keylog_export(void *p_expkey,
+ mbedtls_ssl_key_export_type secret_type,
+ const unsigned char *secret,
+ size_t secret_len,
+ const unsigned char client_random[32],
+ const unsigned char server_random[32],
+ mbedtls_tls_prf_types tls_prf_type)
{
char nss_keylog_line[200];
size_t const client_random_len = 32;
@@ -106,13 +106,13 @@
}
#if defined(MBEDTLS_SSL_DTLS_SRTP)
-void dtls_srtp_key_derivation(void *p_expkey,
- mbedtls_ssl_key_export_type secret_type,
- const unsigned char *secret,
- size_t secret_len,
- const unsigned char client_random[32],
- const unsigned char server_random[32],
- mbedtls_tls_prf_types tls_prf_type)
+static void dtls_srtp_key_derivation(void *p_expkey,
+ mbedtls_ssl_key_export_type secret_type,
+ const unsigned char *secret,
+ size_t secret_len,
+ const unsigned char client_random[32],
+ const unsigned char server_random[32],
+ mbedtls_tls_prf_types tls_prf_type)
{
dtls_srtp_keys *keys = (dtls_srtp_keys *) p_expkey;
@@ -131,8 +131,8 @@
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
-int ssl_check_record(mbedtls_ssl_context const *ssl,
- unsigned char const *buf, size_t len)
+static int ssl_check_record(mbedtls_ssl_context const *ssl,
+ unsigned char const *buf, size_t len)
{
int my_ret = 0, ret_cr1, ret_cr2;
unsigned char *tmp_buf;
@@ -195,7 +195,7 @@
return my_ret;
}
-int recv_cb(void *ctx, unsigned char *buf, size_t len)
+static int recv_cb(void *ctx, unsigned char *buf, size_t len)
{
io_ctx_t *io_ctx = (io_ctx_t *) ctx;
size_t recv_len;
@@ -223,8 +223,8 @@
return (int) recv_len;
}
-int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len,
- uint32_t timeout)
+static int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len,
+ uint32_t timeout)
{
io_ctx_t *io_ctx = (io_ctx_t *) ctx;
int ret;
@@ -248,7 +248,7 @@
return (int) recv_len;
}
-int send_cb(void *ctx, unsigned char const *buf, size_t len)
+static int send_cb(void *ctx, unsigned char const *buf, size_t len)
{
io_ctx_t *io_ctx = (io_ctx_t *) ctx;
@@ -319,8 +319,8 @@
/** Functionally equivalent to mbedtls_x509_crt_verify_info, see that function
* for more info.
*/
-int x509_crt_verify_info(char *buf, size_t size, const char *prefix,
- uint32_t flags)
+static int x509_crt_verify_info(char *buf, size_t size, const char *prefix,
+ uint32_t flags)
{
#if !defined(MBEDTLS_X509_REMOVE_INFO)
return mbedtls_x509_crt_verify_info(buf, size, prefix, flags);
@@ -352,7 +352,8 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_print_supported_sig_algs(void)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+static void mbedtls_print_supported_sig_algs(void)
{
mbedtls_printf("supported signature algorithms:\n");
mbedtls_printf("\trsa_pkcs1_sha256 ");
@@ -373,3 +374,4 @@
mbedtls_printf("ecdsa_sha1\n");
mbedtls_printf("\n");
}
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
diff --git a/programs/test/metatest.c b/programs/test/metatest.c
index 75829ec..d876e9a 100644
--- a/programs/test/metatest.c
+++ b/programs/test/metatest.c
@@ -76,13 +76,13 @@
/* Test framework features */
/****************************************************************/
-void meta_test_fail(const char *name)
+static void meta_test_fail(const char *name)
{
(void) name;
mbedtls_test_fail("Forced test failure", __LINE__, __FILE__);
}
-void meta_test_not_equal(const char *name)
+static void meta_test_not_equal(const char *name)
{
int left = 20;
int right = 10;
@@ -94,7 +94,7 @@
;
}
-void meta_test_not_le_s(const char *name)
+static void meta_test_not_le_s(const char *name)
{
int left = 20;
int right = 10;
@@ -106,7 +106,7 @@
;
}
-void meta_test_not_le_u(const char *name)
+static void meta_test_not_le_u(const char *name)
{
size_t left = 20;
size_t right = 10;
@@ -122,16 +122,16 @@
/* Platform features */
/****************************************************************/
-void null_pointer_dereference(const char *name)
+static void null_pointer_dereference(const char *name)
{
(void) name;
volatile char *volatile p;
set_to_zero_but_the_compiler_does_not_know(&p, sizeof(p));
/* Undefined behavior (read from null data pointer) */
- mbedtls_printf("%p -> %u\n", p, (unsigned) *p);
+ mbedtls_printf("%p -> %u\n", (void *) p, (unsigned) *p);
}
-void null_pointer_call(const char *name)
+static void null_pointer_call(const char *name)
{
(void) name;
unsigned(*volatile p)(void);
@@ -148,7 +148,7 @@
/* Memory */
/****************************************************************/
-void read_after_free(const char *name)
+static void read_after_free(const char *name)
{
(void) name;
volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
@@ -158,7 +158,7 @@
mbedtls_printf("%u\n", (unsigned) *p);
}
-void double_free(const char *name)
+static void double_free(const char *name)
{
(void) name;
volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
@@ -168,7 +168,7 @@
free_but_the_compiler_does_not_know((void *) p);
}
-void read_uninitialized_stack(const char *name)
+static void read_uninitialized_stack(const char *name)
{
(void) name;
char buf[1];
@@ -182,7 +182,7 @@
}
}
-void memory_leak(const char *name)
+static void memory_leak(const char *name)
{
(void) name;
volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
@@ -196,7 +196,7 @@
* %(start), %(offset) and %(count) are decimal integers.
* %(direction) is either the character 'r' for read or 'w' for write.
*/
-void test_memory_poison(const char *name)
+static void test_memory_poison(const char *name)
{
size_t start = 0, offset = 0, count = 0;
char direction = 'r';
@@ -254,7 +254,7 @@
/* Threading */
/****************************************************************/
-void mutex_lock_not_initialized(const char *name)
+static void mutex_lock_not_initialized(const char *name)
{
(void) name;
#if defined(MBEDTLS_THREADING_C)
@@ -270,7 +270,7 @@
#endif
}
-void mutex_unlock_not_initialized(const char *name)
+static void mutex_unlock_not_initialized(const char *name)
{
(void) name;
#if defined(MBEDTLS_THREADING_C)
@@ -286,7 +286,7 @@
#endif
}
-void mutex_free_not_initialized(const char *name)
+static void mutex_free_not_initialized(const char *name)
{
(void) name;
#if defined(MBEDTLS_THREADING_C)
@@ -300,7 +300,7 @@
#endif
}
-void mutex_double_init(const char *name)
+static void mutex_double_init(const char *name)
{
(void) name;
#if defined(MBEDTLS_THREADING_C)
@@ -315,7 +315,7 @@
#endif
}
-void mutex_double_free(const char *name)
+static void mutex_double_free(const char *name)
{
(void) name;
#if defined(MBEDTLS_THREADING_C)
@@ -330,7 +330,7 @@
#endif
}
-void mutex_leak(const char *name)
+static void mutex_leak(const char *name)
{
(void) name;
#if defined(MBEDTLS_THREADING_C)
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index 043209b..e72386f 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -241,7 +241,7 @@
}
#endif
-int mbedtls_entropy_self_test_wrapper(int verbose)
+static int mbedtls_entropy_self_test_wrapper(int verbose)
{
#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
create_entropy_seed_file();
@@ -252,7 +252,7 @@
#if defined(MBEDTLS_SELF_TEST)
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-int mbedtls_memory_buffer_alloc_free_and_self_test(int verbose)
+static int mbedtls_memory_buffer_alloc_free_and_self_test(int verbose)
{
if (verbose != 0) {
#if defined(MBEDTLS_MEMORY_DEBUG)
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index beaa8bd..7213f8a 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -483,7 +483,7 @@
} packet;
/* Print packet. Outgoing packets come with a reason (forward, dupl, etc.) */
-void print_packet(const packet *p, const char *why)
+static void print_packet(const packet *p, const char *why)
{
#if defined(MBEDTLS_TIMING_C)
if (why == NULL) {
@@ -527,7 +527,7 @@
static inject_clihlo_state_t inject_clihlo_state;
static packet initial_clihlo;
-int send_packet(const packet *p, const char *why)
+static int send_packet(const packet *p, const char *why)
{
int ret;
mbedtls_net_context *dst = p->dst;
@@ -616,13 +616,13 @@
static size_t prev_len;
static packet prev[MAX_DELAYED_MSG];
-void clear_pending(void)
+static void clear_pending(void)
{
memset(&prev, 0, sizeof(prev));
prev_len = 0;
}
-void delay_packet(packet *delay)
+static void delay_packet(packet *delay)
{
if (prev_len == MAX_DELAYED_MSG) {
return;
@@ -631,7 +631,7 @@
memcpy(&prev[prev_len++], delay, sizeof(packet));
}
-int send_delayed(void)
+static int send_delayed(void)
{
uint8_t offset;
int ret;
@@ -663,9 +663,9 @@
static unsigned char held[2048] = { 0 };
#define HOLD_MAX 2
-int handle_message(const char *way,
- mbedtls_net_context *dst,
- mbedtls_net_context *src)
+static int handle_message(const char *way,
+ mbedtls_net_context *dst,
+ mbedtls_net_context *src)
{
int ret;
packet cur;
diff --git a/programs/test/zeroize.c b/programs/test/zeroize.c
index 1e9b98d..c1cee0d 100644
--- a/programs/test/zeroize.c
+++ b/programs/test/zeroize.c
@@ -23,7 +23,7 @@
#define BUFFER_LEN 1024
-void usage(void)
+static void usage(void)
{
mbedtls_printf("Zeroize is a simple program to assist with testing\n");
mbedtls_printf("the mbedtls_platform_zeroize() function by using the\n");
diff --git a/programs/util/pem2der.c b/programs/util/pem2der.c
index d682c2b..177365b 100644
--- a/programs/util/pem2der.c
+++ b/programs/util/pem2der.c
@@ -45,8 +45,8 @@
const char *output_file; /* where to store the output */
} opt;
-int convert_pem_to_der(const unsigned char *input, size_t ilen,
- unsigned char *output, size_t *olen)
+static int convert_pem_to_der(const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen)
{
int ret;
const unsigned char *s1, *s2, *end = input + ilen;
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index dcfd176..995ee49 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -94,22 +94,22 @@
* global options
*/
struct options {
- const char *filename; /* filename of the key file */
- const char *password; /* password for the key file */
- int debug_level; /* level of debugging */
+ const char *filename; /* filename of the key file */
+ const char *password; /* password for the key file */
+ int debug_level; /* level of debugging */
const char *output_file; /* where to store the constructed key file */
- const char *subject_name; /* subject name for certificate request */
- mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */
- unsigned char key_usage; /* key usage flags */
- int force_key_usage; /* Force adding the KeyUsage extension */
- unsigned char ns_cert_type; /* NS cert type */
- int force_ns_cert_type; /* Force adding NsCertType extension */
- mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */
+ const char *subject_name; /* subject name for certificate request */
+ mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */
+ unsigned char key_usage; /* key usage flags */
+ int force_key_usage; /* Force adding the KeyUsage extension */
+ unsigned char ns_cert_type; /* NS cert type */
+ int force_ns_cert_type; /* Force adding NsCertType extension */
+ mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */
} opt;
-int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
+static int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
{
int ret;
FILE *f;
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 0b2575e..6fd1dce 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -204,9 +204,9 @@
int format; /* format */
} opt;
-int write_certificate(mbedtls_x509write_cert *crt, const char *output_file,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
+static int write_certificate(mbedtls_x509write_cert *crt, const char *output_file,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
{
int ret;
FILE *f;
@@ -249,8 +249,8 @@
return 0;
}
-int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax,
- const char *ibuf, size_t *len)
+static int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax,
+ const char *ibuf, size_t *len)
{
unsigned long long int dec;
unsigned int remaining_bytes = sizeof(dec);
diff --git a/programs/x509/load_roots.c b/programs/x509/load_roots.c
index f0e6acf..d14537f 100644
--- a/programs/x509/load_roots.c
+++ b/programs/x509/load_roots.c
@@ -48,7 +48,7 @@
} opt;
-int read_certificates(const char *const *filenames)
+static int read_certificates(const char *const *filenames)
{
mbedtls_x509_crt cas;
int ret = 0;
diff --git a/scripts/common.make b/scripts/common.make
index 9908a3c..439f13d 100644
--- a/scripts/common.make
+++ b/scripts/common.make
@@ -18,7 +18,7 @@
CFLAGS ?= -O2
WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
-WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
+WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -std=c++11 -pedantic
LDFLAGS ?=
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include -I$(MBEDTLS_PATH)/include -D_FILE_OFFSET_BITS=64
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
index 8b91f0b..d3b7d6f 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
@@ -731,7 +731,8 @@
static inline psa_status_t psa_driver_wrapper_generate_key(
const psa_key_attributes_t *attributes,
- const psa_key_production_parameters_t *params, size_t params_data_length,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data, size_t custom_data_length,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@@ -740,7 +741,7 @@
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
int is_default_production =
- psa_key_production_parameters_are_default(params, params_data_length);
+ psa_custom_key_parameters_are_default(custom, custom_data_length);
if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production )
{
/* We don't support passing custom production parameters
@@ -811,7 +812,7 @@
/* Software fallback */
status = psa_generate_key_internal(
- attributes, params, params_data_length,
+ attributes, custom, custom_data, custom_data_length,
key_buffer, key_buffer_size, key_buffer_length );
break;
diff --git a/scripts/lcov.sh b/scripts/lcov.sh
index 9a0c582..2d2f42b 100755
--- a/scripts/lcov.sh
+++ b/scripts/lcov.sh
@@ -30,9 +30,15 @@
set -eu
-# Repository detection
-in_mbedtls_build_dir () {
- test -d library
+# Project detection
+PROJECT_NAME_FILE='./scripts/project_name.txt'
+if read -r PROJECT_NAME < "$PROJECT_NAME_FILE"; then :; else
+ echo "$PROJECT_NAME_FILE does not exist... Exiting..." >&2
+ exit 1
+fi
+
+in_mbedtls_repo () {
+ test "$PROJECT_NAME" = "Mbed TLS"
}
# Collect stats and build a HTML report.
@@ -68,7 +74,7 @@
exit
fi
-if in_mbedtls_build_dir; then
+if in_mbedtls_repo; then
library_dir='library'
title='Mbed TLS'
else
diff --git a/scripts/project_name.txt b/scripts/project_name.txt
new file mode 100644
index 0000000..a38cf26
--- /dev/null
+++ b/scripts/project_name.txt
@@ -0,0 +1 @@
+Mbed TLS
diff --git a/tests/Makefile b/tests/Makefile
index af26965..14c6995 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -212,8 +212,7 @@
clean:
ifndef WINDOWS
rm -rf $(BINARIES) *.c *.datax
- rm -f src/*.o src/drivers/*.o src/test_helpers/*.o src/libmbed* src/test_keys.h src/test_certs.h
- rm -f src/test_keys.h src/test_certs.h
+ rm -f src/*.o src/drivers/*.o src/test_helpers/*.o src/libmbed*
rm -f include/test/instrument_record_status.h
rm -f include/alt-extra/*/*_alt.h
rm -rf libtestdriver1
@@ -224,10 +223,8 @@
if exist *.datax del /Q /F *.datax
if exist src/*.o del /Q /F src/*.o
if exist src/drivers/*.o del /Q /F src/drivers/*.o
- if exist src/test_keys.h del /Q /F src/test_keys.h
- if exist src/test_certs.h del /Q /F src/test_cers.h
if exist src/test_helpers/*.o del /Q /F src/test_helpers/*.o
- if exist src/libmbed* del /Q /F src/libmed*
+ if exist src/libmbed* del /Q /F src/libmbed*
if exist include/test/instrument_record_status.h del /Q /F include/test/instrument_record_status.h
endif
diff --git a/tests/include/test/psa_crypto_helpers.h b/tests/include/test/psa_crypto_helpers.h
index 7306d8e..1039712 100644
--- a/tests/include/test/psa_crypto_helpers.h
+++ b/tests/include/test/psa_crypto_helpers.h
@@ -16,6 +16,8 @@
#include <psa/crypto.h>
#endif
+#include <mbedtls/ctr_drbg.h>
+
#if defined(MBEDTLS_PSA_CRYPTO_C)
/** Initialize the PSA Crypto subsystem. */
#define PSA_INIT() PSA_ASSERT(psa_crypto_init())
@@ -332,9 +334,18 @@
* This is like #PSA_DONE except it does nothing under the same conditions as
* #USE_PSA_INIT.
*/
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define USE_PSA_INIT() PSA_INIT()
#define USE_PSA_DONE() PSA_DONE()
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* TLS 1.3 must work without having called psa_crypto_init(), for backward
+ * compatibility with Mbed TLS <= 3.5 when connecting with a peer that
+ * supports both TLS 1.2 and TLS 1.3. See mbedtls_ssl_tls13_crypto_init()
+ * and https://github.com/Mbed-TLS/mbedtls/issues/9072 . */
+#define USE_PSA_INIT() ((void) 0)
+/* TLS 1.3 may have initialized the PSA subsystem. Shut it down cleanly,
+ * otherwise Asan and Valgrind would notice a resource leak. */
+#define USE_PSA_DONE() PSA_DONE()
#else /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
/* Define empty macros so that we can use them in the preamble and teardown
* of every test function that uses PSA conditionally based on
@@ -406,13 +417,12 @@
* This is like #PSA_DONE except it does nothing under the same conditions as
* #MD_OR_USE_PSA_INIT.
*/
-#if defined(MBEDTLS_MD_SOME_PSA) || \
- defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_MD_SOME_PSA)
#define MD_OR_USE_PSA_INIT() PSA_INIT()
#define MD_OR_USE_PSA_DONE() PSA_DONE()
#else
-#define MD_OR_USE_PSA_INIT() ((void) 0)
-#define MD_OR_USE_PSA_DONE() ((void) 0)
+#define MD_OR_USE_PSA_INIT() USE_PSA_INIT()
+#define MD_OR_USE_PSA_DONE() USE_PSA_DONE()
#endif
/** \def AES_PSA_INIT
@@ -430,12 +440,32 @@
* This is like #PSA_DONE except it does nothing under the same conditions as
* #AES_PSA_INIT.
*/
-#if defined(MBEDTLS_AES_C)
-#define AES_PSA_INIT() ((void) 0)
-#define AES_PSA_DONE() ((void) 0)
-#else /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
#define AES_PSA_INIT() PSA_INIT()
#define AES_PSA_DONE() PSA_DONE()
-#endif /* MBEDTLS_AES_C */
+#else /* MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO */
+#define AES_PSA_INIT() ((void) 0)
+#define AES_PSA_DONE() ((void) 0)
+#endif /* MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO */
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
+ defined(MBEDTLS_CTR_DRBG_C) && \
+ defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
+/* When AES_C is not defined and PSA does not have an external RNG,
+ * then CTR_DRBG uses PSA to perform AES-ECB. In this scenario 1 key
+ * slot is used internally from PSA to hold the AES key and it should
+ * not be taken into account when evaluating remaining open slots. */
+#define MBEDTLS_TEST_PSA_INTERNAL_KEYS_FOR_DRBG 1
+#else
+#define MBEDTLS_TEST_PSA_INTERNAL_KEYS_FOR_DRBG 0
+#endif
+
+/** The number of volatile keys that PSA crypto uses internally.
+ *
+ * We expect that many volatile keys to be in use after a successful
+ * psa_crypto_init().
+ */
+#define MBEDTLS_TEST_PSA_INTERNAL_KEYS \
+ MBEDTLS_TEST_PSA_INTERNAL_KEYS_FOR_DRBG
#endif /* PSA_CRYPTO_HELPERS_H */
diff --git a/tests/include/test/psa_test_wrappers.h b/tests/include/test/psa_test_wrappers.h
index 9551855..134a547 100644
--- a/tests/include/test/psa_test_wrappers.h
+++ b/tests/include/test/psa_test_wrappers.h
@@ -354,6 +354,15 @@
#define psa_generate_key(arg0_attributes, arg1_key) \
mbedtls_test_wrap_psa_generate_key(arg0_attributes, arg1_key)
+psa_status_t mbedtls_test_wrap_psa_generate_key_custom(
+ const psa_key_attributes_t *arg0_attributes,
+ const psa_custom_key_parameters_t *arg1_custom,
+ const uint8_t *arg2_custom_data,
+ size_t arg3_custom_data_length,
+ mbedtls_svc_key_id_t *arg4_key);
+#define psa_generate_key_custom(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key) \
+ mbedtls_test_wrap_psa_generate_key_custom(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key)
+
psa_status_t mbedtls_test_wrap_psa_generate_key_ext(
const psa_key_attributes_t *arg0_attributes,
const psa_key_production_parameters_t *arg1_params,
@@ -496,6 +505,16 @@
#define psa_key_derivation_output_key(arg0_attributes, arg1_operation, arg2_key) \
mbedtls_test_wrap_psa_key_derivation_output_key(arg0_attributes, arg1_operation, arg2_key)
+psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_custom(
+ const psa_key_attributes_t *arg0_attributes,
+ psa_key_derivation_operation_t *arg1_operation,
+ const psa_custom_key_parameters_t *arg2_custom,
+ const uint8_t *arg3_custom_data,
+ size_t arg4_custom_data_length,
+ mbedtls_svc_key_id_t *arg5_key);
+#define psa_key_derivation_output_key_custom(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key) \
+ mbedtls_test_wrap_psa_key_derivation_output_key_custom(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key)
+
psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_ext(
const psa_key_attributes_t *arg0_attributes,
psa_key_derivation_operation_t *arg1_operation,
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 9d5870d..90ae3b2 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -839,7 +839,21 @@
-c "Protocol is TLSv1.3" \
-C "Saving session for reuse... ok" \
-C "Reconnecting with saved session... ok" \
- -c "Ignore NewSessionTicket, not supported."
+ -c "Ignoring NewSessionTicket, not supported."
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
+ MBEDTLS_SSL_SESSION_TICKETS \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->O: resumption fails, ticket handling disabled" \
+ "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 1" \
+ "$P_CLI debug_level=3 new_session_tickets=0 reco_mode=1 reconnect=1" \
+ 1 \
+ -c "Protocol is TLSv1.3" \
+ -C "Saving session for reuse... ok" \
+ -C "Reconnecting with saved session... ok" \
+ -c "Ignoring NewSessionTicket, handling disabled."
# No early data m->O tests for the time being. The option -early_data is needed
# to enable early data on OpenSSL server and it is not compatible with the
@@ -899,7 +913,21 @@
-c "Protocol is TLSv1.3" \
-C "Saving session for reuse... ok" \
-C "Reconnecting with saved session... ok" \
- -c "Ignore NewSessionTicket, not supported."
+ -c "Ignoring NewSessionTicket, not supported."
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
+ MBEDTLS_SSL_SESSION_TICKETS \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->G: resumption fails, ticket handling disabled" \
+ "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \
+ "$P_CLI debug_level=3 new_session_tickets=0 reco_mode=1 reconnect=1" \
+ 1 \
+ -c "Protocol is TLSv1.3" \
+ -C "Saving session for reuse... ok" \
+ -C "Reconnecting with saved session... ok" \
+ -c "Ignoring NewSessionTicket, handling disabled."
requires_gnutls_tls1_3
requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index ed097df..1a73020 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -115,15 +115,23 @@
# Enable ksh/bash extended file matching patterns
shopt -s extglob
+# For project detection
in_mbedtls_repo () {
- test -d include -a -d library -a -d programs -a -d tests
+ test "$PROJECT_NAME" = "Mbed TLS"
}
in_tf_psa_crypto_repo () {
- test -d include -a -d core -a -d drivers -a -d programs -a -d tests
+ test "$PROJECT_NAME" = "TF-PSA-Crypto"
}
pre_check_environment () {
+ # For project detection
+ PROJECT_NAME_FILE='./scripts/project_name.txt'
+ if read -r PROJECT_NAME < "$PROJECT_NAME_FILE"; then :; else
+ echo "$PROJECT_NAME_FILE does not exist... Exiting..." >&2
+ exit 1
+ fi
+
if in_mbedtls_repo || in_tf_psa_crypto_repo; then :; else
echo "Must be run from Mbed TLS / TF-PSA-Crypto root" >&2
exit 1
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 993e23c..082ed01 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -642,8 +642,9 @@
re.compile(r'mbedtls_ct_memmove_left .*')
],
'test_suite_psa_crypto': [
- # We don't support generate_key_ext entry points
+ # We don't support generate_key_custom entry points
# in drivers yet.
+ re.compile(r'PSA generate key custom: RSA, e=.*'),
re.compile(r'PSA generate key ext: RSA, e=.*'),
],
}
diff --git a/tests/scripts/components-build-system.sh b/tests/scripts/components-build-system.sh
index c16c1b1..c41aa48 100644
--- a/tests/scripts/components-build-system.sh
+++ b/tests/scripts/components-build-system.sh
@@ -11,7 +11,7 @@
component_test_make_shared () {
msg "build/test: make shared" # ~ 40s
- make SHARED=1 all check
+ make SHARED=1 TEST_CPP=1 all check
ldd programs/util/strerror | grep libmbedcrypto
programs/test/dlopen_demo.sh
}
@@ -65,7 +65,7 @@
mkdir "$OUT_OF_SOURCE_DIR"
cd "$OUT_OF_SOURCE_DIR"
# Note: Explicitly generate files as these are turned off in releases
- cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON "$MBEDTLS_ROOT_DIR"
+ cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON -D TEST_CPP=1 "$MBEDTLS_ROOT_DIR"
make
msg "test: cmake 'out-of-source' build"
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index 39b9d5d..da0e180 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -2504,6 +2504,40 @@
scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
}
+component_test_full_block_cipher_psa_dispatch_static_keystore () {
+ msg "build: full + PSA dispatch in block_cipher with static keystore"
+ # Check that the static key store works well when CTR_DRBG uses a
+ # PSA key for AES.
+ scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC
+
+ loc_accel_list="ALG_ECB_NO_PADDING \
+ KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA"
+
+ # Configure
+ # ---------
+
+ common_block_cipher_dispatch 1
+
+ # Build
+ # -----
+
+ helper_libtestdriver1_make_drivers "$loc_accel_list"
+
+ helper_libtestdriver1_make_main "$loc_accel_list"
+
+ # Make sure disabled components were not re-enabled by accident (additive
+ # config)
+ not grep mbedtls_aes_ library/aes.o
+ not grep mbedtls_aria_ library/aria.o
+ not grep mbedtls_camellia_ library/camellia.o
+
+ # Run the tests
+ # -------------
+
+ msg "test: full + PSA dispatch in block_cipher with static keystore"
+ make test
+}
+
component_test_full_block_cipher_psa_dispatch () {
msg "build: full + PSA dispatch in block_cipher"
@@ -3038,6 +3072,16 @@
make test
}
+component_test_full_static_keystore () {
+ msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC"
+ scripts/config.py full
+ scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC
+ make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC"
+ make test
+}
+
component_test_psa_crypto_drivers () {
msg "build: full + test drivers dispatching to builtins"
scripts/config.py full
diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh
index 5511cc9..7debb34 100644
--- a/tests/scripts/components-configuration-tls.sh
+++ b/tests/scripts/components-configuration-tls.sh
@@ -315,14 +315,14 @@
msg "build: full config except SSL server, make, gcc" # ~ 30s
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_SRV_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes'
}
component_build_no_ssl_cli () {
msg "build: full config except SSL client, make, gcc" # ~ 30s
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_CLI_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes'
}
component_test_no_max_fragment_length () {
diff --git a/tests/src/asn1_helpers.c b/tests/src/asn1_helpers.c
index c8df199..c63bd0c 100644
--- a/tests/src/asn1_helpers.c
+++ b/tests/src/asn1_helpers.c
@@ -15,6 +15,8 @@
#include <mbedtls/asn1.h>
+#include <test/asn1_helpers.h>
+
int mbedtls_test_asn1_skip_integer(unsigned char **p, const unsigned char *end,
size_t min_bits, size_t max_bits,
int must_be_odd)
diff --git a/tests/src/drivers/platform_builtin_keys.c b/tests/src/drivers/platform_builtin_keys.c
index 01fc050..4561b6f 100644
--- a/tests/src/drivers/platform_builtin_keys.c
+++ b/tests/src/drivers/platform_builtin_keys.c
@@ -10,6 +10,8 @@
#include <test/helpers.h>
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+
#include <psa/crypto.h>
#include <psa/crypto_extra.h>
@@ -76,3 +78,5 @@
return PSA_ERROR_DOES_NOT_EXIST;
}
+
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
diff --git a/tests/src/psa_crypto_helpers.c b/tests/src/psa_crypto_helpers.c
index e1ea2b5..197fd41 100644
--- a/tests/src/psa_crypto_helpers.c
+++ b/tests/src/psa_crypto_helpers.c
@@ -13,6 +13,10 @@
#include <psa_crypto_slot_management.h>
#include <test/psa_crypto_helpers.h>
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include <mbedtls/ctr_drbg.h>
+#endif
+
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include <psa/crypto.h>
@@ -70,20 +74,14 @@
mbedtls_psa_get_stats(&stats);
-#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C) && \
- !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
- /* When AES_C is not defined and PSA does not have an external RNG,
- * then CTR_DRBG uses PSA to perform AES-ECB. In this scenario 1 key
- * slot is used internally from PSA to hold the AES key and it should
- * not be taken into account when evaluating remaining open slots. */
- if (stats.volatile_slots > 1) {
+ /* Some volatile slots may be used for internal purposes. Generally
+ * we'll have exactly MBEDTLS_TEST_PSA_INTERNAL_KEYS at this point,
+ * but in some cases we might have less, e.g. if a code path calls
+ * PSA_DONE more than once, or if there has only been a partial or
+ * failed initialization. */
+ if (stats.volatile_slots > MBEDTLS_TEST_PSA_INTERNAL_KEYS) {
return "A volatile slot has not been closed properly.";
}
-#else
- if (stats.volatile_slots != 0) {
- return "A volatile slot has not been closed properly.";
- }
-#endif
if (stats.persistent_slots != 0) {
return "A persistent slot has not been closed properly.";
}
diff --git a/tests/src/psa_memory_poisoning_wrappers.c b/tests/src/psa_memory_poisoning_wrappers.c
index 05cba18..7b48c7c 100644
--- a/tests/src/psa_memory_poisoning_wrappers.c
+++ b/tests/src/psa_memory_poisoning_wrappers.c
@@ -4,7 +4,8 @@
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#include "test/memory.h"
+#include <test/memory.h>
+#include <test/psa_memory_poisoning_wrappers.h>
#include "psa_crypto_invasive.h"
diff --git a/tests/src/psa_test_wrappers.c b/tests/src/psa_test_wrappers.c
index 7415e29..eceb40b 100644
--- a/tests/src/psa_test_wrappers.c
+++ b/tests/src/psa_test_wrappers.c
@@ -604,6 +604,24 @@
return status;
}
+/* Wrapper for psa_generate_key_custom */
+psa_status_t mbedtls_test_wrap_psa_generate_key_custom(
+ const psa_key_attributes_t *arg0_attributes,
+ const psa_custom_key_parameters_t *arg1_custom,
+ const uint8_t *arg2_custom_data,
+ size_t arg3_custom_data_length,
+ mbedtls_svc_key_id_t *arg4_key)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg2_custom_data, arg3_custom_data_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_generate_key_custom)(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg2_custom_data, arg3_custom_data_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
/* Wrapper for psa_generate_key_ext */
psa_status_t mbedtls_test_wrap_psa_generate_key_ext(
const psa_key_attributes_t *arg0_attributes,
@@ -870,6 +888,25 @@
return status;
}
+/* Wrapper for psa_key_derivation_output_key_custom */
+psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_custom(
+ const psa_key_attributes_t *arg0_attributes,
+ psa_key_derivation_operation_t *arg1_operation,
+ const psa_custom_key_parameters_t *arg2_custom,
+ const uint8_t *arg3_custom_data,
+ size_t arg4_custom_data_length,
+ mbedtls_svc_key_id_t *arg5_key)
+{
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_POISON(arg3_custom_data, arg4_custom_data_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ psa_status_t status = (psa_key_derivation_output_key_custom)(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ MBEDTLS_TEST_MEMORY_UNPOISON(arg3_custom_data, arg4_custom_data_length);
+#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */
+ return status;
+}
+
/* Wrapper for psa_key_derivation_output_key_ext */
psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_ext(
const psa_key_attributes_t *arg0_attributes,
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 16fa38a..3cb6175 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -950,10 +950,10 @@
/*
* Write application data. Increase write counter if necessary.
*/
-int mbedtls_ssl_write_fragment(mbedtls_ssl_context *ssl,
- unsigned char *buf, int buf_len,
- int *written,
- const int expected_fragments)
+static int mbedtls_ssl_write_fragment(mbedtls_ssl_context *ssl,
+ unsigned char *buf, int buf_len,
+ int *written,
+ const int expected_fragments)
{
int ret;
/* Verify that calling mbedtls_ssl_write with a NULL buffer and zero length is
@@ -997,10 +997,10 @@
* Read application data and increase read counter and fragments counter
* if necessary.
*/
-int mbedtls_ssl_read_fragment(mbedtls_ssl_context *ssl,
- unsigned char *buf, int buf_len,
- int *read, int *fragments,
- const int expected_fragments)
+static int mbedtls_ssl_read_fragment(mbedtls_ssl_context *ssl,
+ unsigned char *buf, int buf_len,
+ int *read, int *fragments,
+ const int expected_fragments)
{
int ret;
/* Verify that calling mbedtls_ssl_write with a NULL buffer and zero length is
@@ -2543,6 +2543,9 @@
server_options, NULL, NULL, NULL);
TEST_EQUAL(ret, 0);
+ mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
+ &client_ep.conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED);
+
mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
mbedtls_test_ticket_write,
mbedtls_test_ticket_parse,
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 0b8f129..6afc26a 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2155,7 +2155,7 @@
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "CA callback on client" \
"$P_SRV debug_level=3" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 " \
+ "$P_CLI ca_callback=1 debug_level=3 " \
0 \
-c "use CA callback for X.509 CRT verification" \
-S "error" \
@@ -2165,7 +2165,7 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "CA callback on server" \
- "$P_SRV force_version=tls12 auth_mode=required" \
+ "$P_SRV auth_mode=required" \
"$P_CLI ca_callback=1 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt \
key_file=$DATA_FILES_PATH/server5.key" \
0 \
@@ -2722,9 +2722,10 @@
0
# Tests for certificate verification callback
+requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Configuration-specific CRT verification callback" \
"$P_SRV debug_level=3" \
- "$P_CLI force_version=tls12 context_crt_cb=0 debug_level=3" \
+ "$P_CLI context_crt_cb=0 debug_level=3" \
0 \
-S "error" \
-c "Verify requested for " \
@@ -2732,9 +2733,10 @@
-C "Use context-specific verification callback" \
-C "error"
+requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Context-specific CRT verification callback" \
"$P_SRV debug_level=3" \
- "$P_CLI force_version=tls12 context_crt_cb=1 debug_level=3" \
+ "$P_CLI context_crt_cb=1 debug_level=3" \
0 \
-S "error" \
-c "Verify requested for " \
@@ -5809,38 +5811,78 @@
# Tests for auth_mode, there are duplicated tests using ca callback for authentication
# When updating these tests, modify the matching authentication tests accordingly
+# The next 4 cases test the 3 auth modes with a badly signed server cert.
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: server badcert, client required" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
- "$P_CLI debug_level=1 auth_mode=required" \
+ "$P_CLI debug_level=3 auth_mode=required" \
1 \
-c "x509_verify_cert() returned" \
-c "! The certificate is not correctly signed by the trusted CA" \
-c "! mbedtls_ssl_handshake returned" \
+ -c "send alert level=2 message=48" \
-c "X509 - Certificate verification failed"
+ # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
+# We don't check that the server receives the alert because it might
+# detect that its write end of the connection is closed and abort
+# before reading the alert message.
+
+run_test "Authentication: server badcert, client required (1.2)" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
+ "$P_CLI force_version=tls12 debug_level=3 auth_mode=required" \
+ 1 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "send alert level=2 message=48" \
+ -c "X509 - Certificate verification failed"
+ # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
run_test "Authentication: server badcert, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
- "$P_CLI force_version=tls12 debug_level=1 auth_mode=optional" \
+ "$P_CLI force_version=tls13 debug_level=3 auth_mode=optional" \
0 \
-c "x509_verify_cert() returned" \
-c "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
+ -C "send alert level=2 message=48" \
-C "X509 - Certificate verification failed"
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Authentication: server goodcert, client optional, no trusted CA" \
- "$P_SRV" \
- "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
+run_test "Authentication: server badcert, client optional (1.2)" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
+ "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional" \
0 \
-c "x509_verify_cert() returned" \
-c "! The certificate is not correctly signed by the trusted CA" \
- -c "! Certificate verification flags"\
-C "! mbedtls_ssl_handshake returned" \
- -C "X509 - Certificate verification failed" \
- -C "SSL - No CA Chain is set, but required to operate"
+ -C "send alert level=2 message=48" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: server badcert, client none" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
+ "$P_CLI debug_level=3 auth_mode=none" \
+ 0 \
+ -C "x509_verify_cert() returned" \
+ -C "! The certificate is not correctly signed by the trusted CA" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "send alert level=2 message=48" \
+ -C "X509 - Certificate verification failed"
+
+run_test "Authentication: server badcert, client none (1.2)" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
+ "$P_CLI force_version=tls12 debug_level=3 auth_mode=none" \
+ 0 \
+ -C "x509_verify_cert() returned" \
+ -C "! The certificate is not correctly signed by the trusted CA" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "send alert level=2 message=48" \
+ -C "X509 - Certificate verification failed"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: server goodcert, client required, no trusted CA" \
@@ -5853,6 +5895,65 @@
-c "! mbedtls_ssl_handshake returned" \
-c "SSL - No CA Chain is set, but required to operate"
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Authentication: server goodcert, client required, no trusted CA (1.2)" \
+ "$P_SRV force_version=tls12" \
+ "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
+ 1 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
+ -c "! Certificate verification flags"\
+ -c "! mbedtls_ssl_handshake returned" \
+ -c "SSL - No CA Chain is set, but required to operate"
+
+requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
+run_test "Authentication: server goodcert, client optional, no trusted CA" \
+ "$P_SRV" \
+ "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
+ 0 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
+ -c "! Certificate verification flags"\
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed" \
+ -C "SSL - No CA Chain is set, but required to operate"
+
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Authentication: server goodcert, client optional, no trusted CA (1.2)" \
+ "$P_SRV" \
+ "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
+ 0 \
+ -c "x509_verify_cert() returned" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
+ -c "! Certificate verification flags"\
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed" \
+ -C "SSL - No CA Chain is set, but required to operate"
+
+requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
+run_test "Authentication: server goodcert, client none, no trusted CA" \
+ "$P_SRV" \
+ "$P_CLI debug_level=3 auth_mode=none ca_file=none ca_path=none" \
+ 0 \
+ -C "x509_verify_cert() returned" \
+ -C "! The certificate is not correctly signed by the trusted CA" \
+ -C "! Certificate verification flags"\
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed" \
+ -C "SSL - No CA Chain is set, but required to operate"
+
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" \
+ "$P_SRV" \
+ "$P_CLI force_version=tls12 debug_level=3 auth_mode=none ca_file=none ca_path=none" \
+ 0 \
+ -C "x509_verify_cert() returned" \
+ -C "! The certificate is not correctly signed by the trusted CA" \
+ -C "! Certificate verification flags"\
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed" \
+ -C "SSL - No CA Chain is set, but required to operate"
+
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
# the client informs the server about the supported curves - it does, though, in the
@@ -5878,16 +5979,6 @@
-c "! Certificate verification flags"\
-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
-run_test "Authentication: server badcert, client none" \
- "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
- key_file=$DATA_FILES_PATH/server5.key" \
- "$P_CLI force_version=tls12 debug_level=1 auth_mode=none" \
- 0 \
- -C "x509_verify_cert() returned" \
- -C "! The certificate is not correctly signed by the trusted CA" \
- -C "! mbedtls_ssl_handshake returned" \
- -C "X509 - Certificate verification failed"
-
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: client SHA256, server required" \
"$P_SRV auth_mode=required" \
@@ -6098,7 +6189,7 @@
run_test "Authentication: server max_int+1 chain, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
+ "$P_CLI server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
auth_mode=optional" \
1 \
-c "X509 - A fatal error occurred"
@@ -6219,7 +6310,7 @@
run_test "Authentication, CA callback: server badcert, client required" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
+ "$P_CLI ca_callback=1 debug_level=3 auth_mode=required" \
1 \
-c "use CA callback for X.509 CRT verification" \
-c "x509_verify_cert() returned" \
@@ -6231,7 +6322,7 @@
run_test "Authentication, CA callback: server badcert, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
+ "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional" \
0 \
-c "use CA callback for X.509 CRT verification" \
-c "x509_verify_cert() returned" \
@@ -6239,6 +6330,18 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
+run_test "Authentication, CA callback: server badcert, client none" \
+ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
+ key_file=$DATA_FILES_PATH/server5.key" \
+ "$P_CLI ca_callback=1 debug_level=3 auth_mode=none" \
+ 0 \
+ -C "use CA callback for X.509 CRT verification" \
+ -C "x509_verify_cert() returned" \
+ -C "! The certificate is not correctly signed by the trusted CA" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
# the client informs the server about the supported curves - it does, though, in the
@@ -6270,7 +6373,7 @@
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Authentication, CA callback: client SHA256, server required" \
+run_test "Authentication, CA callback: client SHA384, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
key_file=$DATA_FILES_PATH/server6.key \
@@ -6282,7 +6385,7 @@
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
-run_test "Authentication, CA callback: client SHA384, server required" \
+run_test "Authentication, CA callback: client SHA256, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
key_file=$DATA_FILES_PATH/server6.key \
@@ -6294,7 +6397,7 @@
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client badcert, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
+ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
1 \
@@ -6309,7 +6412,6 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-s "send alert level=2 message=48" \
- -c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
@@ -6317,7 +6419,7 @@
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client cert not trusted, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
+ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
key_file=$DATA_FILES_PATH/server5.key" \
1 \
@@ -6331,12 +6433,11 @@
-s "x509_verify_cert() returned" \
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
- -c "! mbedtls_ssl_handshake returned" \
-s "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client badcert, server optional" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
+ "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
key_file=$DATA_FILES_PATH/server5.key" \
0 \
@@ -6359,7 +6460,7 @@
run_test "Authentication, CA callback: server max_int chain, client default" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
- "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
+ "$P_CLI ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
0 \
-c "use CA callback for X.509 CRT verification" \
-C "X509 - A fatal error occurred"
@@ -6370,7 +6471,7 @@
run_test "Authentication, CA callback: server max_int+1 chain, client default" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
+ "$P_CLI debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
1 \
-c "use CA callback for X.509 CRT verification" \
-c "X509 - A fatal error occurred"
@@ -6381,7 +6482,7 @@
run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
- "$P_CLI force_version=tls12 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
+ "$P_CLI ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
debug_level=3 auth_mode=optional" \
1 \
-c "use CA callback for X.509 CRT verification" \
@@ -6391,7 +6492,7 @@
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
+ "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
1 \
@@ -6402,7 +6503,7 @@
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int+1 chain, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
+ "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
1 \
@@ -6413,7 +6514,7 @@
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "Authentication, CA callback: client max_int chain, server required" \
- "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
+ "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
0 \
@@ -6578,7 +6679,9 @@
-S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \
-S "! The certificate is not correctly signed by the trusted CA" \
+ -s "send alert level=2 message=44" \
-s "The certificate has been revoked (is on a CRL)"
+ # MBEDTLS_X509_BADCERT_REVOKED -> MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
# Tests for SNI and DTLS
@@ -6726,7 +6829,9 @@
-S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \
-S "! The certificate is not correctly signed by the trusted CA" \
+ -s "send alert level=2 message=44" \
-s "The certificate has been revoked (is on a CRL)"
+ # MBEDTLS_X509_BADCERT_REVOKED -> MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
# Tests for non-blocking I/O: exercise a variety of handshake flows
@@ -7640,22 +7745,26 @@
# Tests for keyUsage in leaf certificates, part 1:
# server-side certificate/suite selection
+#
+# This is only about 1.2 (for 1.3, all key exchanges use signatures).
+# In 4.0 this will probably go away as all TLS 1.2 key exchanges will use
+# signatures too, following the removal of RSA #8170 and static ECDH #9201.
-run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
+run_test "keyUsage srv 1.2: RSA, digitalSignature -> (EC)DHE-RSA" \
"$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
crt_file=$DATA_FILES_PATH/server2.ku-ds.crt" \
"$P_CLI" \
0 \
-c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
-run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
+run_test "keyUsage srv 1.2: RSA, keyEncipherment -> RSA" \
"$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
crt_file=$DATA_FILES_PATH/server2.ku-ke.crt" \
"$P_CLI" \
0 \
-c "Ciphersuite is TLS-RSA-WITH-"
-run_test "keyUsage srv: RSA, keyAgreement -> fail" \
+run_test "keyUsage srv 1.2: RSA, keyAgreement -> fail" \
"$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
crt_file=$DATA_FILES_PATH/server2.ku-ka.crt" \
"$P_CLI" \
@@ -7663,7 +7772,7 @@
-C "Ciphersuite is "
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
+run_test "keyUsage srv 1.2: ECC, digitalSignature -> ECDHE-ECDSA" \
"$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ds.crt" \
"$P_CLI" \
@@ -7671,14 +7780,14 @@
-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
-run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
+run_test "keyUsage srv 1.2: ECC, keyAgreement -> ECDH-" \
"$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI" \
0 \
-c "Ciphersuite is TLS-ECDH-"
-run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
+run_test "keyUsage srv 1.2: ECC, keyEncipherment -> fail" \
"$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ke.crt" \
"$P_CLI" \
@@ -7687,8 +7796,12 @@
# Tests for keyUsage in leaf certificates, part 2:
# client-side checking of server cert
+#
+# TLS 1.3 uses only signature, but for 1.2 it depends on the key exchange.
+# In 4.0 this will probably change as all TLS 1.2 key exchanges will use
+# signatures too, following the removal of RSA #8170 and static ECDH #9201.
-run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
+run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, RSA: OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
"$P_CLI debug_level=1 \
@@ -7698,7 +7811,7 @@
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
-run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
+run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
"$P_CLI debug_level=1 \
@@ -7708,7 +7821,7 @@
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
-run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
+run_test "keyUsage cli 1.2: KeyEncipherment, RSA: OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
"$P_CLI debug_level=1 \
@@ -7718,28 +7831,32 @@
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
-run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
+run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail (hard)" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
- "$P_CLI debug_level=1 \
+ "$P_CLI debug_level=3 \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is TLS-"
+ -C "Ciphersuite is TLS-" \
+ -c "send alert level=2 message=43" \
+ -c "! Usage does not match the keyUsage extension"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
-run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
+run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail (soft)" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
- "$P_CLI debug_level=1 auth_mode=optional \
+ "$P_CLI debug_level=3 auth_mode=optional \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-" \
+ -C "send alert level=2 message=43" \
-c "! Usage does not match the keyUsage extension"
-run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
+run_test "keyUsage cli 1.2: DigitalSignature, DHE-RSA: OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ds.crt" \
"$P_CLI debug_level=1 \
@@ -7749,30 +7866,46 @@
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
-run_test "keyUsage cli: DigitalSignature, RSA: fail" \
+run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail (hard)" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ds.crt" \
- "$P_CLI debug_level=1 \
+ "$P_CLI debug_level=3 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is TLS-"
+ -C "Ciphersuite is TLS-" \
+ -c "send alert level=2 message=43" \
+ -c "! Usage does not match the keyUsage extension"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
-run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
+run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail (soft)" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ds.crt" \
- "$P_CLI debug_level=1 auth_mode=optional \
+ "$P_CLI debug_level=3 auth_mode=optional \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-" \
+ -C "send alert level=2 message=43" \
-c "! Usage does not match the keyUsage extension"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "keyUsage cli 1.3: DigitalSignature, RSA: OK" \
+ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2-sha256.ku-ds.crt" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is"
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \
"$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2-sha256.ku-ds_ke.crt" \
@@ -7785,26 +7918,32 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \
+run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail (hard)" \
"$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
- "$P_CLI debug_level=1" \
+ "$P_CLI debug_level=3" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is"
+ -C "Ciphersuite is" \
+ -c "send alert level=2 message=43" \
+ -c "! Usage does not match the keyUsage extension"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \
+run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail (hard)" \
"$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2-sha256.ku-ka.crt" \
- "$P_CLI debug_level=1" \
+ "$P_CLI debug_level=3" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is"
+ -C "Ciphersuite is" \
+ -c "send alert level=2 message=43" \
+ -c "! Usage does not match the keyUsage extension"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
@@ -7821,32 +7960,40 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \
+run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail (hard)" \
"$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.ku-ke.crt" \
- "$P_CLI debug_level=1" \
+ "$P_CLI debug_level=3" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is"
+ -C "Ciphersuite is" \
+ -c "send alert level=2 message=43" \
+ -c "! Usage does not match the keyUsage extension"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \
+run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail (hard)" \
"$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.ku-ka.crt" \
- "$P_CLI debug_level=1" \
+ "$P_CLI debug_level=3" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is"
+ -C "Ciphersuite is" \
+ -c "send alert level=2 message=43" \
+ -c "! Usage does not match the keyUsage extension"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
# Tests for keyUsage in leaf certificates, part 3:
# server-side checking of client cert
+#
+# Here, both 1.2 and 1.3 only use signatures.
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
+run_test "keyUsage cli-auth 1.2: RSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ds.crt" \
@@ -7856,25 +8003,40 @@
-S "Processing of the Certificate handshake message failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
+run_test "keyUsage cli-auth 1.2: RSA, DigitalSignature+KeyEncipherment: OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
+ 0 \
+ -s "Verifying peer X.509 certificate... ok" \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.2: RSA, KeyEncipherment: fail (soft)" \
+ "$P_SRV debug_level=3 auth_mode=optional" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
0 \
-s "bad certificate (usage extensions)" \
+ -S "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
-S "Processing of the Certificate handshake message failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
- "$P_SRV debug_level=1 force_version=tls12 auth_mode=required" \
+run_test "keyUsage cli-auth 1.2: RSA, KeyEncipherment: fail (hard)" \
+ "$P_SRV debug_level=3 force_version=tls12 auth_mode=required" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
1 \
-s "bad certificate (usage extensions)" \
+ -s "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
-s "Processing of the Certificate handshake message failed"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
+run_test "keyUsage cli-auth 1.2: ECDSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.ku-ds.crt" \
@@ -7884,14 +8046,28 @@
-S "Processing of the Certificate handshake message failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
- "$P_SRV debug_level=1 auth_mode=optional" \
+run_test "keyUsage cli-auth 1.2: ECDSA, KeyAgreement: fail (soft)" \
+ "$P_SRV debug_level=3 auth_mode=optional" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.ku-ka.crt" \
0 \
-s "bad certificate (usage extensions)" \
+ -S "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
-S "Processing of the Certificate handshake message failed"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "keyUsage cli-auth 1.2: ECDSA, KeyAgreement: fail (hard)" \
+ "$P_SRV debug_level=3 auth_mode=required" \
+ "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.ku-ka.crt" \
+ 1 \
+ -s "bad certificate (usage extensions)" \
+ -s "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
+ -s "Processing of the Certificate handshake message failed"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
@@ -7907,17 +8083,46 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \
+run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature+KeyEncipherment: OK" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
"$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \
+ -cert $DATA_FILES_PATH/server2-sha256.ku-ds_ke.crt" \
+ 0 \
+ -s "Verifying peer X.509 certificate... ok" \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \
+ "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \
+ "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \
-cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
0 \
-s "bad certificate (usage extensions)" \
+ -S "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
-S "Processing of the Certificate handshake message failed"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (hard)" \
+ "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \
+ "$P_CLI key_file=$DATA_FILES_PATH/server2.key \
+ crt_file=$DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
+ 1 \
+ -s "bad certificate (usage extensions)" \
+ -s "Processing of the Certificate handshake message failed" \
+ -s "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
+ -s "! mbedtls_ssl_handshake returned"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
"$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
@@ -7931,13 +8136,29 @@
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \
- "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
+ "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \
"$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.ku-ka.crt" \
0 \
-s "bad certificate (usage extensions)" \
+ -s "! Usage does not match the keyUsage extension" \
-S "Processing of the Certificate handshake message failed"
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (hard)" \
+ "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \
+ "$P_CLI key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
+ 1 \
+ -s "bad certificate (usage extensions)" \
+ -s "Processing of the Certificate handshake message failed" \
+ -s "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
+ -s "! mbedtls_ssl_handshake returned"
+ # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+
# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
@@ -7971,7 +8192,7 @@
# Tests for extendedKeyUsage, part 2: client-side checking of server cert
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli: serverAuth -> OK" \
+run_test "extKeyUsage cli 1.2: serverAuth -> OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-srv.crt" \
"$P_CLI debug_level=1" \
@@ -7981,7 +8202,7 @@
-c "Ciphersuite is TLS-"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
+run_test "extKeyUsage cli 1.2: serverAuth,clientAuth -> OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
"$P_CLI debug_level=1" \
@@ -7991,7 +8212,7 @@
-c "Ciphersuite is TLS-"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
+run_test "extKeyUsage cli 1.2: codeSign,anyEKU -> OK" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
"$P_CLI debug_level=1" \
@@ -8001,14 +8222,30 @@
-c "Ciphersuite is TLS-"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli: codeSign -> fail" \
+run_test "extKeyUsage cli 1.2: codeSign -> fail (soft)" \
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-cs.crt" \
- "$P_CLI debug_level=1" \
+ "$P_CLI debug_level=3 auth_mode=optional" \
+ 0 \
+ -c "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is TLS-" \
+ -C "send alert level=2 message=43" \
+ -c "! Usage does not match the extendedKeyUsage extension"
+ # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "extKeyUsage cli 1.2: codeSign -> fail (hard)" \
+ "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
+ -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
+ "$P_CLI debug_level=3" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is TLS-"
+ -C "Ciphersuite is TLS-" \
+ -c "send alert level=2 message=43" \
+ -c "! Usage does not match the extendedKeyUsage extension"
+ # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
@@ -8049,19 +8286,22 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "extKeyUsage cli 1.3: codeSign -> fail" \
+run_test "extKeyUsage cli 1.3: codeSign -> fail (hard)" \
"$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-cs.crt" \
- "$P_CLI debug_level=1" \
+ "$P_CLI debug_level=3" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is"
+ -C "Ciphersuite is" \
+ -c "send alert level=2 message=43" \
+ -c "! Usage does not match the extendedKeyUsage extension"
+ # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
# Tests for extendedKeyUsage, part 3: server-side checking of client cert
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli-auth: clientAuth -> OK" \
+run_test "extKeyUsage cli-auth 1.2: clientAuth -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-cli.crt" \
@@ -8070,7 +8310,7 @@
-S "Processing of the Certificate handshake message failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
+run_test "extKeyUsage cli-auth 1.2: serverAuth,clientAuth -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
@@ -8079,7 +8319,7 @@
-S "Processing of the Certificate handshake message failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
+run_test "extKeyUsage cli-auth 1.2: codeSign,anyEKU -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
@@ -8088,22 +8328,27 @@
-S "Processing of the Certificate handshake message failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
- "$P_SRV debug_level=1 auth_mode=optional" \
+run_test "extKeyUsage cli-auth 1.2: codeSign -> fail (soft)" \
+ "$P_SRV debug_level=3 auth_mode=optional" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-cs.crt" \
0 \
-s "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
+ -S "send alert level=2 message=43" \
+ -s "! Usage does not match the extendedKeyUsage extension" \
+ -S "Processing of the Certificate handshake message failed" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
- "$P_SRV debug_level=1 auth_mode=required" \
+run_test "extKeyUsage cli-auth 1.2: codeSign -> fail (hard)" \
+ "$P_SRV debug_level=3 auth_mode=required" \
"$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-cs.crt" \
1 \
-s "bad certificate (usage extensions)" \
+ -s "send alert level=2 message=43" \
+ -s "! Usage does not match the extendedKeyUsage extension" \
-s "Processing of the Certificate handshake message failed"
+ # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
@@ -8142,13 +8387,29 @@
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \
- "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
+ "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \
"$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
-cert $DATA_FILES_PATH/server5.eku-cs.crt" \
0 \
-s "bad certificate (usage extensions)" \
+ -S "send alert level=2 message=43" \
+ -s "! Usage does not match the extendedKeyUsage extension" \
-S "Processing of the Certificate handshake message failed"
+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (hard)" \
+ "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \
+ "$P_CLI key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.eku-cs.crt" \
+ 1 \
+ -s "bad certificate (usage extensions)" \
+ -s "send alert level=2 message=43" \
+ -s "! Usage does not match the extendedKeyUsage extension" \
+ -s "Processing of the Certificate handshake message failed"
+ # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+
# Tests for DHM parameters loading
run_test "DHM parameters: reference" \
@@ -14142,6 +14403,18 @@
-c "Selected key exchange mode: psk$" \
-c "HTTP/1.0 200 OK"
+# Legacy_compression_methods testing
+
+requires_gnutls
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test "TLS 1.2 ClientHello indicating support for deflate compression method" \
+ "$P_SRV debug_level=3" \
+ "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+COMP-DEFLATE localhost" \
+ 0 \
+ -c "Handshake was completed" \
+ -s "dumping .client hello, compression. (2 bytes)"
+
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_MEMORY_DEBUG
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index b5f5796..b561f47 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -55,8 +55,8 @@
/* Indicates whether we expect mbedtls_entropy_init
* to initialize some strong entropy source. */
#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \
- (!defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \
- defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \
+ (!defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \
+ defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \
defined(ENTROPY_NV_SEED))
#define ENTROPY_HAVE_STRONG
#endif
diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function
index eb42a07..d28a75e 100644
--- a/tests/suites/host_test.function
+++ b/tests/suites/host_test.function
@@ -8,7 +8,7 @@
*
* \return 0 if success else 1
*/
-int verify_string(char **str)
+static int verify_string(char **str)
{
if ((*str)[0] != '"' ||
(*str)[strlen(*str) - 1] != '"') {
@@ -32,7 +32,7 @@
*
* \return 0 if success else 1
*/
-int verify_int(char *str, intmax_t *p_value)
+static int verify_int(char *str, intmax_t *p_value)
{
char *end = NULL;
errno = 0;
@@ -80,7 +80,7 @@
*
* \return 0 if success else -1
*/
-int get_line(FILE *f, char *buf, size_t len)
+static int get_line(FILE *f, char *buf, size_t len)
{
char *ret;
int i = 0, str_len = 0, has_string = 0;
@@ -485,7 +485,7 @@
*
* \return Program exit status.
*/
-int execute_tests(int argc, const char **argv)
+static int execute_tests(int argc, const char **argv)
{
/* Local Configurations and options */
const char *default_filename = "DATA_FILE";
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index f327a03..c0cc2ac 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -69,7 +69,7 @@
*
* \return 0 if exp_id is found. 1 otherwise.
*/
-int get_expression(int32_t exp_id, intmax_t *out_value)
+static int get_expression(int32_t exp_id, intmax_t *out_value)
{
int ret = KEY_VALUE_MAPPING_FOUND;
@@ -100,7 +100,7 @@
*
* \return DEPENDENCY_SUPPORTED if set else DEPENDENCY_NOT_SUPPORTED
*/
-int dep_check(int dep_id)
+static int dep_check(int dep_id)
{
int ret = DEPENDENCY_NOT_SUPPORTED;
@@ -155,7 +155,7 @@
* DISPATCH_TEST_FN_NOT_FOUND if not found
* DISPATCH_UNSUPPORTED_SUITE if not compile time enabled.
*/
-int dispatch_test(size_t func_idx, void **params)
+static int dispatch_test(size_t func_idx, void **params)
{
int ret = DISPATCH_TEST_SUCCESS;
TestWrapper_t fp = NULL;
@@ -193,7 +193,7 @@
* DISPATCH_TEST_FN_NOT_FOUND if not found
* DISPATCH_UNSUPPORTED_SUITE if not compile time enabled.
*/
-int check_test(size_t func_idx)
+static int check_test(size_t func_idx)
{
int ret = DISPATCH_TEST_SUCCESS;
TestWrapper_t fp = NULL;
diff --git a/tests/suites/test_suite_alignment.function b/tests/suites/test_suite_alignment.function
index 842101f..240f552 100644
--- a/tests/suites/test_suite_alignment.function
+++ b/tests/suites/test_suite_alignment.function
@@ -10,7 +10,7 @@
/*
* Convert a string of the form "abcd" (case-insensitive) to a uint64_t.
*/
-int parse_hex_string(char *hex_string, uint64_t *result)
+static int parse_hex_string(char *hex_string, uint64_t *result)
{
uint8_t raw[8] = { 0 };
size_t olen;
diff --git a/tests/suites/test_suite_asn1parse.function b/tests/suites/test_suite_asn1parse.function
index 01a091b..123da5a 100644
--- a/tests/suites/test_suite_asn1parse.function
+++ b/tests/suites/test_suite_asn1parse.function
@@ -122,8 +122,8 @@
return ERR_PARSE_INCONSISTENCY;
}
-int get_len_step(const data_t *input, size_t buffer_size,
- size_t actual_length)
+static int get_len_step(const data_t *input, size_t buffer_size,
+ size_t actual_length)
{
unsigned char *buf = NULL;
unsigned char *p = NULL;
diff --git a/tests/suites/test_suite_asn1write.function b/tests/suites/test_suite_asn1write.function
index 469b971..f5fc025 100644
--- a/tests/suites/test_suite_asn1write.function
+++ b/tests/suites/test_suite_asn1write.function
@@ -12,7 +12,7 @@
size_t size;
} generic_write_data_t;
-int generic_write_start_step(generic_write_data_t *data)
+static int generic_write_start_step(generic_write_data_t *data)
{
mbedtls_test_set_step(data->size);
mbedtls_free(data->output);
@@ -26,8 +26,8 @@
return 0;
}
-int generic_write_finish_step(generic_write_data_t *data,
- const data_t *expected, int ret)
+static int generic_write_finish_step(generic_write_data_t *data,
+ const data_t *expected, int ret)
{
int ok = 0;
diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index f3a64e1..3ac4e10 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -3,6 +3,7 @@
#include "mbedtls/entropy.h"
#include "constant_time_internal.h"
#include "bignum_core.h"
+#include "bignum_internal.h"
#include "test/constant_flow.h"
#if MBEDTLS_MPI_MAX_BITS > 792
@@ -32,6 +33,7 @@
return 1;
}
+#if defined(MBEDTLS_GENPRIME)
typedef struct mbedtls_test_mpi_random {
data_t *data;
size_t pos;
@@ -44,9 +46,9 @@
* test) are stored in the data member of the state structure. Each number is in
* the format that mbedtls_mpi_read_string understands and is chunk_len long.
*/
-int mbedtls_test_mpi_miller_rabin_determinizer(void *state,
- unsigned char *buf,
- size_t len)
+static int mbedtls_test_mpi_miller_rabin_determinizer(void *state,
+ unsigned char *buf,
+ size_t len)
{
mbedtls_test_mpi_random *random = (mbedtls_test_mpi_random *) state;
@@ -73,6 +75,7 @@
return 0;
}
+#endif /* MBEDTLS_GENPRIME */
/* Random generator that is told how many bytes to return. */
static int f_rng_bytes_left(void *state, unsigned char *buf, size_t len)
diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function
index db84d62..08dac2e 100644
--- a/tests/suites/test_suite_bignum_core.function
+++ b/tests/suites/test_suite_bignum_core.function
@@ -1178,6 +1178,7 @@
char *input_E, char *input_X)
{
mbedtls_mpi_uint *A = NULL;
+ mbedtls_mpi_uint *A_copy = NULL;
mbedtls_mpi_uint *E = NULL;
mbedtls_mpi_uint *N = NULL;
mbedtls_mpi_uint *X = NULL;
@@ -1229,19 +1230,56 @@
TEST_CALLOC(T, working_limbs);
- mbedtls_mpi_core_exp_mod(Y, A, N, N_limbs, E, E_limbs, R2, T);
+ /* Test the safe variant */
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ mbedtls_mpi_optionally_safe_codepath_reset();
+#endif
+ mbedtls_mpi_core_exp_mod(Y, A, N, N_limbs, E, E_limbs, R2, T);
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_SECRET);
+#endif
TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint)));
- /* Check when output aliased to input */
+ /* Test the unsafe variant */
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ mbedtls_mpi_optionally_safe_codepath_reset();
+#endif
+ mbedtls_mpi_core_exp_mod_unsafe(Y, A, N, N_limbs, E, E_limbs, R2, T);
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_PUBLIC);
+#endif
+ TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint)));
+
+ /* Check both with output aliased to input */
+
+ TEST_CALLOC(A_copy, A_limbs);
+ memcpy(A_copy, A, sizeof(*A_copy) * A_limbs);
+
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ mbedtls_mpi_optionally_safe_codepath_reset();
+#endif
mbedtls_mpi_core_exp_mod(A, A, N, N_limbs, E, E_limbs, R2, T);
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_SECRET);
+#endif
+ TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint)));
+ memcpy(A, A_copy, sizeof(*A) * A_limbs);
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ mbedtls_mpi_optionally_safe_codepath_reset();
+#endif
+ mbedtls_mpi_core_exp_mod_unsafe(A, A, N, N_limbs, E, E_limbs, R2, T);
+#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
+ TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_PUBLIC);
+#endif
TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint)));
exit:
mbedtls_free(T);
mbedtls_free(A);
+ mbedtls_free(A_copy);
mbedtls_free(E);
mbedtls_free(N);
mbedtls_free(X);
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 8e49d2d..040c35c 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -129,7 +129,7 @@
* return 1 if it is,
* 0 if it isn't.
*/
-int buffer_is_all_zero(const uint8_t *buf, size_t size)
+static int buffer_is_all_zero(const uint8_t *buf, size_t size)
{
for (size_t i = 0; i < size; i++) {
if (buf[i] != 0) {
diff --git a/tests/suites/test_suite_common.function b/tests/suites/test_suite_common.function
index 5c5700c..8626a0b 100644
--- a/tests/suites/test_suite_common.function
+++ b/tests/suites/test_suite_common.function
@@ -1,7 +1,11 @@
/* BEGIN_HEADER */
#include "common.h"
-void fill_arrays(unsigned char *a, unsigned char *b, unsigned char *r1, unsigned char *r2, size_t n)
+static void fill_arrays(unsigned char *a,
+ unsigned char *b,
+ unsigned char *r1,
+ unsigned char *r2,
+ size_t n)
{
for (size_t i = 0; i < n; i++) {
a[i] = (unsigned char) i * 3;
diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function
index 720eb3e..9fa55a7 100644
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function
@@ -96,6 +96,7 @@
}
static const int thread_random_reps = 10;
+void *thread_random_function(void *ctx); /* only used conditionally in ctr_drbg_threads */
void *thread_random_function(void *ctx)
{
unsigned char out[16];
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index 70e7bad..878ceed 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
@@ -9,7 +9,7 @@
char *ptr;
};
-void string_debug(void *data, int level, const char *file, int line, const char *str)
+static void string_debug(void *data, int level, const char *file, int line, const char *str)
{
struct buffer_data *buffer = (struct buffer_data *) data;
char *p = buffer->ptr;
diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function
index 2090594..bb64ef3 100644
--- a/tests/suites/test_suite_dhm.function
+++ b/tests/suites/test_suite_dhm.function
@@ -1,9 +1,9 @@
/* BEGIN_HEADER */
#include "mbedtls/dhm.h"
-int check_get_value(const mbedtls_dhm_context *ctx,
- mbedtls_dhm_parameter param,
- const mbedtls_mpi *expected)
+static int check_get_value(const mbedtls_dhm_context *ctx,
+ mbedtls_dhm_parameter param,
+ const mbedtls_mpi *expected)
{
mbedtls_mpi actual;
int ok = 0;
diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function
index 5ac65fc..a4f3b1b 100644
--- a/tests/suites/test_suite_entropy.function
+++ b/tests/suites/test_suite_entropy.function
@@ -60,12 +60,14 @@
}
#if defined(MBEDTLS_ENTROPY_NV_SEED)
+
+#if defined(MBEDTLS_MD_LIGHT) && defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
/*
* NV seed read/write functions that use a buffer instead of a file
*/
static unsigned char buffer_seed[MBEDTLS_ENTROPY_BLOCK_SIZE];
-int buffer_nv_seed_read(unsigned char *buf, size_t buf_len)
+static int buffer_nv_seed_read(unsigned char *buf, size_t buf_len)
{
if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) {
return -1;
@@ -75,7 +77,7 @@
return 0;
}
-int buffer_nv_seed_write(unsigned char *buf, size_t buf_len)
+static int buffer_nv_seed_write(unsigned char *buf, size_t buf_len)
{
if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) {
return -1;
@@ -84,7 +86,9 @@
memcpy(buffer_seed, buf, MBEDTLS_ENTROPY_BLOCK_SIZE);
return 0;
}
+#endif /* MBEDTLS_MD_LIGHT && MBEDTLS_PLATFORM_NV_SEED_ALT */
+#if defined(MBEDTLS_FS_IO)
/*
* NV seed read/write helpers that fill the base seedfile
*/
@@ -111,7 +115,8 @@
return 0;
}
-int read_nv_seed(unsigned char *buf, size_t buf_len)
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+static int read_nv_seed(unsigned char *buf, size_t buf_len)
{
FILE *f;
@@ -133,6 +138,8 @@
return 0;
}
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_FS_IO */
#endif /* MBEDTLS_ENTROPY_NV_SEED */
/* END_HEADER */
diff --git a/tests/suites/test_suite_lmots.function b/tests/suites/test_suite_lmots.function
index 293287a..bcc72d1 100644
--- a/tests/suites/test_suite_lmots.function
+++ b/tests/suites/test_suite_lmots.function
@@ -2,8 +2,8 @@
#include "lmots.h"
#include "mbedtls/lms.h"
-#if defined(MBEDTLS_TEST_HOOKS)
-int check_lmots_private_key_for_leak(unsigned char *sig)
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_LMS_PRIVATE)
+static int check_lmots_private_key_for_leak(unsigned char *sig)
{
size_t idx;
@@ -18,7 +18,7 @@
exit:
return -1;
}
-#endif /* defined(MBEDTLS_TEST_HOOKS) */
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_LMS_PRIVATE */
/* END_HEADER */
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 38c27e3..f197d04 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -221,9 +221,9 @@
}
#if defined(MBEDTLS_PSA_CRYPTO_C)
-psa_status_t pk_psa_import_key(const unsigned char *key_data, size_t key_len,
- psa_key_type_t type, psa_key_usage_t usage,
- psa_algorithm_t alg, mbedtls_svc_key_id_t *key)
+static psa_status_t pk_psa_import_key(const unsigned char *key_data, size_t key_len,
+ psa_key_type_t type, psa_key_usage_t usage,
+ psa_algorithm_t alg, mbedtls_svc_key_id_t *key)
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status;
@@ -320,11 +320,11 @@
* for volatile keys.
* \param[out] key Identifier of the "generated" (actually imported) PSA key.
*/
-psa_status_t pk_psa_setup(psa_key_type_t type, size_t bits,
- psa_key_usage_t usage, psa_algorithm_t alg,
- psa_algorithm_t enrollment_alg,
- mbedtls_svc_key_id_t persistent_key_id,
- mbedtls_svc_key_id_t *key)
+static psa_status_t pk_psa_setup(psa_key_type_t type, size_t bits,
+ psa_key_usage_t usage, psa_algorithm_t alg,
+ psa_algorithm_t enrollment_alg,
+ mbedtls_svc_key_id_t persistent_key_id,
+ mbedtls_svc_key_id_t *key)
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
@@ -467,19 +467,19 @@
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
-#if defined(MBEDTLS_RSA_C)
-int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
- const unsigned char *input, unsigned char *output,
- size_t output_max_len)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+static int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ size_t output_max_len)
{
return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx,
mbedtls_test_rnd_std_rand, NULL,
olen, input, output, output_max_len);
}
-int mbedtls_rsa_sign_func(void *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_md_type_t md_alg, unsigned int hashlen,
- const unsigned char *hash, unsigned char *sig)
+static int mbedtls_rsa_sign_func(void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_md_type_t md_alg, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig)
{
((void) f_rng);
((void) p_rng);
@@ -487,11 +487,11 @@
mbedtls_test_rnd_std_rand, NULL,
md_alg, hashlen, hash, sig);
}
-size_t mbedtls_rsa_key_len_func(void *ctx)
+static size_t mbedtls_rsa_key_len_func(void *ctx)
{
return ((const mbedtls_rsa_context *) ctx)->len;
}
-#endif /* MBEDTLS_RSA_C */
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PK_RSA_ALT_SUPPORT */
typedef enum {
/* The values are compatible with thinking of "from pair" as a boolean. */
@@ -618,7 +618,7 @@
/* Create a copy of a PSA key with same usage and algorithm policy and destroy
* the original one. */
-mbedtls_svc_key_id_t psa_copy_and_destroy(mbedtls_svc_key_id_t orig_key_id)
+static mbedtls_svc_key_id_t psa_copy_and_destroy(mbedtls_svc_key_id_t orig_key_id)
{
psa_key_attributes_t orig_attr = PSA_KEY_ATTRIBUTES_INIT;
psa_key_attributes_t new_attr = PSA_KEY_ATTRIBUTES_INIT;
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 4c8bf23..e5dc4bd 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -17,7 +17,7 @@
* END_DEPENDENCIES
*/
/* BEGIN_SUITE_HELPERS */
-int pkcs7_parse_buffer(unsigned char *pkcs7_buf, int buflen)
+static int pkcs7_parse_buffer(unsigned char *pkcs7_buf, int buflen)
{
int res;
mbedtls_pkcs7 pkcs7;
diff --git a/tests/suites/test_suite_platform.function b/tests/suites/test_suite_platform.function
index c65d011..5d49e52 100644
--- a/tests/suites/test_suite_platform.function
+++ b/tests/suites/test_suite_platform.function
@@ -18,7 +18,7 @@
#else
#include <unistd.h>
#endif
-void sleep_ms(int milliseconds)
+static void sleep_ms(int milliseconds)
{
#if defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || \
defined(__MINGW32__) || defined(_WIN64)
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 32c7274..4149fdb 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -6935,6 +6935,18 @@
depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
derive_key_type:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"706173737764":"01":"73616c74":PSA_KEY_TYPE_AES:256:"28e288c6345bb5ecf7ca70274208a3ba0f1148b5868537d5e09d3ee6813b1f52"
+PSA key derivation custom: default -> AES-128
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES
+derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a"
+
+PSA key derivation custom: flags=1 -> AES-128
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES
+derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:""
+
+PSA key derivation custom: data non-empty -> AES-128
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES
+derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:""
+
PSA key derivation: default params -> AES-128
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES
derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a"
@@ -7520,6 +7532,83 @@
depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0
+PSA generate key custom: RSA, flags=1
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT
+
+PSA generate key custom: RSA, empty e
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS
+
+PSA generate key custom: RSA, e=3
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS
+
+PSA generate key custom: RSA, e=3 with leading zeros
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS
+
+# TODO: currently errors with NOT_SUPPORTED because e is converted to an int
+# and the conversion errors out if there are too many digits without checking
+# for leading zeros. This is a very minor bug. Re-enable this test when this
+# bug is fixed.
+#PSA generate key custom: RSA, e=3 with many leading zeros
+#depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+#generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS
+
+PSA generate key custom: RSA, e=513
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS
+
+PSA generate key custom: RSA, e=65537
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS
+
+PSA generate key custom: RSA, e=2^31-1
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS
+
+PSA generate key custom: RSA, e=2^31+3 (too large for built-in RSA)
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED
+
+PSA generate key custom: RSA, e=2^64+3 (too large for built-in RSA)
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED
+
+PSA generate key custom: RSA, e=1
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT
+
+PSA generate key custom: RSA, e=0
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT
+
+PSA generate key custom: RSA, e=2
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT
+
+# Check that with a driver, we reject a custom e as unsupported,
+# as opposed to silently using the default e.
+# When we add proper driver support, remove this test case and remove
+# the dependency on MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE from
+# the positive/invalid_argument test cases.
+PSA generate key custom: RSA, e=3 with driver and no fallback (not yet supported)
+depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"03":PSA_ERROR_NOT_SUPPORTED
+
+PSA generate key custom: ECC, flags=0
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH
+generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS
+
+PSA generate key custom: ECC, flags=1
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH
+generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:1:"":PSA_ERROR_INVALID_ARGUMENT
+
+PSA generate key custom: ECC, data non-empty
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH
+generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT
+
PSA generate key ext: RSA, params.flags=1
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT
@@ -7528,63 +7617,10 @@
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS
-PSA generate key ext: RSA, e=3
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS
-
-PSA generate key ext: RSA, e=3 with leading zeros
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS
-
-# TODO: currently errors with NOT_SUPPORTED because e is converted to an int
-# and the conversion errors out if there are too many digits without checking
-# for leading zeros. This is a very minor bug. Re-enable this test when this
-# bug is fixed.
-#PSA generate key ext: RSA, e=3 with many leading zeros
-#depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
-#generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS
-
PSA generate key ext: RSA, e=513
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS
-PSA generate key ext: RSA, e=65537
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS
-
-PSA generate key ext: RSA, e=2^31-1
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS
-
-PSA generate key ext: RSA, e=2^31+3 (too large for built-in RSA)
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED
-
-PSA generate key ext: RSA, e=2^64+3 (too large for built-in RSA)
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED
-
-PSA generate key ext: RSA, e=1
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT
-
-PSA generate key ext: RSA, e=0
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT
-
-PSA generate key ext: RSA, e=2
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT
-
-# Check that with a driver, we reject a custom e as unsupported,
-# as opposed to silently using the default e.
-# When we add proper driver support, remove this test case and remove
-# the dependency on MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE from
-# the positive/invalid_argument test cases.
-PSA generate key ext: RSA, e=3 with driver and no fallback (not yet supported)
-depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
-generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"03":PSA_ERROR_NOT_SUPPORTED
-
PSA generate key ext: ECC, flags=0
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH
generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 0c8552b..2e513ea 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -39,28 +39,6 @@
#define ASSERT_OPERATION_IS_ACTIVE(operation) TEST_ASSERT(operation.id != 0)
#define ASSERT_OPERATION_IS_INACTIVE(operation) TEST_ASSERT(operation.id == 0)
-#if defined(PSA_WANT_ALG_JPAKE)
-int ecjpake_operation_setup(psa_pake_operation_t *operation,
- psa_pake_cipher_suite_t *cipher_suite,
- psa_pake_role_t role,
- mbedtls_svc_key_id_t key,
- size_t key_available)
-{
- PSA_ASSERT(psa_pake_abort(operation));
-
- PSA_ASSERT(psa_pake_setup(operation, cipher_suite));
-
- PSA_ASSERT(psa_pake_set_role(operation, role));
-
- if (key_available) {
- PSA_ASSERT(psa_pake_set_password_key(operation, key));
- }
- return 0;
-exit:
- return 1;
-}
-#endif
-
/** An invalid export length that will never be set by psa_export_key(). */
static const size_t INVALID_EXPORT_LENGTH = ~0U;
@@ -175,12 +153,12 @@
}
#endif /* MBEDTLS_ASN1_WRITE_C */
-int exercise_mac_setup(psa_key_type_t key_type,
- const unsigned char *key_bytes,
- size_t key_length,
- psa_algorithm_t alg,
- psa_mac_operation_t *operation,
- psa_status_t *status)
+static int exercise_mac_setup(psa_key_type_t key_type,
+ const unsigned char *key_bytes,
+ size_t key_length,
+ psa_algorithm_t alg,
+ psa_mac_operation_t *operation,
+ psa_status_t *status)
{
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -207,12 +185,12 @@
return 0;
}
-int exercise_cipher_setup(psa_key_type_t key_type,
- const unsigned char *key_bytes,
- size_t key_length,
- psa_algorithm_t alg,
- psa_cipher_operation_t *operation,
- psa_status_t *status)
+static int exercise_cipher_setup(psa_key_type_t key_type,
+ const unsigned char *key_bytes,
+ size_t key_length,
+ psa_algorithm_t alg,
+ psa_cipher_operation_t *operation,
+ psa_status_t *status)
{
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -285,14 +263,14 @@
/* Assert that a key isn't reported as having a slot number. */
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
#define ASSERT_NO_SLOT_NUMBER(attributes) \
- do \
- { \
- psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \
- TEST_EQUAL(psa_get_key_slot_number( \
- attributes, \
+ do \
+ { \
+ psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \
+ TEST_EQUAL(psa_get_key_slot_number( \
+ attributes, \
&ASSERT_NO_SLOT_NUMBER_slot_number), \
PSA_ERROR_INVALID_ARGUMENT); \
- } \
+ } \
while (0)
#else /* MBEDTLS_PSA_CRYPTO_SE_C */
#define ASSERT_NO_SLOT_NUMBER(attributes) \
@@ -1338,6 +1316,7 @@
#if defined(MBEDTLS_THREADING_PTHREAD)
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
typedef struct same_key_context {
data_t *data;
mbedtls_svc_key_id_t key;
@@ -1354,7 +1333,7 @@
/* Attempt to import the key in ctx. This handles any valid error codes
* and reports an error for any invalid codes. This function also insures
* that once imported by some thread, all threads can use the key. */
-void *thread_import_key(void *ctx)
+static void *thread_import_key(void *ctx)
{
mbedtls_svc_key_id_t returned_key_id;
same_key_context *skc = (struct same_key_context *) ctx;
@@ -1428,7 +1407,7 @@
return NULL;
}
-void *thread_use_and_destroy_key(void *ctx)
+static void *thread_use_and_destroy_key(void *ctx)
{
same_key_context *skc = (struct same_key_context *) ctx;
@@ -1456,6 +1435,7 @@
exit:
return NULL;
}
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
typedef struct generate_key_context {
psa_key_type_t type;
@@ -1468,7 +1448,7 @@
int reps;
}
generate_key_context;
-void *thread_generate_key(void *ctx)
+static void *thread_generate_key(void *ctx)
{
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -9592,6 +9572,77 @@
/* END_CASE */
/* BEGIN_CASE */
+void derive_key_custom(int alg_arg,
+ data_t *key_data,
+ data_t *input1,
+ data_t *input2,
+ int key_type_arg, int bits_arg,
+ int flags_arg,
+ data_t *custom_data,
+ psa_status_t expected_status,
+ data_t *expected_export)
+{
+ mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT;
+ mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT;
+ const psa_algorithm_t alg = alg_arg;
+ const psa_key_type_t key_type = key_type_arg;
+ const size_t bits = bits_arg;
+ psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT;
+ custom.flags = flags_arg;
+ psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
+ const size_t export_buffer_size =
+ PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits);
+ uint8_t *export_buffer = NULL;
+ psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ size_t export_length;
+
+ TEST_CALLOC(export_buffer, export_buffer_size);
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&base_attributes, alg);
+ psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE);
+ PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len,
+ &base_key));
+
+ if (mbedtls_test_psa_setup_key_derivation_wrap(
+ &operation, base_key, alg,
+ input1->x, input1->len,
+ input2->x, input2->len,
+ PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) {
+ goto exit;
+ }
+
+ psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT);
+ psa_set_key_algorithm(&derived_attributes, 0);
+ psa_set_key_type(&derived_attributes, key_type);
+ psa_set_key_bits(&derived_attributes, bits);
+
+ TEST_EQUAL(psa_key_derivation_output_key_custom(
+ &derived_attributes, &operation,
+ &custom, custom_data->x, custom_data->len,
+ &derived_key),
+ expected_status);
+
+ if (expected_status == PSA_SUCCESS) {
+ PSA_ASSERT(psa_export_key(derived_key,
+ export_buffer, export_buffer_size,
+ &export_length));
+ TEST_MEMORY_COMPARE(export_buffer, export_length,
+ expected_export->x, expected_export->len);
+ }
+
+exit:
+ mbedtls_free(export_buffer);
+ psa_key_derivation_abort(&operation);
+ psa_destroy_key(base_key);
+ psa_destroy_key(derived_key);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void derive_key_ext(int alg_arg,
data_t *key_data,
data_t *input1,
@@ -10153,6 +10204,71 @@
/* END_CASE */
/* BEGIN_CASE */
+void generate_key_custom(int type_arg,
+ int bits_arg,
+ int usage_arg,
+ int alg_arg,
+ int flags_arg,
+ data_t *custom_data,
+ int expected_status_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t type = type_arg;
+ psa_key_usage_t usage = usage_arg;
+ size_t bits = bits_arg;
+ psa_algorithm_t alg = alg_arg;
+ psa_status_t expected_status = expected_status_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT;
+ custom.flags = flags_arg;
+ psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, usage);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, type);
+ psa_set_key_bits(&attributes, bits);
+
+ /* Generate a key */
+ psa_status_t status =
+ psa_generate_key_custom(&attributes,
+ &custom, custom_data->x, custom_data->len,
+ &key);
+
+ TEST_EQUAL(status, expected_status);
+ if (expected_status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Test the key information */
+ PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
+ TEST_EQUAL(psa_get_key_type(&got_attributes), type);
+ TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ TEST_ASSERT(rsa_test_e(key, bits, custom_data));
+ }
+#endif
+
+ /* Do something with the key according to its type and permitted usage. */
+ if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
+ goto exit;
+ }
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&got_attributes);
+ psa_destroy_key(key);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void generate_key_ext(int type_arg,
int bits_arg,
int usage_arg,
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data
index 54e0892..fb2da8c 100644
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data
@@ -1,3 +1,6 @@
+Built-in key range
+builtin_key_id_stability:
+
sign_hash transparent driver: in driver ECDSA SECP256R1 SHA-256
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
sign_hash:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":0:PSA_SUCCESS
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
index e7925dd..84611fa 100644
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
@@ -490,6 +490,21 @@
*/
/* BEGIN_CASE */
+void builtin_key_id_stability()
+{
+ /* If the range of built-in keys is reduced, it's an API break, since
+ * it breaks user code that hard-codes the key id of built-in keys.
+ * It's ok to expand this range, but not to shrink it. That is, you
+ * may make the MIN smaller or the MAX larger at any time, but
+ * making the MIN larger or the MAX smaller can only be done in
+ * a new major version of the library.
+ */
+ TEST_EQUAL(MBEDTLS_PSA_KEY_ID_BUILTIN_MIN, 0x7fff0000);
+ TEST_EQUAL(MBEDTLS_PSA_KEY_ID_BUILTIN_MAX, 0x7fffefff);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void sign_hash(int key_type_arg,
int alg_arg,
int force_status_arg,
diff --git a/tests/suites/test_suite_psa_crypto_init.function b/tests/suites/test_suite_psa_crypto_init.function
index 9ff33a6..954560a 100644
--- a/tests/suites/test_suite_psa_crypto_init.function
+++ b/tests/suites/test_suite_psa_crypto_init.function
@@ -8,6 +8,23 @@
#include "mbedtls/entropy.h"
#include "entropy_poll.h"
+static int check_stats(void)
+{
+ mbedtls_psa_stats_t stats;
+ mbedtls_psa_get_stats(&stats);
+
+ TEST_EQUAL(stats.volatile_slots, MBEDTLS_TEST_PSA_INTERNAL_KEYS);
+ TEST_EQUAL(stats.persistent_slots, 0);
+ TEST_EQUAL(stats.external_slots, 0);
+ TEST_EQUAL(stats.half_filled_slots, 0);
+ TEST_EQUAL(stats.locked_slots, 0);
+
+ return 1;
+
+exit:
+ return 0;
+}
+
#define ENTROPY_MIN_NV_SEED_SIZE \
MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE)
@@ -187,12 +204,23 @@
psa_status_t status;
int i;
for (i = 0; i < count; i++) {
+ mbedtls_test_set_step(2 * i);
status = psa_crypto_init();
PSA_ASSERT(status);
+ if (!check_stats()) {
+ goto exit;
+ }
+
+ mbedtls_test_set_step(2 * i);
status = psa_crypto_init();
PSA_ASSERT(status);
+ if (!check_stats()) {
+ goto exit;
+ }
PSA_DONE();
}
+exit:
+ PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function
index b51f2a2..3b5bf66 100644
--- a/tests/suites/test_suite_psa_crypto_metadata.function
+++ b/tests/suites/test_suite_psa_crypto_metadata.function
@@ -80,17 +80,17 @@
* Unconditionally mask flag into the ambient variable
* classification_flags_tested.
*/
-#define TEST_CLASSIFICATION_MACRO(cond, flag, alg, flags) \
+#define TEST_CLASSIFICATION_MACRO(cond, flag, alg, flags) \
do \
{ \
- if (cond) \
+ if (cond) \
{ \
- if ((flags) & (flag)) \
- TEST_ASSERT(PSA_##flag(alg)); \
+ if ((flags) & (flag)) \
+ TEST_ASSERT(PSA_##flag(alg)); \
else \
- TEST_ASSERT(!PSA_##flag(alg)); \
+ TEST_ASSERT(!PSA_##flag(alg)); \
} \
- classification_flags_tested |= (flag); \
+ classification_flags_tested |= (flag); \
} \
while (0)
@@ -106,7 +106,7 @@
* The expected parity is even so that 0 is considered a valid encoding.
*
* Return a nonzero value if value has even parity and 0 otherwise. */
-int has_even_parity(uint32_t value)
+static int has_even_parity(uint32_t value)
{
value ^= value >> 16;
value ^= value >> 8;
@@ -116,7 +116,7 @@
#define TEST_PARITY(value) \
TEST_ASSERT(has_even_parity(value))
-void algorithm_classification(psa_algorithm_t alg, unsigned flags)
+static void algorithm_classification(psa_algorithm_t alg, unsigned flags)
{
unsigned classification_flags_tested = 0;
TEST_CLASSIFICATION_MACRO(1, ALG_IS_VENDOR_DEFINED, alg, flags);
@@ -155,7 +155,7 @@
exit:;
}
-void key_type_classification(psa_key_type_t type, unsigned flags)
+static void key_type_classification(psa_key_type_t type, unsigned flags)
{
unsigned classification_flags_tested = 0;
@@ -192,9 +192,9 @@
exit:;
}
-void mac_algorithm_core(psa_algorithm_t alg, int classification_flags,
- psa_key_type_t key_type, size_t key_bits,
- size_t length)
+static void mac_algorithm_core(psa_algorithm_t alg, int classification_flags,
+ psa_key_type_t key_type, size_t key_bits,
+ size_t length)
{
/* Algorithm classification */
TEST_ASSERT(!PSA_ALG_IS_HASH(alg));
@@ -218,9 +218,9 @@
exit:;
}
-void aead_algorithm_core(psa_algorithm_t alg, int classification_flags,
- psa_key_type_t key_type, size_t key_bits,
- size_t tag_length)
+static void aead_algorithm_core(psa_algorithm_t alg, int classification_flags,
+ psa_key_type_t key_type, size_t key_bits,
+ size_t tag_length)
{
/* Algorithm classification */
TEST_ASSERT(!PSA_ALG_IS_HASH(alg));
diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function
index 9878237..9289869 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.function
+++ b/tests/suites/test_suite_psa_crypto_op_fail.function
@@ -27,11 +27,11 @@
* run, it would be better to clarify the expectations and reconcile the
* library and the test case generator.
*/
-#define TEST_STATUS(expr1, expr2) \
- do { \
+#define TEST_STATUS(expr1, expr2) \
+ do { \
if (!test_equal_status( #expr1 " == " #expr2, __LINE__, __FILE__, \
- expr1, expr2)) \
- goto exit; \
+ expr1, expr2)) \
+ goto exit; \
} while (0)
/* END_HEADER */
diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function
index 1cc69a7..08c88a1 100644
--- a/tests/suites/test_suite_psa_crypto_pake.function
+++ b/tests/suites/test_suite_psa_crypto_pake.function
@@ -71,9 +71,9 @@
* we're corrupting.
*/
#define DO_ROUND_CONDITIONAL_INJECT(this_stage, buf) \
- if (this_stage == err_stage) \
- { \
- *(buf + 7) ^= 1; \
+ if (this_stage == err_stage) \
+ { \
+ *(buf + 7) ^= 1; \
}
#define DO_ROUND_CONDITIONAL_CHECK_FAILURE(this_stage, function) \
@@ -84,20 +84,20 @@
}
#define DO_ROUND_UPDATE_OFFSETS(main_buf_offset, step_offset, step_size) \
- { \
- step_offset = main_buf_offset; \
- main_buf_offset += step_size; \
+ { \
+ step_offset = main_buf_offset; \
+ main_buf_offset += step_size; \
}
-#define DO_ROUND_CHECK_FAILURE() \
- if (err_stage != ERR_NONE && status != PSA_SUCCESS) \
+#define DO_ROUND_CHECK_FAILURE() \
+ if (err_stage != ERR_NONE && status != PSA_SUCCESS) \
{ \
- TEST_EQUAL(status, expected_error_arg); \
+ TEST_EQUAL(status, expected_error_arg); \
break; \
} \
else \
{ \
- TEST_EQUAL(status, PSA_SUCCESS); \
+ TEST_EQUAL(status, PSA_SUCCESS); \
}
#if defined(PSA_WANT_ALG_JPAKE)
@@ -550,15 +550,15 @@
* - terminated with failure otherwise (either no error was expected at this
* stage or a different error code was expected)
*/
-#define SETUP_ALWAYS_CHECK_STEP(test_function, this_check_err_stage) \
+#define SETUP_ALWAYS_CHECK_STEP(test_function, this_check_err_stage) \
status = test_function; \
- if (err_stage != this_check_err_stage) \
+ if (err_stage != this_check_err_stage) \
{ \
- PSA_ASSERT(status); \
+ PSA_ASSERT(status); \
} \
else \
{ \
- TEST_EQUAL(status, expected_error); \
+ TEST_EQUAL(status, expected_error); \
goto exit; \
}
@@ -572,10 +572,10 @@
* The test succeeds if the returned error is exactly the expected one,
* otherwise it fails.
*/
-#define SETUP_CONDITIONAL_CHECK_STEP(test_function, this_check_err_stage) \
- if (err_stage == this_check_err_stage) \
+#define SETUP_CONDITIONAL_CHECK_STEP(test_function, this_check_err_stage) \
+ if (err_stage == this_check_err_stage) \
{ \
- TEST_EQUAL(test_function, expected_error); \
+ TEST_EQUAL(test_function, expected_error); \
goto exit; \
}
/* END_HEADER */
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.data b/tests/suites/test_suite_psa_crypto_se_driver_hal.data
index cc89c0f..ae4ee0c 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.data
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.data
@@ -148,7 +148,16 @@
Key registration: smoke test
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:1:1:PSA_SUCCESS
-Key registration: invalid lifetime (volatile internal storage)
+Key registration: invalid lifetime (volatile, in SE, id=0)
+register_key_smoke_test:TEST_SE_VOLATILE_LIFETIME:7:0:0:PSA_ERROR_INVALID_ARGUMENT
+
+Key registration: invalid lifetime (volatile, in SE, id=1)
+register_key_smoke_test:TEST_SE_VOLATILE_LIFETIME:7:1:1:PSA_ERROR_INVALID_ARGUMENT
+
+Key registration: invalid lifetime (volatile, internal, id=0)
+register_key_smoke_test:PSA_KEY_LIFETIME_VOLATILE:7:0:0:PSA_ERROR_INVALID_ARGUMENT
+
+Key registration: invalid lifetime (volatile, internal, id=1)
register_key_smoke_test:PSA_KEY_LIFETIME_VOLATILE:7:1:1:PSA_ERROR_INVALID_ARGUMENT
Key registration: invalid lifetime (internal storage)
@@ -169,8 +178,8 @@
Key registration: key id min vendor
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MIN:1:PSA_ERROR_INVALID_ARGUMENT
-Key registration: key id max vendor except volatile
-register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MIN-1:1:PSA_ERROR_INVALID_ARGUMENT
+Key registration: key id max vendor
+register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX:1:PSA_ERROR_INVALID_ARGUMENT
Key registration: key id min volatile
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MIN:1:PSA_ERROR_INVALID_ARGUMENT
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
index 37a72d9..66d2a4e 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@@ -14,8 +14,8 @@
#endif
/* Same in library/psa_crypto.c */
-#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
#define BUILTIN_ALG_ANY_HKDF 1
#endif
@@ -36,11 +36,11 @@
/** The location and lifetime used for tests that use a single driver. */
#define TEST_DRIVER_LOCATION 1
-#define TEST_SE_PERSISTENT_LIFETIME \
+#define TEST_SE_PERSISTENT_LIFETIME \
(PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( \
PSA_KEY_PERSISTENCE_DEFAULT, TEST_DRIVER_LOCATION))
-#define TEST_SE_VOLATILE_LIFETIME \
+#define TEST_SE_VOLATILE_LIFETIME \
(PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( \
PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION))
@@ -54,13 +54,13 @@
*
* Use this macro to assert on guarantees provided by the core.
*/
-#define DRIVER_ASSERT_RETURN(TEST) \
- do { \
- if (!(TEST)) \
- { \
- mbedtls_test_fail( #TEST, __LINE__, __FILE__); \
- return PSA_ERROR_DETECTED_BY_DRIVER; \
- } \
+#define DRIVER_ASSERT_RETURN(TEST) \
+ do { \
+ if (!(TEST)) \
+ { \
+ mbedtls_test_fail( #TEST, __LINE__, __FILE__); \
+ return PSA_ERROR_DETECTED_BY_DRIVER; \
+ } \
} while (0)
/** Like #TEST_ASSERT for use in a driver method, with cleanup.
@@ -70,14 +70,14 @@
*
* Use this macro to assert on guarantees provided by the core.
*/
-#define DRIVER_ASSERT(TEST) \
- do { \
- if (!(TEST)) \
- { \
- mbedtls_test_fail( #TEST, __LINE__, __FILE__); \
+#define DRIVER_ASSERT(TEST) \
+ do { \
+ if (!(TEST)) \
+ { \
+ mbedtls_test_fail( #TEST, __LINE__, __FILE__); \
status = PSA_ERROR_DETECTED_BY_DRIVER; \
goto exit; \
- } \
+ } \
} while (0)
/** Like #PSA_ASSERT for a PSA API call that calls a driver underneath.
@@ -91,16 +91,16 @@
* case, the test driver code is expected to have called mbedtls_test_fail()
* already, so we make sure not to overwrite the failure information.
*/
-#define PSA_ASSERT_VIA_DRIVER(expr, expected_status) \
- do { \
- psa_status_t PSA_ASSERT_VIA_DRIVER_status = (expr); \
- if (PSA_ASSERT_VIA_DRIVER_status == PSA_ERROR_DETECTED_BY_DRIVER) \
- goto exit; \
- if (PSA_ASSERT_VIA_DRIVER_status != (expected_status)) \
- { \
+#define PSA_ASSERT_VIA_DRIVER(expr, expected_status) \
+ do { \
+ psa_status_t PSA_ASSERT_VIA_DRIVER_status = (expr); \
+ if (PSA_ASSERT_VIA_DRIVER_status == PSA_ERROR_DETECTED_BY_DRIVER) \
+ goto exit; \
+ if (PSA_ASSERT_VIA_DRIVER_status != (expected_status)) \
+ { \
mbedtls_test_fail( #expr, __LINE__, __FILE__); \
- goto exit; \
- } \
+ goto exit; \
+ } \
} while (0)
@@ -599,7 +599,7 @@
* If this changes, the storage format version must change.
* See psa_get_se_driver_its_file_uid() in psa_crypto_se.c.
*/
-psa_storage_uid_t file_uid_for_location(psa_key_location_t location)
+static psa_storage_uid_t file_uid_for_location(psa_key_location_t location)
{
if (location > PSA_MAX_SE_LOCATION) {
return 0;
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
index b6d3a34..efd24e9 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
@@ -6,7 +6,7 @@
/** The location and lifetime used for tests that use a single driver. */
#define TEST_DRIVER_LOCATION 1
-#define TEST_SE_PERSISTENT_LIFETIME \
+#define TEST_SE_PERSISTENT_LIFETIME \
(PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( \
PSA_KEY_PERSISTENCE_DEFAULT, TEST_DRIVER_LOCATION))
@@ -162,11 +162,11 @@
return mock_import_data.return_value;
}
-psa_status_t mock_export(psa_drv_se_context_t *context,
- psa_key_slot_number_t slot_number,
- uint8_t *p_data,
- size_t data_size,
- size_t *p_data_length)
+static psa_status_t mock_export(psa_drv_se_context_t *context,
+ psa_key_slot_number_t slot_number,
+ uint8_t *p_data,
+ size_t data_size,
+ size_t *p_data_length)
{
(void) context;
(void) p_data;
@@ -179,11 +179,11 @@
return mock_export_data.return_value;
}
-psa_status_t mock_export_public(psa_drv_se_context_t *context,
- psa_key_slot_number_t slot_number,
- uint8_t *p_data,
- size_t data_size,
- size_t *p_data_length)
+static psa_status_t mock_export_public(psa_drv_se_context_t *context,
+ psa_key_slot_number_t slot_number,
+ uint8_t *p_data,
+ size_t data_size,
+ size_t *p_data_length)
{
(void) context;
(void) p_data;
@@ -196,14 +196,14 @@
return mock_export_public_data.return_value;
}
-psa_status_t mock_sign(psa_drv_se_context_t *context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t alg,
- const uint8_t *p_hash,
- size_t hash_length,
- uint8_t *p_signature,
- size_t signature_size,
- size_t *p_signature_length)
+static psa_status_t mock_sign(psa_drv_se_context_t *context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t alg,
+ const uint8_t *p_hash,
+ size_t hash_length,
+ uint8_t *p_signature,
+ size_t signature_size,
+ size_t *p_signature_length)
{
(void) context;
(void) p_hash;
@@ -219,13 +219,13 @@
return mock_sign_data.return_value;
}
-psa_status_t mock_verify(psa_drv_se_context_t *context,
- psa_key_slot_number_t key_slot,
- psa_algorithm_t alg,
- const uint8_t *p_hash,
- size_t hash_length,
- const uint8_t *p_signature,
- size_t signature_length)
+static psa_status_t mock_verify(psa_drv_se_context_t *context,
+ psa_key_slot_number_t key_slot,
+ psa_algorithm_t alg,
+ const uint8_t *p_hash,
+ size_t hash_length,
+ const uint8_t *p_signature,
+ size_t signature_length)
{
(void) context;
(void) p_hash;
@@ -240,11 +240,11 @@
return mock_verify_data.return_value;
}
-psa_status_t mock_allocate(psa_drv_se_context_t *drv_context,
- void *persistent_data,
- const psa_key_attributes_t *attributes,
- psa_key_creation_method_t method,
- psa_key_slot_number_t *key_slot)
+static psa_status_t mock_allocate(psa_drv_se_context_t *drv_context,
+ void *persistent_data,
+ const psa_key_attributes_t *attributes,
+ psa_key_creation_method_t method,
+ psa_key_slot_number_t *key_slot)
{
(void) drv_context;
(void) persistent_data;
@@ -258,9 +258,9 @@
return mock_allocate_data.return_value;
}
-psa_status_t mock_destroy(psa_drv_se_context_t *context,
- void *persistent_data,
- psa_key_slot_number_t slot_number)
+static psa_status_t mock_destroy(psa_drv_se_context_t *context,
+ void *persistent_data,
+ psa_key_slot_number_t slot_number)
{
(void) context;
(void) persistent_data;
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.data b/tests/suites/test_suite_psa_crypto_slot_management.data
index 7d364ac..f379dba 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.data
+++ b/tests/suites/test_suite_psa_crypto_slot_management.data
@@ -122,7 +122,18 @@
Open failure: invalid identifier (implementation range)
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
-open_fail:PSA_KEY_ID_USER_MAX + 1:PSA_ERROR_DOES_NOT_EXIST
+# We need to avoid existing volatile key IDs. Normally there aren't any
+# existing volatile keys because the test case doesn't create any, but
+# in some configurations, the implementation or a driver creates a
+# volatile key during initialization for its own use. At the time of
+# writing, this happens in builds where AES uses a PSA driver and the
+# PSA RNG uses AES-CTR_DRBG through the PSA AES.
+# Pick a key id that's in the middle of the volatile key ID range.
+# That works out both when MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled and
+# volatile key IDs are assigned starting with the lowest value, and when
+# MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled and volatile key IDs are assigned
+# starting with the highest values.
+open_fail:(PSA_KEY_ID_VOLATILE_MIN + PSA_KEY_ID_VOLATILE_MAX) / 2:PSA_ERROR_DOES_NOT_EXIST
Open failure: non-existent identifier
depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
@@ -214,8 +225,25 @@
invalid handle: huge
invalid_handle:INVALID_HANDLE_HUGE:PSA_ERROR_INVALID_HANDLE
-Open many transient keys
-many_transient_keys:42
+Key slot count: maximum
+many_transient_keys:MBEDTLS_PSA_KEY_SLOT_COUNT - MBEDTLS_TEST_PSA_INTERNAL_KEYS
+
+Key slot count: dynamic: more than MBEDTLS_PSA_KEY_SLOT_COUNT
+depends_on:MBEDTLS_PSA_KEY_STORE_DYNAMIC
+# Check that MBEDTLS_PSA_KEY_SLOT_COUNT doesn't apply to volatile keys.
+many_transient_keys:MBEDTLS_PSA_KEY_SLOT_COUNT + 1
+
+Key slot count: try to overfill, destroy first
+fill_key_store:0
+
+Key slot count: try to overfill, destroy second
+fill_key_store:1
+
+Key slot count: try to overfill, destroy next-to-last
+fill_key_store:-2
+
+Key slot count: try to overfill, destroy last
+fill_key_store:-1
# Eviction from a key slot to be able to import a new persistent key.
Key slot eviction to import a new persistent key
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function
index 94f26f6..604c4bd 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.function
+++ b/tests/suites/test_suite_psa_crypto_slot_management.function
@@ -98,6 +98,31 @@
return 0;
}
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+#if defined(MBEDTLS_TEST_HOOKS)
+/* Artificially restrictable dynamic key store */
+#define KEY_SLICE_1_LENGTH 4
+#define KEY_SLICE_2_LENGTH 10
+static size_t tiny_key_slice_length(size_t slice_idx)
+{
+ switch (slice_idx) {
+ case 1: return KEY_SLICE_1_LENGTH;
+ case 2: return KEY_SLICE_2_LENGTH;
+ default: return 1;
+ }
+}
+#define MAX_VOLATILE_KEYS \
+ (KEY_SLICE_1_LENGTH + KEY_SLICE_2_LENGTH + \
+ psa_key_slot_volatile_slice_count() - 2)
+
+#else /* Effectively unbounded dynamic key store */
+#undef MAX_VOLATILE_KEYS
+#endif
+
+#else /* Static key store */
+#define MAX_VOLATILE_KEYS MBEDTLS_PSA_KEY_SLOT_COUNT
+#endif
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -813,21 +838,19 @@
psa_set_key_type(&attributes, PSA_KEY_TYPE_RAW_DATA);
for (i = 0; i < max_keys; i++) {
+ mbedtls_test_set_step(i);
status = psa_import_key(&attributes,
(uint8_t *) &i, sizeof(i),
&keys[i]);
- if (status == PSA_ERROR_INSUFFICIENT_MEMORY) {
- break;
- }
PSA_ASSERT(status);
TEST_ASSERT(!mbedtls_svc_key_id_is_null(keys[i]));
for (j = 0; j < i; j++) {
TEST_ASSERT(!mbedtls_svc_key_id_equal(keys[i], keys[j]));
}
}
- max_keys = i;
for (i = 1; i < max_keys; i++) {
+ mbedtls_test_set_step(i);
PSA_ASSERT(psa_close_key(keys[i - 1]));
PSA_ASSERT(psa_export_key(keys[i],
exported, sizeof(exported),
@@ -843,6 +866,119 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MAX_VOLATILE_KEYS */
+/*
+ * 1. Fill the key store with volatile keys.
+ * 2. Check that attempting to create another volatile key fails without
+ * corrupting the key store.
+ * 3. Destroy the key specified by key_to_destroy. This is the number of the
+ * key in creation order (e.g. 0 means the first key that was created).
+ * It can also be a negative value to count in reverse order (e.g.
+ * -1 means to destroy the last key that was created).
+ * 4. Check that creating another volatile key succeeds.
+ */
+void fill_key_store(int key_to_destroy_arg)
+{
+ mbedtls_svc_key_id_t *keys = NULL;
+ size_t max_keys = MAX_VOLATILE_KEYS;
+ size_t i, j;
+ psa_status_t status;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t exported[sizeof(size_t)];
+ size_t exported_length;
+
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) && defined(MBEDTLS_TEST_HOOKS)
+ mbedtls_test_hook_psa_volatile_key_slice_length = &tiny_key_slice_length;
+#endif
+
+ PSA_ASSERT(psa_crypto_init());
+
+ mbedtls_psa_stats_t stats;
+ mbedtls_psa_get_stats(&stats);
+ /* Account for any system-created volatile key, e.g. for the RNG. */
+ max_keys -= stats.volatile_slots;
+ TEST_CALLOC(keys, max_keys + 1);
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT);
+ psa_set_key_algorithm(&attributes, 0);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RAW_DATA);
+
+ /* Fill the key store. */
+ for (i = 0; i < max_keys; i++) {
+ mbedtls_test_set_step(i);
+ status = psa_import_key(&attributes,
+ (uint8_t *) &i, sizeof(i),
+ &keys[i]);
+ PSA_ASSERT(status);
+ TEST_ASSERT(!mbedtls_svc_key_id_is_null(keys[i]));
+ for (j = 0; j < i; j++) {
+ TEST_ASSERT(!mbedtls_svc_key_id_equal(keys[i], keys[j]));
+ }
+ }
+
+ /* Attempt to overfill. */
+ mbedtls_test_set_step(max_keys);
+ status = psa_import_key(&attributes,
+ (uint8_t *) &max_keys, sizeof(max_keys),
+ &keys[max_keys]);
+ TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_MEMORY);
+ TEST_ASSERT(mbedtls_svc_key_id_is_null(keys[max_keys]));
+
+ /* Check that the keys are not corrupted. */
+ for (i = 0; i < max_keys; i++) {
+ mbedtls_test_set_step(i);
+ PSA_ASSERT(psa_export_key(keys[i],
+ exported, sizeof(exported),
+ &exported_length));
+ TEST_MEMORY_COMPARE(exported, exported_length,
+ (uint8_t *) &i, sizeof(i));
+ }
+
+ /* Destroy one key and try again. */
+ size_t key_to_destroy = (key_to_destroy_arg >= 0 ?
+ (size_t) key_to_destroy_arg :
+ max_keys + key_to_destroy_arg);
+ mbedtls_svc_key_id_t reused_id = keys[key_to_destroy];
+ const uint8_t replacement_value[1] = { 0x64 };
+ PSA_ASSERT(psa_destroy_key(keys[key_to_destroy]));
+ keys[key_to_destroy] = MBEDTLS_SVC_KEY_ID_INIT;
+ status = psa_import_key(&attributes,
+ replacement_value, sizeof(replacement_value),
+ &keys[key_to_destroy]);
+ PSA_ASSERT(status);
+ /* Since the key store was full except for one key, the new key must be
+ * in the same slot in the key store as the destroyed key.
+ * Since volatile keys IDs are assigned based on which slot contains
+ * the key, the new key should have the same ID as the destroyed key.
+ */
+ TEST_ASSERT(mbedtls_svc_key_id_equal(reused_id, keys[key_to_destroy]));
+
+ /* Check that the keys are not corrupted and destroy them. */
+ for (i = 0; i < max_keys; i++) {
+ mbedtls_test_set_step(i);
+ PSA_ASSERT(psa_export_key(keys[i],
+ exported, sizeof(exported),
+ &exported_length));
+ if (i == key_to_destroy) {
+ TEST_MEMORY_COMPARE(exported, exported_length,
+ replacement_value, sizeof(replacement_value));
+ } else {
+ TEST_MEMORY_COMPARE(exported, exported_length,
+ (uint8_t *) &i, sizeof(i));
+ }
+ PSA_ASSERT(psa_destroy_key(keys[i]));
+ keys[i] = MBEDTLS_SVC_KEY_ID_INIT;
+ }
+
+exit:
+ PSA_DONE();
+ mbedtls_free(keys);
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) && defined(MBEDTLS_TEST_HOOKS)
+ mbedtls_test_hook_psa_volatile_key_slice_length = NULL;
+#endif
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */
void key_slot_eviction_to_import_new_key(int lifetime_arg)
{
@@ -919,7 +1055,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C:!MBEDTLS_PSA_KEY_STORE_DYNAMIC */
void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
{
psa_status_t status;
@@ -959,7 +1095,14 @@
TEST_ASSERT(mbedtls_svc_key_id_equal(returned_key_id, persistent_key));
/*
- * Create the maximum available number of volatile keys
+ * Create the maximum available number of keys that are locked in
+ * memory. This can be:
+ * - volatile keys, when MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled;
+ * - opened persistent keys (could work, but not currently implemented
+ * in this test function);
+ * - keys in use by another thread (we don't do this because it would
+ * be hard to arrange and we can't control how long the keys are
+ * locked anyway).
*/
psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
for (i = 0; i < available_key_slots; i++) {
diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data
index 807007b..c84a836 100644
--- a/tests/suites/test_suite_psa_crypto_util.data
+++ b/tests/suites/test_suite_psa_crypto_util.data
@@ -6,6 +6,16 @@
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+# Check coordinates one byte larger than the largest supported curve.
+# If we add an even larger curve, this test case will fail in the full
+# configuration because mbedtls_ecdsa_raw_to_der() will return 0, and we'll
+# need to use larger data for this test case.
+ECDSA Raw -> DER, very large input (536-bit)
+ecdsa_raw_to_der:536:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818a024311111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024322222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
+ECDSA Raw -> DER, very large input (1016-bit)
+ecdsa_raw_to_der:1016:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30820102027f11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111027f22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
ECDSA Raw -> DER, 256bit, Null r
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
@@ -58,6 +68,16 @@
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+# Check coordinates one byte larger than the largest supported curve.
+# If we add an even larger curve, this test case will fail in the full
+# configuration because mbedtls_ecdsa_der_to_raw() will return 0, and we'll
+# need to use larger data for this test case.
+ECDSA DER -> Raw, very large input (536-bit)
+ecdsa_der_to_raw:536:"30818a024311111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024322222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
+ECDSA DER -> Raw, very large input (1016-bit)
+ecdsa_der_to_raw:1016:"30820102027f11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111027f22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
ECDSA DER -> Raw, 256bit, Wrong sequence tag
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
diff --git a/tests/suites/test_suite_psa_its.function b/tests/suites/test_suite_psa_its.function
index 0f66c79..ce3433f 100644
--- a/tests/suites/test_suite_psa_its.function
+++ b/tests/suites/test_suite_psa_its.function
@@ -19,11 +19,11 @@
#define PSA_ITS_STORAGE_PREFIX ""
#define PSA_ITS_STORAGE_FILENAME_PATTERN "%08lx%08lx"
#define PSA_ITS_STORAGE_SUFFIX ".psa_its"
-#define PSA_ITS_STORAGE_FILENAME_LENGTH \
- (sizeof(PSA_ITS_STORAGE_PREFIX) - 1 + /*prefix without terminating 0*/ \
- 16 + /*UID (64-bit number in hex)*/ \
- 16 + /*UID (64-bit number in hex)*/ \
- sizeof(PSA_ITS_STORAGE_SUFFIX) - 1 + /*suffix without terminating 0*/ \
+#define PSA_ITS_STORAGE_FILENAME_LENGTH \
+ (sizeof(PSA_ITS_STORAGE_PREFIX) - 1 + /*prefix without terminating 0*/ \
+ 16 + /*UID (64-bit number in hex)*/ \
+ 16 + /*UID (64-bit number in hex)*/ \
+ sizeof(PSA_ITS_STORAGE_SUFFIX) - 1 + /*suffix without terminating 0*/ \
1 /*terminating null byte*/)
#define PSA_ITS_STORAGE_TEMP \
PSA_ITS_STORAGE_PREFIX "tempfile" PSA_ITS_STORAGE_SUFFIX
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 840af7d..343e58a 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1623,11 +1623,11 @@
unsigned char const *lbl = NULL;
size_t lbl_len;
-#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
- if (label_idx == (int) tls13_label_ ## name) \
+#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
+ if (label_idx == (int) tls13_label_ ## name) \
{ \
lbl = mbedtls_ssl_tls13_labels.name; \
- lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \
+ lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \
}
MBEDTLS_SSL_TLS1_3_LABEL_LIST
#undef MBEDTLS_SSL_TLS1_3_LABEL
@@ -1667,7 +1667,7 @@
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH(alg);
- TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
+ TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
secret->len == hash_len &&
transcript->len == hash_len &&
traffic_expected->len == hash_len &&
@@ -1701,7 +1701,7 @@
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH(alg);
- TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
+ TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
secret->len == hash_len &&
transcript->len == hash_len &&
client_expected->len == hash_len &&
@@ -1736,7 +1736,7 @@
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH(alg);
- TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
+ TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
secret->len == hash_len &&
transcript->len == hash_len &&
client_expected->len == hash_len &&
@@ -1772,7 +1772,7 @@
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH(alg);
- TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
+ TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
secret->len == hash_len &&
transcript->len == hash_len &&
resumption_expected->len == hash_len);
@@ -1803,7 +1803,7 @@
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH(alg);
- TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
+ TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
transcript->len == hash_len &&
binder_expected->len == hash_len);
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 0edee96..670e06b 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compile time library version
-check_compiletime_version:"3.6.0"
+check_compiletime_version:"3.6.1"
Check runtime library version
-check_runtime_version:"3.6.0"
+check_runtime_version:"3.6.1"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index ba71c8f..9fc0e55 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -60,7 +60,10 @@
1024,
};
-int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#if defined(MBEDTLS_FS_IO)
+static int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
{
((void) data);
((void) crt);
@@ -70,7 +73,7 @@
return 0;
}
-int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+static int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
{
((void) data);
((void) crt);
@@ -80,8 +83,10 @@
return 0;
}
-#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
-int ca_callback_fail(void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidates)
+#if defined(MBEDTLS_X509_CRL_PARSE_C) && \
+ defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+static int ca_callback_fail(void *data, mbedtls_x509_crt const *child,
+ mbedtls_x509_crt **candidates)
{
((void) data);
((void) child);
@@ -89,9 +94,9 @@
return -1;
}
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-int ca_callback(void *data, mbedtls_x509_crt const *child,
- mbedtls_x509_crt **candidates)
+
+static int ca_callback(void *data, mbedtls_x509_crt const *child,
+ mbedtls_x509_crt **candidates)
{
int ret = 0;
mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data;
@@ -138,10 +143,9 @@
*candidates = first;
return ret;
}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+#endif /* MBEDTLS_X509_CRL_PARSE_C && MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
-int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+static int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
{
int *levels = (int *) data;
@@ -158,7 +162,7 @@
}
/* strsep() not available on Windows */
-char *mystrsep(char **stringp, const char *delim)
+static char *mystrsep(char **stringp, const char *delim)
{
const char *p;
char *ret = *stringp;
@@ -186,19 +190,18 @@
return ret;
}
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
typedef struct {
char buf[512];
char *p;
} verify_print_context;
-void verify_print_init(verify_print_context *ctx)
+static void verify_print_init(verify_print_context *ctx)
{
memset(ctx, 0, sizeof(verify_print_context));
ctx->p = ctx->buf;
}
-int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+static int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
{
int ret;
verify_print_context *ctx = (verify_print_context *) data;
@@ -226,8 +229,8 @@
return 0;
}
-int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
- char **buf, size_t *size)
+static int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
+ char **buf, size_t *size)
{
int ret;
size_t i;
@@ -316,9 +319,10 @@
return 0;
}
+#endif /* MBEDTLS_FS_IO */
-int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid,
- int critical, const unsigned char *cp, const unsigned char *end)
+static int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid,
+ int critical, const unsigned char *cp, const unsigned char *end)
{
(void) crt;
(void) critical;
@@ -416,9 +420,14 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_X509_CSR_PARSE_C)
-int parse_csr_ext_accept_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid,
- int critical, const unsigned char *cp, const unsigned char *end)
+#if defined(MBEDTLS_X509_CSR_PARSE_C) && \
+ !defined(MBEDTLS_X509_REMOVE_INFO)
+static int parse_csr_ext_accept_cb(void *p_ctx,
+ mbedtls_x509_csr const *csr,
+ mbedtls_x509_buf const *oid,
+ int critical,
+ const unsigned char *cp,
+ const unsigned char *end)
{
(void) p_ctx;
(void) csr;
@@ -430,8 +439,12 @@
return 0;
}
-int parse_csr_ext_reject_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid,
- int critical, const unsigned char *cp, const unsigned char *end)
+static int parse_csr_ext_reject_cb(void *p_ctx,
+ mbedtls_x509_csr const *csr,
+ mbedtls_x509_buf const *oid,
+ int critical,
+ const unsigned char *cp,
+ const unsigned char *end)
{
(void) p_ctx;
(void) csr;
@@ -443,7 +456,7 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
}
-#endif /* MBEDTLS_X509_CSR_PARSE_C */
+#endif /* MBEDTLS_X509_CSR_PARSE_C && !MBEDTLS_X509_REMOVE_INFO */
/* END_HEADER */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 1db7e1c..2762b0f 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -10,27 +10,31 @@
#include "mbedtls/pk.h"
#include "mbedtls/psa_util.h"
-#if defined(MBEDTLS_RSA_C)
-int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
- const unsigned char *input, unsigned char *output,
- size_t output_max_len)
+#if defined(MBEDTLS_PEM_WRITE_C) && \
+ defined(MBEDTLS_X509_CRT_WRITE_C) && \
+ defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ defined(MBEDTLS_MD_CAN_SHA1) && \
+ defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+static int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ size_t output_max_len)
{
return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx, NULL, NULL,
olen, input, output, output_max_len);
}
-int mbedtls_rsa_sign_func(void *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_md_type_t md_alg, unsigned int hashlen,
- const unsigned char *hash, unsigned char *sig)
+static int mbedtls_rsa_sign_func(void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_md_type_t md_alg, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig)
{
return mbedtls_rsa_pkcs1_sign((mbedtls_rsa_context *) ctx, f_rng, p_rng,
md_alg, hashlen, hash, sig);
}
-size_t mbedtls_rsa_key_len_func(void *ctx)
+static size_t mbedtls_rsa_key_len_func(void *ctx)
{
return ((const mbedtls_rsa_context *) ctx)->len;
}
-#endif /* MBEDTLS_RSA_C */
+#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)