Merge remote-tracking branch 'origin/pr/2390' into mbedtls-2.7
* origin/pr/2390:
Correct length check for DTLS records from old epochs.
diff --git a/ChangeLog b/ChangeLog
index 3cce6d8..bae12c9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,11 +2,34 @@
= mbed TLS 2.7.x branch released xxxx-xx-xx
+Features
+ * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
+ from the default list (enabled by default). See
+ https://sweet32.info/SWEET32_CCS16.pdf.
+
Bugfix
* Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
Raised as a comment in #1996.
* Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
* Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
+ * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
+ Fixes #2190.
+ * Ensure that unused bits are zero when writing ASN.1 bitstrings when using
+ mbedtls_asn1_write_bitstring().
+ * Fix issue when writing the named bitstrings in KeyUsage and NsCertType
+ extensions in CSRs and CRTs that caused these bitstrings to not be encoded
+ correctly as trailing zeroes were not accounted for as unused bits in the
+ leading content octet. Fixes #1610.
+ * Server's RSA certificate in certs.c was SHA-1 signed. In the default
+ mbedTLS configuration only SHA-2 signed certificates are accepted.
+ This certificate is used in the demo server programs, which lead the
+ client programs to fail at the peer's certificate verification
+ due to an unacceptable hash signature. The certificate has been
+ updated to one that is SHA-256 signed. Fix contributed by
+ Illya Gerasymchuk.
+ * Fix private key DER output in the key_app_writer example. File contents
+ were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
+ Christian Walther in #2239.
Changes
* Include configuration file in all header files that use configuration,
@@ -14,6 +37,21 @@
Inserted as an enhancement for #1371
* Add support for alternative CSR headers, as used by Microsoft and defined
in RFC 7468. Found by Michael Ernst. Fixes #767.
+ * Fix clobber list in MIPS assembly for large integer multiplication.
+ Previously, this could lead to functionally incorrect assembly being
+ produced by some optimizing compilers, showing up as failures in
+ e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
+ by Aurelien Jarno and submitted by Jeffrey Martin.
+ * Reduce the complexity of the timing tests. They were assuming more than the
+ underlying OS actually guarantees.
+ * Ciphersuites based on 3DES now have the lowest priority by default when
+ they are enabled.
+ * Return from various debugging routines immediately if the
+ provided SSL context is unset.
+ * Remove dead code from bignum.c in the default configuration.
+ Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
+ * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
+ Contributed by Peter Kolbus (Garmin).
= mbed TLS 2.7.9 branch released 2018-12-21
diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h
index dc6947b..083601a 100644
--- a/include/mbedtls/asn1write.h
+++ b/include/mbedtls/asn1write.h
@@ -189,24 +189,27 @@
const char *text, size_t text_len );
/**
- * \brief Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
- * value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ * value in ASN.1 format.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param buf the bitstring
- * \param bits the total number of bits in the bitstring
+ * \note This function works backwards in data buffer.
*
- * \return the length written or a negative error code
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param buf The bitstring to write.
+ * \param bits The total number of bits in the bitstring.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
*/
int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
const unsigned char *buf, size_t bits );
/**
- * \brief Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and
- * value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ * and value in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
* \param p reference to current position pointer
* \param start start of the buffer (for bounds-checking)
diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h
index dbdc0a3..3a254aa 100644
--- a/include/mbedtls/bn_mul.h
+++ b/include/mbedtls/bn_mul.h
@@ -740,7 +740,7 @@
"sw $10, %2 \n\t" \
: "=m" (c), "=m" (d), "=m" (s) \
: "m" (s), "m" (d), "m" (c), "m" (b) \
- : "$9", "$10", "$11", "$12", "$13", "$14", "$15" \
+ : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
);
#endif /* MIPS */
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 50239e1..f3039f9 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -557,6 +557,26 @@
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
+/**
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
*
* MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index 0c6ccad..a3c2804 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -205,6 +205,14 @@
* \param key_usage key usage flags to set
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note The <code>decipherOnly</code> flag from the Key Usage
+ * extension is represented by bit 8 (i.e.
+ * <code>0x8000</code>), which cannot typically be represented
+ * in an unsigned char. Therefore, the flag
+ * <code>decipherOnly</code> (i.e.
+ * #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ * function.
*/
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 59df958..3afdcc5 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -91,6 +91,12 @@
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
endif(CMAKE_COMPILER_IS_CLANG)
+if(UNSAFE_BUILD)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-error")
+ set(CMAKE_C_FLAGS_ASAN "${CMAKE_C_FLAGS_ASAN} -Wno-error")
+ set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error")
+endif(UNSAFE_BUILD)
+
if(WIN32)
set(libs ${libs} ws2_32)
endif(WIN32)
diff --git a/library/asn1write.c b/library/asn1write.c
index c13e85e..b451887 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -294,22 +294,28 @@
const unsigned char *buf, size_t bits )
{
int ret;
- size_t len = 0, size;
+ size_t len = 0;
+ size_t unused_bits, byte_len;
- size = ( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 );
+ byte_len = ( bits + 7 ) / 8;
+ unused_bits = ( byte_len * 8 ) - bits;
- // Calculate byte length
- //
- if( *p < start || (size_t)( *p - start ) < size + 1 )
+ if( *p < start || (size_t)( *p - start ) < byte_len + 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
- len = size + 1;
- (*p) -= size;
- memcpy( *p, buf, size );
+ len = byte_len + 1;
- // Write unused bits
- //
- *--(*p) = (unsigned char) (size * 8 - bits);
+ /* Write the bitstring. Ensure the unused bits are zeroed */
+ if( byte_len > 0 )
+ {
+ byte_len--;
+ *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 );
+ ( *p ) -= byte_len;
+ memcpy( *p, buf, byte_len );
+ }
+
+ /* Write unused bits */
+ *--( *p ) = (unsigned char)unused_bits;
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
diff --git a/library/bignum.c b/library/bignum.c
index 18daea2..f6e50b9 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -500,26 +500,38 @@
}
/*
- * Helper to write the digits high-order first
+ * Helper to write the digits high-order first.
*/
-static int mpi_write_hlp( mbedtls_mpi *X, int radix, char **p )
+static int mpi_write_hlp( mbedtls_mpi *X, int radix,
+ char **p, const size_t buflen )
{
int ret;
mbedtls_mpi_uint r;
+ size_t length = 0;
+ char *p_end = *p + buflen;
- if( radix < 2 || radix > 16 )
- return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+ do
+ {
+ if( length >= buflen )
+ {
+ return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+ }
- MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+ /*
+ * Write the residue in the current position, as an ASCII character.
+ */
+ if( r < 0xA )
+ *(--p_end) = (char)( '0' + r );
+ else
+ *(--p_end) = (char)( 'A' + ( r - 0xA ) );
- if( mbedtls_mpi_cmp_int( X, 0 ) != 0 )
- MBEDTLS_MPI_CHK( mpi_write_hlp( X, radix, p ) );
+ length++;
+ } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
- if( r < 10 )
- *(*p)++ = (char)( r + 0x30 );
- else
- *(*p)++ = (char)( r + 0x37 );
+ memmove( *p, p_end, length );
+ *p += length;
cleanup:
@@ -589,7 +601,7 @@
if( T.s == -1 )
T.s = 1;
- MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
+ MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
}
*p++ = '\0';
@@ -1667,8 +1679,10 @@
wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
+#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
wsize = MBEDTLS_MPI_WINDOW_SIZE;
+#endif
j = N->n + 1;
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
diff --git a/library/certs.c b/library/certs.c
index f1379b8..2c6fbdf 100644
--- a/library/certs.c
+++ b/library/certs.c
@@ -116,7 +116,6 @@
#endif /* MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_RSA_C)
-
#if defined(MBEDTLS_SHA256_C)
#define TEST_CA_CRT_RSA_SHA256 \
"-----BEGIN CERTIFICATE-----\r\n" \
@@ -141,13 +140,11 @@
"n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n" \
"-----END CERTIFICATE-----\r\n"
+static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA256;
const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
#define TEST_CA_CRT_RSA_SOME
-
-static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
-
-#endif
+#endif /* MBEDTLS_SHA256_C */
#if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
#define TEST_CA_CRT_RSA_SHA1 \
@@ -173,14 +170,72 @@
"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
"-----END CERTIFICATE-----\r\n"
+static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+
#if !defined (TEST_CA_CRT_RSA_SOME)
const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-#endif
+#endif /* !TEST_CA_CRT_RSA_SOME */
+#endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */
-static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+#if defined(MBEDTLS_SHA256_C)
+/* tests/data_files/server2-sha256.crt */
+#define TEST_SRV_CRT_RSA_SHA256 \
+"-----BEGIN CERTIFICATE-----\r\n" \
+"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAGGEshT5\r\n" \
+"kvnRmLVScVeUEdwIrvW7ezbGbUvJ8VxeJ79/HSjlLiGbMc4uUathwtzEdi9R/4C5\r\n" \
+"DXBNeEPTkbB+fhG1W06iHYj/Dp8+aaG7fuDxKVKHVZSqBnmQLn73ymyclZNHii5A\r\n" \
+"3nTS8WUaHAzxN/rajOtoM7aH1P9tULpHrl+7HOeLMpxUnwI12ZqZaLIzxbcdJVcr\r\n" \
+"ra2F00aXCGkYVLvyvbZIq7LC+yVysej5gCeQYD7VFOEks0jhFjrS06gP0/XnWv6v\r\n" \
+"eBoPez9d+CCjkrhseiWzXOiriIMICX48EloO/DrsMRAtvlwq7EDz4QhILz6ffndm\r\n" \
+"e4K1cVANRPN2o9Y=\r\n" \
+"-----END CERTIFICATE-----\r\n"
-#endif
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+#define TEST_SRV_CRT_RSA_SOME
+#endif /* MBEDTLS_SHA256_C */
+
+#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
+/* tests/data_files/server2.crt */
+#define TEST_SRV_CRT_RSA_SHA1 \
+"-----BEGIN CERTIFICATE-----\r\n" \
+"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n" \
+"oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n" \
+"UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n" \
+"iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n" \
+"wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n" \
+"RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n" \
+"zhuYwjVuX6JHG0c=\r\n" \
+"-----END CERTIFICATE-----\r\n";
+
+#if !defined(TEST_SRV_CRT_RSA_SOME)
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+#endif /* TEST_SRV_CRT_RSA_SOME */
+#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
const char mbedtls_test_ca_key_rsa[] =
"-----BEGIN RSA PRIVATE KEY-----\r\n"
@@ -218,29 +273,6 @@
const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
-const char mbedtls_test_srv_crt_rsa[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
-"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
-"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
-"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
-"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
-"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
-"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
-"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
-"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n"
-"oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n"
-"UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n"
-"iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n"
-"wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n"
-"RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
-"zhuYwjVuX6JHG0c=\r\n"
-"-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-
const char mbedtls_test_srv_key_rsa[] =
"-----BEGIN RSA PRIVATE KEY-----\r\n"
"MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
diff --git a/library/debug.c b/library/debug.c
index db3924a..30c8c7b 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -86,8 +86,13 @@
char str[DEBUG_BUF_SIZE];
int ret;
- if( NULL == ssl || NULL == ssl->conf || NULL == ssl->conf->f_dbg || level > debug_threshold )
+ if( NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold )
+ {
return;
+ }
va_start( argp, format );
#if defined(_WIN32)
@@ -121,8 +126,13 @@
{
char str[DEBUG_BUF_SIZE];
- if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold )
+ if( NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold )
+ {
return;
+ }
/*
* With non-blocking I/O and examples that just retry immediately,
@@ -146,8 +156,13 @@
char txt[17];
size_t i, idx = 0;
- if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold )
+ if( NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold )
+ {
return;
+ }
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n",
text, (unsigned int) len );
@@ -199,8 +214,13 @@
{
char str[DEBUG_BUF_SIZE];
- if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold )
+ if( NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold )
+ {
return;
+ }
mbedtls_snprintf( str, sizeof( str ), "%s(X)", text );
mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->X );
@@ -219,8 +239,14 @@
int j, k, zeros = 1;
size_t i, n, idx = 0;
- if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || X == NULL || level > debug_threshold )
+ if( NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ NULL == X ||
+ level > debug_threshold )
+ {
return;
+ }
for( n = X->n - 1; n > 0; n-- )
if( X->p[n] != 0 )
@@ -345,8 +371,14 @@
char str[DEBUG_BUF_SIZE];
int i = 0;
- if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || crt == NULL || level > debug_threshold )
+ if( NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ NULL == crt ||
+ level > debug_threshold )
+ {
return;
+ }
while( crt != NULL )
{
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 800b5f8..01d1c45 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -43,11 +43,11 @@
/*
* Ordered from most preferred to least preferred in terms of security.
*
- * Current rule (except rc4, weak and null which come last):
+ * Current rule (except RC4 and 3DES, weak and null which come last):
* 1. By key exchange:
* Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
* 2. By key length and cipher:
- * AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES
+ * AES-256 > Camellia-256 > AES-128 > Camellia-128
* 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
* 4. By hash function used when relevant
* 5. By key exchange/auth again: EC > non-EC
@@ -105,11 +105,6 @@
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
- /* All remaining >= 128-bit ephemeral suites */
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-
/* The PSK ephemeral suites */
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
@@ -133,9 +128,6 @@
MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
- MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
-
/* The ECJPAKE suite */
MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
@@ -183,11 +175,6 @@
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
- /* All remaining >= 128-bit suites */
- MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-
/* The RSA PSK suites */
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
@@ -201,8 +188,6 @@
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
- MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
-
/* The PSK suites */
MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
@@ -220,6 +205,16 @@
MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+ /* 3DES suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
/* RC4 suites */
@@ -1704,6 +1699,26 @@
static int supported_ciphersuites[MAX_CIPHERSUITES];
static int supported_init = 0;
+static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
+{
+ (void)cs_info;
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+ if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+ return( 1 );
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+ if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
+ cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
+ {
+ return( 1 );
+ }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+ return( 0 );
+}
+
const int *mbedtls_ssl_list_ciphersuites( void )
{
/*
@@ -1719,14 +1734,12 @@
*p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
p++ )
{
-#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
const mbedtls_ssl_ciphersuite_t *cs_info;
if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
- cs_info->cipher != MBEDTLS_CIPHER_ARC4_128 )
-#else
- if( mbedtls_ssl_ciphersuite_from_id( *p ) != NULL )
-#endif
+ !ciphersuite_is_removed( cs_info ) )
+ {
*(q++) = *p;
+ }
}
*q = 0;
diff --git a/library/version_features.c b/library/version_features.c
index da47e3d..d6deb01 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -270,6 +270,9 @@
#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
"MBEDTLS_REMOVE_ARC4_CIPHERSUITES",
#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+ "MBEDTLS_REMOVE_3DES_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
"MBEDTLS_ECP_DP_SECP192R1_ENABLED",
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 41dfe87..4cdb941 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -222,26 +222,51 @@
}
#endif /* MBEDTLS_SHA1_C */
+static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+ size_t bit_offset )
+{
+ size_t unused_bits;
+
+ /* Count the unused bits removing trailing 0s */
+ for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+ if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+ break;
+
+ return( unused_bits );
+}
+
int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
unsigned int key_usage )
{
unsigned char buf[4], ku;
unsigned char *c;
int ret;
+ size_t unused_bits;
+ const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
+ MBEDTLS_X509_KU_NON_REPUDIATION |
+ MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
+ MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
+ MBEDTLS_X509_KU_KEY_AGREEMENT |
+ MBEDTLS_X509_KU_KEY_CERT_SIGN |
+ MBEDTLS_X509_KU_CRL_SIGN;
- /* We currently only support 7 bits, from 0x80 to 0x02 */
- if( ( key_usage & ~0xfe ) != 0 )
+ /* Check that nothing other than the allowed flags is set */
+ if( ( key_usage & ~allowed_bits ) != 0 )
return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
c = buf + 4;
- ku = (unsigned char) key_usage;
+ ku = (unsigned char)key_usage;
+ unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 );
+ ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits );
- if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 )
+ if( ret < 0 )
return( ret );
+ else if( ret < 3 || ret > 4 )
+ return( MBEDTLS_ERR_X509_INVALID_FORMAT );
ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
- 1, buf, 4 );
+ 1, c, (size_t)ret );
if( ret != 0 )
return( ret );
@@ -253,16 +278,22 @@
{
unsigned char buf[4];
unsigned char *c;
+ size_t unused_bits;
int ret;
c = buf + 4;
- if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
+ unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+ ret = mbedtls_asn1_write_bitstring( &c,
+ buf,
+ &ns_cert_type,
+ 8 - unused_bits );
+ if( ret < 3 || ret > 4 )
return( ret );
ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
- 0, buf, 4 );
+ 0, c, (size_t)ret );
if( ret != 0 )
return( ret );
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index e800538..d59354d 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -85,20 +85,39 @@
0, val, val_len );
}
+static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+ size_t bit_offset )
+{
+ size_t unused_bits;
+
+ /* Count the unused bits removing trailing 0s */
+ for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+ if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+ break;
+
+ return( unused_bits );
+}
+
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
{
unsigned char buf[4];
unsigned char *c;
+ size_t unused_bits;
int ret;
c = buf + 4;
- if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
+ unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 );
+ ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits );
+
+ if( ret < 0 )
return( ret );
+ else if( ret < 3 || ret > 4 )
+ return( MBEDTLS_ERR_X509_INVALID_FORMAT );
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
- buf, 4 );
+ c, (size_t)ret );
if( ret != 0 )
return( ret );
@@ -110,16 +129,25 @@
{
unsigned char buf[4];
unsigned char *c;
+ size_t unused_bits;
int ret;
c = buf + 4;
- if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
+ unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+ ret = mbedtls_asn1_write_bitstring( &c,
+ buf,
+ &ns_cert_type,
+ 8 - unused_bits );
+
+ if( ret < 0 )
+ return( ret );
+ else if( ret < 3 || ret > 4 )
return( ret );
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
- buf, 4 );
+ c, (size_t)ret );
if( ret != 0 )
return( ret );
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index cd0c230..0450a17 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -175,7 +175,7 @@
return( ret );
len = ret;
- c = output_buf + sizeof(output_buf) - len - 1;
+ c = output_buf + sizeof(output_buf) - len;
}
if( ( f = fopen( output_file, "w" ) ) == NULL )
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b6e8a1d..ec23c8a 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -201,8 +201,12 @@
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
-#define USAGE_PSK \
- " psk=%%s default: \"\" (in hex, without 0x)\n" \
+#define USAGE_PSK \
+ " psk=%%s default: \"\" (in hex, without 0x)\n" \
+ " psk_list=%%s default: \"\"\n" \
+ " A list of (PSK identity, PSK value) pairs.\n" \
+ " The PSK values are in hex, without 0x.\n" \
+ " id1,psk1[,id2,psk2[,...]]\n" \
" psk_identity=%%s default: \"Client_identity\"\n"
#else
#define USAGE_PSK ""
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index a32ac50..fd04817 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -63,7 +63,10 @@
#define DFL_OUTPUT_FILENAME "cert.req"
#define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"
#define DFL_KEY_USAGE 0
+#define DFL_FORCE_KEY_USAGE 0
#define DFL_NS_CERT_TYPE 0
+#define DFL_FORCE_NS_CERT_TYPE 0
+#define DFL_MD_ALG MBEDTLS_MD_SHA256
#define USAGE \
"\n usage: cert_req param=<>...\n" \
@@ -81,6 +84,8 @@
" key_agreement\n" \
" key_cert_sign\n" \
" crl_sign\n" \
+ " force_key_usage=0/1 default: off\n" \
+ " Add KeyUsage even if it is empty\n" \
" ns_cert_type=%%s default: (empty)\n" \
" Comma-separated-list of values:\n" \
" ssl_client\n" \
@@ -90,6 +95,13 @@
" ssl_ca\n" \
" email_ca\n" \
" object_signing_ca\n" \
+ " force_ns_cert_type=0/1 default: off\n" \
+ " Add NsCertType even if it is empty\n" \
+ " md=%%s default: SHA256\n" \
+ " possible values:\n" \
+ " MD4, MD5, SHA1\n" \
+ " SHA224, SHA256\n" \
+ " SHA384, SHA512\n" \
"\n"
/*
@@ -102,7 +114,10 @@
const char *output_file; /* where to store the constructed key file */
const char *subject_name; /* subject name for certificate request */
unsigned char key_usage; /* key usage flags */
+ int force_key_usage; /* Force adding the KeyUsage extension */
unsigned char ns_cert_type; /* NS cert type */
+ int force_ns_cert_type; /* Force adding NsCertType extension */
+ mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */
} opt;
int write_certificate_request( mbedtls_x509write_csr *req, const char *output_file,
@@ -151,7 +166,6 @@
* Set to sane values
*/
mbedtls_x509write_csr_init( &req );
- mbedtls_x509write_csr_set_md_alg( &req, MBEDTLS_MD_SHA256 );
mbedtls_pk_init( &key );
mbedtls_ctr_drbg_init( &ctr_drbg );
memset( buf, 0, sizeof( buf ) );
@@ -168,7 +182,10 @@
opt.output_file = DFL_OUTPUT_FILENAME;
opt.subject_name = DFL_SUBJECT_NAME;
opt.key_usage = DFL_KEY_USAGE;
+ opt.force_key_usage = DFL_FORCE_KEY_USAGE;
opt.ns_cert_type = DFL_NS_CERT_TYPE;
+ opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE;
+ opt.md_alg = DFL_MD_ALG;
for( i = 1; i < argc; i++ )
{
@@ -192,6 +209,54 @@
{
opt.subject_name = q;
}
+ else if( strcmp( p, "md" ) == 0 )
+ {
+ if( strcmp( q, "SHA256" ) == 0 )
+ {
+ opt.md_alg = MBEDTLS_MD_SHA256;
+ }
+ else if( strcmp( q, "SHA224" ) == 0 )
+ {
+ opt.md_alg = MBEDTLS_MD_SHA224;
+ }
+ else
+#if defined(MBEDTLS_MD5_C)
+ if( strcmp( q, "MD5" ) == 0 )
+ {
+ opt.md_alg = MBEDTLS_MD_MD5;
+ }
+ else
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_MD4_C)
+ if( strcmp( q, "MD4" ) == 0 )
+ {
+ opt.md_alg = MBEDTLS_MD_MD4;
+ }
+ else
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_SHA1_C)
+ if( strcmp( q, "SHA1" ) == 0 )
+ {
+ opt.md_alg = MBEDTLS_MD_SHA1;
+ }
+ else
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA512_C)
+ if( strcmp( q, "SHA384" ) == 0 )
+ {
+ opt.md_alg = MBEDTLS_MD_SHA384;
+ }
+ else
+ if( strcmp( q, "SHA512" ) == 0 )
+ {
+ opt.md_alg = MBEDTLS_MD_SHA512;
+ }
+ else
+#endif /* MBEDTLS_SHA512_C */
+ {
+ goto usage;
+ }
+ }
else if( strcmp( p, "key_usage" ) == 0 )
{
while( q != NULL )
@@ -219,6 +284,15 @@
q = r;
}
}
+ else if( strcmp( p, "force_key_usage" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.force_key_usage = 0; break;
+ case 1: opt.force_key_usage = 1; break;
+ default: goto usage;
+ }
+ }
else if( strcmp( p, "ns_cert_type" ) == 0 )
{
while( q != NULL )
@@ -246,14 +320,25 @@
q = r;
}
}
+ else if( strcmp( p, "force_ns_cert_type" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.force_ns_cert_type = 0; break;
+ case 1: opt.force_ns_cert_type = 1; break;
+ default: goto usage;
+ }
+ }
else
goto usage;
}
- if( opt.key_usage )
+ mbedtls_x509write_csr_set_md_alg( &req, opt.md_alg );
+
+ if( opt.key_usage || opt.force_key_usage == 1 )
mbedtls_x509write_csr_set_key_usage( &req, opt.key_usage );
- if( opt.ns_cert_type )
+ if( opt.ns_cert_type || opt.force_ns_cert_type == 1 )
mbedtls_x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type );
/*
diff --git a/scripts/config.pl b/scripts/config.pl
index 468aeb9..ab4322b 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -29,6 +29,7 @@
# MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
# MBEDTLS_NO_PLATFORM_ENTROPY
# MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+# MBEDTLS_REMOVE_3DES_CIPHERSUITES
# MBEDTLS_SSL_HW_RECORD_ACCEL
# MBEDTLS_RSA_NO_CRT
# MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
@@ -89,6 +90,7 @@
MBEDTLS_NO_PLATFORM_ENTROPY
MBEDTLS_RSA_NO_CRT
MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+MBEDTLS_REMOVE_3DES_CIPHERSUITES
MBEDTLS_SSL_HW_RECORD_ACCEL
MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 9fd4916..0f3c58f 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -15,6 +15,13 @@
message(FATAL_ERROR "Cannot build test suites without Perl")
endif()
+# Test suites caught by SKIP_TEST_SUITES are built but not executed.
+# "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar"
+# but not "test_suite_foobar".
+string(REGEX REPLACE "[ ,;]" "|" SKIP_TEST_SUITES_REGEX "${SKIP_TEST_SUITES}")
+string(REPLACE "." "\\." SKIP_TEST_SUITES_REGEX "${SKIP_TEST_SUITES_REGEX}")
+set(SKIP_TEST_SUITES_REGEX "^(${SKIP_TEST_SUITES_REGEX})(\$|\\.)")
+
function(add_test_suite suite_name)
if(ARGV1)
set(data_name ${ARGV1})
@@ -31,7 +38,11 @@
include_directories(${CMAKE_CURRENT_SOURCE_DIR})
add_executable(test_suite_${data_name} test_suite_${data_name}.c)
target_link_libraries(test_suite_${data_name} ${libs})
- add_test(${data_name}-suite test_suite_${data_name} --verbose)
+ if(${data_name} MATCHES ${SKIP_TEST_SUITES_REGEX})
+ message(STATUS "The test suite ${data_name} will not be executed.")
+ else()
+ add_test(${data_name}-suite test_suite_${data_name} --verbose)
+ endif()
endfunction(add_test_suite)
if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG)
diff --git a/tests/Makefile b/tests/Makefile
index d85617f..03f1a7f 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -444,7 +444,8 @@
del /Q /F *.c *.exe
endif
+# Test suites caught by SKIP_TEST_SUITES are built but not executed.
check: $(APPS)
- perl scripts/run-test-suites.pl
+ perl scripts/run-test-suites.pl --skip=$(SKIP_TEST_SUITES)
test: check
diff --git a/tests/compat.sh b/tests/compat.sh
index a2b2d5b..df499dc 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -53,7 +53,12 @@
VERIFIES="NO YES"
TYPES="ECDSA RSA PSK"
FILTER=""
-EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR' # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
+# exclude:
+# - NULL: excluded from our default config
+# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions
+# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
+# - 3DES: not in default config
+EXCLUDE='NULL\|DES\|RC4\|ARCFOUR'
VERBOSE=""
MEMCHECK=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 2a7a50c..af1898c 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -14,6 +14,7 @@
OPENSSL ?= openssl
FAKETIME ?= faketime
MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
+MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req
## Build the generated test data. Note that since the final outputs
## are committed to the repository, this target should do nothing on a
@@ -701,6 +702,37 @@
$(OPENSSL) pkey -in $< -inform DER -out $@
all_final += ec_prv.pk8param.pem
+# server5*
+
+# The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.'
+server5.req.ku.sha1: server5.key
+ $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server5.req.ku.sha1
+
+################################################################
+### Generate CSRs for X.509 write test suite
+################################################################
+
+server1.req.cert_type: server1.key
+ $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.cert_type
+
+server1.req.key_usage: server1.key
+ $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.key_usage
+
+server1.req.ku-ct: server1.key
+ $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.ku-ct
+
+server1.req.key_usage_empty: server1.key
+ $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_key_usage=1
+all_final += server1.req.key_usage_empty
+
+server1.req.cert_type_empty: server1.key
+ $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_ns_cert_type=1
+all_final += server1.req.cert_type_empty
+
################################################################
### Generate certificates for CRT write check tests
################################################################
diff --git a/tests/data_files/server1.cert_type.crt b/tests/data_files/server1.cert_type.crt
index 91c3a90..107328e 100644
--- a/tests/data_files/server1.cert_type.crt
+++ b/tests/data_files/server1.cert_type.crt
@@ -11,10 +11,10 @@
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC
-AEAwDQYJKoZIhvcNAQEFBQADggEBAJ28VuktjDGkUWcVpM/W+YjohFDay676Yozx
-BbBLU3QZiDkcdXZbX/jOaKKBGWrjWiB6txchV4XrlvEtVtPgPrQLil2xaD20LOqJ
-e/ZEFIAIndf06CAcimdQaPD6mww04v3gZw3cwPQd/aMQCw9tm93tyf6YU4uIh/o8
-evG1ZBrNHRyiW18kbuueLNZ2daYQIISRJSIFrAERacfOvA8r7yXJCqZnB6AU5j9u
-V+ySNW3sdZIOTfs1nWKU6SECWo72dd89Yvs7wCf3NSZNM2UemLeOjQOmZIHBiR8L
-PAhDxhra5B/QBKaWeTVQohEvKz75pLAWouUGIKlgHiqJ4cvBGcg=
+BkAwDQYJKoZIhvcNAQEFBQADggEBAL+IvLnq101fUrpfWA1s9HhyOrnJH+N2gO1F
+6UnLmDw4NuX9pttIK60Xesb5pEhtU76y2hP2EAICe8tTQgGgZG4MW4TxIvAliuHl
+qvUB/lfmAAGJoQ9WrKriL90IxcKnH3I4aIzNyG2TSIHYo6L8FXVoSrPAuL3X133D
+JF6Ie0H8GUK7UOY0pZ0c6x8LCium4Ho/1UNfouSW3x7uq8gEz8lUn2blWUr0HlQr
+HDyxTV4tjZ1jKPh0VHYBmcpxdNbObK4NRZanYRKAUCIUCD+kHi67akMAukv0qjbm
+Y8DPy+gTLyl89BHnXDR/xCzlta5KkG1oKh3jgV7QQ6BS2+mR7+4=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.cert_type_noauthid.crt b/tests/data_files/server1.cert_type_noauthid.crt
index ed8b80b..0f71ecb 100644
--- a/tests/data_files/server1.cert_type_noauthid.crt
+++ b/tests/data_files/server1.cert_type_noauthid.crt
@@ -10,11 +10,11 @@
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR
-BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBABNT+r+6vvlpjtyz
-mewrGOKPt5iwb8w2aReJ0AWuyQzTiduN26MhXq93cXHV0pHj2rD7MfiBEwBSWnf9
-FcxkE0g77GVyM9Vs9Uy/MspIqOce7JD0c36G4EI8lYce2TYwQLE9CGNl+LDxqkLy
-prijXBl/FaD+IO/SNMr3VVnfFEZqPUxg+BSTaGgD+52Z7B4nPP0xGPjlW367RGDv
-9dIkr1thve2WOeC9ixxl9K/864I7/0GdbgKSf77xl3/5vnQUOY7kugRvkvxWIgHS
-HNVnmEN2I2Nb0M8lQNF1sFDbpFwVbh9CkBF5LJNesy0VWd67Ho6EntPEb7vBFF/x
-jz0b2l4=
+BglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBADAWS7qdGNShzKm+
+AO7vfM3/+6YyIq7Jelm4T7n1GkmiGJ0bf2KhX3ohvaRz5gl0165teWVhLAivaIqB
+lK3wLU9TSEaLAtgCMxw+TZhq11qq07FuaawH3nbdMAo4qA2UT0eu2CM1NJjgg8iL
+b5FYGwsNcaCmmQYWVRbKlqkA1VNY2p/4PDn8xgRcgVgmqrHf7BUrEPoRA5RXBAhM
+huceZxFpA+15x789xKUZHmMoOYvDeZNYw2Fg6Dk4jV403kxzrcP8sSx8Abu6aROb
+b2ktuUS5hS8FjrbhDgeosDTU10PQR0Ov9LpMYO4WshkYUBpgC3pSR81pGOKxJuuH
+8EV3rhc=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.key_usage.crt b/tests/data_files/server1.key_usage.crt
index 8f4e59f..303a222 100644
--- a/tests/data_files/server1.key_usage.crt
+++ b/tests/data_files/server1.key_usage.crt
@@ -10,11 +10,11 @@
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCAeAw
-DQYJKoZIhvcNAQEFBQADggEBABKC/1x0m57EY4H412ue3ghCWgg07VcRKamnUSTs
-tnqI5T0mSvuPrxhINdQB6360ibctBkXP3S9rxGHiUdeK/JqxYs2YamCs50TSWpon
-p4Hzcmjsw1YgXsQ6pmYwkzU03zqs361gt7JSOzL2dN0IjwIy47qfLQb/AXhX2Ims
-7gBuqVpYqJuSHR0qsN/c6WgIE3IrbK1MB6CJTkxBfcSc5E4oUIBHmww+RSVLOczM
-nGk3U13dmfG0ndhMtrMyyxBZZSUwoZLjRZ6J5mHSv+k8oo1PYQeiivNEP53mgVaY
-ha0gLUIk6zNBRpY1uUmxQ+RQSMIyYPBb1RedHn2s8El2mlo=
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw
+DQYJKoZIhvcNAQEFBQADggEBAFqG4NbAqtsec3lFOiUDKQiGmMCO4Yq3NHhnRWkD
+e9r9jWo+gfLgfUJKe02a76ciE5forJRFxG4+pa3Lo38WsF5/2YRz3IfQLOjcK6c6
+DdHrTEsPXgdqhVYJZgZbCeD5Yu5YBXlegGOrlXB9+71BKX0H+AkrR2oXsdg/31Kn
+R17yP84tLucQpLdh079ecE8QTZ/21n0VTag6fQFHMeMY35MWkT4K6eRrz/Dta2tm
+keHSq/coKsmm0poYPzoMPcbh/D+kSa05Ut03NL2Y+2Q9uTjv5/K/zOgGef/mJbV2
+QxB+1as+WLTtpwc20IqAz3PVBoxbRyN2Z6vjiqqAzGlfB4M=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.key_usage_noauthid.crt b/tests/data_files/server1.key_usage_noauthid.crt
index d66e515..7ff2692 100644
--- a/tests/data_files/server1.key_usage_noauthid.crt
+++ b/tests/data_files/server1.key_usage_noauthid.crt
@@ -10,11 +10,11 @@
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO
-BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBAJZRIISo4+rDvHXXaS43
-shfSkyJyur588mNJFzty1WVfhaIkwjMIGHeGlHS29fwgPsBUgelZ3Qv3J7wsm42+
-3BwQet0l36FIBIJtFhcrTGlaCFUo/5bZJUPGgiOFB9ec/8lOszVlX8cH34UimWqg
-q2wXRGoXWPbuRnUWlJhI2bAv5ri9Mt7Rs4nK4wyS1ZjC8ByXMn4tk3yMjkUEqu0o
-37zoQiF+FJApu0eTKK5goA2hisyfCX9eJMppAbcyvJwoj/AmiBkXW8J3kEMJtLmZ
-VoxXYknnXumxBLxUrGuamR/3cmbaJHIHE1Dqox7hB+9miyp4lue1/uXHCocGAIeF
-JTo=
+BgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBALIkgZjEfQcV7d7zovec
+tNVvaPO5hSE8kDVjMCdUZsKgZjMxpY8gJ4CLNIOamkIqN8sSd1zdhdexMdn3iE/O
+z5y3rQBQLs8UjLippm3abKksKrpTEkM9x7Z1X8KS7GOrnOgBWLzoE9D4F/2ay7yk
+H57qRUXEw1NlnAwKYS6hmEwf497szNKXvgr7MGbahQ/N+WfQbILW6+OSUttuoDrD
+t2uBZsGAVQGDzcQGyOuo7k8CE0D62HHZqA+ZPo/xicvyTbkk+lUfY6q6QA8sojaU
+2LuU0nBtd+LmY8odaUsQItwbIyfYZrZbXKruevVHfMKb9VuoYj6anA5jEl0pe7wN
+Tu0=
-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.req.cert_type b/tests/data_files/server1.req.cert_type
index 5677f32..3feb1fc 100644
--- a/tests/data_files/server1.req.cert_type
+++ b/tests/data_files/server1.req.cert_type
@@ -7,11 +7,11 @@
W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAkMCIGCSqGSIb3DQEJDjEV
-MBMwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQB95Pkjpg/N
-Jbgl5nZcAk8maGMpUFlrhJS4kGutQKZugNX9v8cfABW905IHYXV1dm6zxVcyeqZM
-FiOgbV943fu5JbufoazdYXnnR2/iKMigqX4CzZrK3F5ZzegxkfDIfDrn/shC+rWb
-SS5WBVLJ3QNj9vwn3/b66IRbp/ViOwHx7+9JT4K/rLId/ynjYf2T57AsmNd/jptc
-Zs19fGgtrUXweWkliEZN2zE47Cc53jkx6+Li4TNs4Bjk5P/aXrCP0fBwgGt2K6YW
-dQ/nr0PwIbXzVlgUukSTHkJJfhF4Y/WqcUfOPrRdw+zxOLusJ9nzJBR0FOohcBxM
-kPBVna0dze/o
+MBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBBQUAA4IBAQBfm+BA0PSA
+9EFSFgdVODuBtjVoe+RzjiwrHVjja9/GAMurams5WSeJ0g3n0QJuNPf4m3vpSgQE
+qXZrkn2aNYSRPipiPYFUj0NMvji2gmyzmvy6VJyyerZ/saPfuySiVSJbCycA88/V
+vSv93qVHQ7QGwXlwg5dkhw4VNn1NK5CtA0DSEsGITKhdLZUZKkEdylwdjFdi+NTf
+Qx/LQ+cEECBM31s/88C6+ynd4ni42/YYRRcpj5+4TAyKt+nl9a0osrR1y3MmBeo3
+/9s9QEIpXPHMJnJDVq0q03FZwAkgGTaKI8bRsf125eh1CSBynvC6vC+LJSkPrW9g
+HUYYkPMQiQ2C
-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.cert_type_empty b/tests/data_files/server1.req.cert_type_empty
new file mode 100644
index 0000000..d61ef6b
--- /dev/null
+++ b/tests/data_files/server1.req.cert_type_empty
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICpDCCAYwCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
+GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAjMCEGCSqGSIb3DQEJDjEU
+MBIwEAYJYIZIAYb4QgEBBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAFsbkVHizurV
+Ub9uDSTEEFm7R/TcCYjqAbP243sEOVfyCwZh49E7hrjq7lp1n/myILHX+keaxKEY
+hUq9B0Rpa61H5lTJPG3Iy1mDHcF0et4cPkDEsQw4GgjZ/A0RCNfYD+OZLATsDKMy
+AgGCZcYhjoL/8iZaYljfuE+a8Bo3xMePo+jignUhB+hEK2cNmUN2m7HqT22Ba4ag
+eJQtY0NUmBoXGJlNaDbzO79mwLl0HHxDmanLVnSzKXqzrH4U0fuoGZFuxY7Dn7AM
+vJujuWOxN1FtHOfJIimnVepuEG6wvDXMLgEPJTXSKbW6CMTgaz6fudEZzgVB6OKR
+zIbUGFi6kLg=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.key_usage b/tests/data_files/server1.req.key_usage
index 053aed9..5df41e1 100644
--- a/tests/data_files/server1.req.key_usage
+++ b/tests/data_files/server1.req.key_usage
@@ -7,11 +7,11 @@
W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAeMBwGCSqGSIb3DQEJDjEP
-MA0wCwYDVR0PBAQDAgHgMA0GCSqGSIb3DQEBBQUAA4IBAQCj6jCu0wE5OQ1JGQwZ
-FNwPqZrvKntSq2yLIbgmGxwlvDLxOzn0KmidSFiKRqh0KXwj9siodlz5C0d9tUqq
-7xUXg+j+wDHqUV8zo42Jke+UmWXFPpnXx/fDFGTITdLSn8ZDxkt31ESLTEVZvPFD
-odm+C+zWJtKpyL+9op4KvyBQ1MZ9nWZpwMaK4g4mdtOIsz75gMa74w8ZT7VzhGMY
-cZGmafsl7x++GDDtf0oCPgrj9xy+Ovv/GyUBaB+6lweflTfPDTRSoN0meFlP5ynF
-vqcBM5JKH2FUQIizfc9o6Z8tKxe9FCov3x8szAuoMRA7bjhVngeQIrEkTcaQBvBY
-NalC
+MA0wCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQCn0RjrgOyNn5ZQ9Hfn
+zhN5q7EAMBYdKBQayeJQQkmreqTdzG/rCHZtt3bIZ/8SWIPNiIOkvsnsGzdBLp8B
+zAAwINhcDIQtIQVObgTLZmvC1syjXfjdH02mYKAccP9OxlnWIVivSPRp9jr9IwYO
+cnT6pzGvP/RWoQen+DougM2WwiZ8YJTrtoe8DlzDq+hbTgoGeQuEGhOnxMlkiLzs
++g6yoi/1F3nsUwJI+QhBxG7Xf74gCCHZckCtSs2MBEavhcPu7o9QjuWR0YFRTaCf
+5uBL7/gNIVmrWnsQLcH1+DexxzW7lPBN1iFXUXNcweoo0fX3ykkvBYdKKicF7bM1
+zZzQ
-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.key_usage_empty b/tests/data_files/server1.req.key_usage_empty
new file mode 100644
index 0000000..1ac1bc3
--- /dev/null
+++ b/tests/data_files/server1.req.key_usage_empty
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICnjCCAYYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
+GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAdMBsGCSqGSIb3DQEJDjEO
+MAwwCgYDVR0PBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAHkw230TfJnAoc+6j/5R
+oGfXR92g/k2DTlDaFQywO2j03h97isp47bEq/peOlKhAuMA+aHt5n8J1w6eWsr8B
+VpoQ079jDnMtlLVAtgsEAjhwEPZchB9oZzfGztzBC4kVKchMGiSHLVQptIM3DiOT
+/5JBlfGkAfap4V4V6qRYiNESBSpEdU/wGctg4ELgQgdpRSlqRud2LgClmMy3+A3o
+rHjyAY+1oANNNOV+TBwA58OKqwsniyqmSWkhlj4c0O4n8FdE+o1eKyrsQfH9LBx7
+DBo2ilAkp0O/+G0n9Wisov2i6QuOraxW3g5/YBdfrqoVpJ5+8YZvoSGJFYDYoWvN
+CvU=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server1.req.ku-ct b/tests/data_files/server1.req.ku-ct
index 0e057d5..4a0eab8 100644
--- a/tests/data_files/server1.req.ku-ct
+++ b/tests/data_files/server1.req.ku-ct
@@ -7,11 +7,11 @@
W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAxMC8GCSqGSIb3DQEJDjEi
-MCAwCwYDVR0PBAQDAgHgMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQUF
-AAOCAQEANlNG9hW852OzVKj2Z8TtU9jxstAoSCH9yc9Coj4Vw2TTjs1zcuBWsMl1
-2bf2I6ZvEH6ZhcQY7i7nyHQyPlqE4l6U9D8ct967QN7smuAHNY2HiQ2++eCBTHck
-PdtGJAzIvNlXcoqNi8UC5fGepNtI1usNo41SKMvbg6nGA5gdcQKk7CVlk8lrD0qI
-Xn/HvjSRoDE4ZGxAtNvPXWorGSxtgcy8EMPoXVUab5fNt8q//x/NQ4yEQKPrexmR
-IuOiQ8VW8QZtkORGpZbGSvskU0WfKANui4zCcXYRc4mVR4Wf0C+fyHeihhjslSnT
-RbC7nQn5HSHp31qJlr80QodywaK1Dg==
+MCAwCwYDVR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQUF
+AAOCAQEAKIF06WMMbkfDi6z3FzG0OVqGVgCIdQjJUK2S8VrVXJ74goM8SD7jp2RC
+2d5nszk0do3ruAqaI3YOk5U9HQR0qHMSXEcAeB/qqIYWXrlZKacdzSk6vd88VC01
+uAWBSE2IQ4TWPSiWLCN54VtO8AXuF5wJgjGOh4yixVqKzcQh5b+mJs3e7cgMsC5a
+3iPt0EemCT+irT4cXtcJe9/DAvnvvvCZ5UCcvc3shBIA5pBsOOmd1yCYCbxrq3aL
+PhFf/vbbf9eORMwWsqOWopnRgBkPpVnTu9G27t/Nyjencjfk8NEaM9q8YnF0x5lD
+elCFyt+HGwoCeOBN9odfQmKQpW+eGg==
-----END CERTIFICATE REQUEST-----
diff --git a/tests/data_files/server5.req.ku.sha1 b/tests/data_files/server5.req.ku.sha1
index 7556d1a..6f3b7aa 100644
--- a/tests/data_files/server5.req.ku.sha1
+++ b/tests/data_files/server5.req.ku.sha1
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIBFjCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGjAY
+MIIBFzCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGjAY
BgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/6i/SNF1d
Fr2KiMJrdw1VzYoqDvoByLTt/6AeMBwGCSqGSIb3DQEJDjEPMA0wCwYDVR0PBAQD
-AgHAMAsGByqGSM49BAEFAANIADBFAiBjnnD7nwsFnCL+MpPPFJE3K/Tgj+5rAgXj
-e5UejDX2CAIhAKdbigWJL/ZatvG9CFHq7ykrRns2x8JEXehWu8DsXdx9
+AgbAMAsGByqGSM49BAEFAANJADBGAiEAmhkNVnF6mGzzyHxGMMuUM2tYw5/y5tlF
+3424Bs7DbG8CIQCJteTtpZ8RJ7PjpxcmVpP4fcYHFTR50zoc9jOV0AYPLQ==
-----END CERTIFICATE REQUEST-----
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 391de19..2ac9901 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -55,21 +55,46 @@
# Notes for maintainers
# ---------------------
#
+# The bulk of the code is organized into functions that follow one of the
+# following naming conventions:
+# * pre_XXX: things to do before running the tests, in order.
+# * component_XXX: independent components. They can be run in any order.
+# * component_check_XXX: quick tests that aren't worth parallelizing.
+# * component_build_XXX: build things but don't run them.
+# * component_test_XXX: build and test.
+# * support_XXX: if support_XXX exists and returns false then
+# component_XXX is not run by default.
+# * post_XXX: things to do after running the tests.
+# * other: miscellaneous support functions.
+#
+# Each component must start by invoking `msg` with a short informative message.
+#
+# The framework performs some cleanup tasks after each component. This
+# means that components can assume that the working directory is in a
+# cleaned-up state, and don't need to perform the cleanup themselves.
+# * Run `make clean`.
+# * Restore `include/mbedtks/config.h` from a backup made before running
+# the component.
+# * Check out `Makefile`, `library/Makefile`, `programs/Makefile` and
+# `tests/Makefile` from git. This cleans up after an in-tree use of
+# CMake.
+#
+# Any command that is expected to fail must be protected so that the
+# script keeps running in --keep-going mode despite `set -e`. In keep-going
+# mode, if a protected command fails, this is logged as a failure and the
+# script will exit with a failure status once it has run all components.
+# Commands can be protected in any of the following ways:
+# * `make` is a function which runs the `make` command with protection.
+# Note that you must write `make VAR=value`, not `VAR=value make`,
+# because the `VAR=value make` syntax doesn't work with functions.
+# * Put `report_status` before the command to protect it.
+# * Put `if_build_successful` before a command. This protects it, and
+# additionally skips it if a prior invocation of `make` in the same
+# component failed.
+#
# The tests are roughly in order from fastest to slowest. This doesn't
# have to be exact, but in general you should add slower tests towards
# the end and fast checks near the beginning.
-#
-# Sanity checks have the following form:
-# 1. msg "short description of what is about to be done"
-# 2. run sanity check (failure stops the script)
-#
-# Build or build-and-test steps have the following form:
-# 1. msg "short description of what is about to be done"
-# 2. cleanup
-# 3. preparation (config.pl, cmake, ...) (failure stops the script)
-# 4. make
-# 5. Run tests if relevant. All tests must be prefixed with
-# if_build_successful for the sake of --keep-going.
@@ -80,50 +105,93 @@
# Abort on errors (and uninitialised variables)
set -eu
-if [ "$( uname )" != "Linux" ]; then
- echo "This script only works in Linux" >&2
- exit 1
-elif [ -d library -a -d include -a -d tests ]; then :; else
- echo "Must be run from mbed TLS root" >&2
- exit 1
-fi
+pre_check_environment () {
+ if [ -d library -a -d include -a -d tests ]; then :; else
+ echo "Must be run from mbed TLS root" >&2
+ exit 1
+ fi
+}
-CONFIG_H='include/mbedtls/config.h'
-CONFIG_BAK="$CONFIG_H.bak"
+pre_initialize_variables () {
+ CONFIG_H='include/mbedtls/config.h'
+ CONFIG_BAK="$CONFIG_H.bak"
-MEMORY=0
-FORCE=0
-KEEP_GOING=0
-RUN_ARMCC=1
-YOTTA=1
+ MEMORY=0
+ FORCE=0
+ KEEP_GOING=0
+ YOTTA=1
-# Default commands, can be overriden by the environment
-: ${OPENSSL:="openssl"}
-: ${OPENSSL_LEGACY:="$OPENSSL"}
-: ${GNUTLS_CLI:="gnutls-cli"}
-: ${GNUTLS_SERV:="gnutls-serv"}
-: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
-: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
-: ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
-: ${ARMC5_BIN_DIR:=/usr/bin}
-: ${ARMC6_BIN_DIR:=/usr/bin}
+ # Default commands, can be overriden by the environment
+ : ${OPENSSL:="openssl"}
+ : ${OPENSSL_LEGACY:="$OPENSSL"}
+ : ${GNUTLS_CLI:="gnutls-cli"}
+ : ${GNUTLS_SERV:="gnutls-serv"}
+ : ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
+ : ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
+ : ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
+ : ${ARMC5_BIN_DIR:=/usr/bin}
+ : ${ARMC6_BIN_DIR:=/usr/bin}
-# if MAKEFLAGS is not set add the -j option to speed up invocations of make
-if [ -n "${MAKEFLAGS+set}" ]; then
- export MAKEFLAGS="-j"
-fi
+ # if MAKEFLAGS is not set add the -j option to speed up invocations of make
+ if [ -z "${MAKEFLAGS+set}" ]; then
+ export MAKEFLAGS="-j"
+ fi
+
+ # Gather the list of available components. These are the functions
+ # defined in this script whose name starts with "component_".
+ # Parse the script with sed, because in sh there is no way to list
+ # defined functions.
+ ALL_COMPONENTS=$(sed -n 's/^ *component_\([0-9A-Z_a-z]*\) *().*/\1/p' <"$0")
+
+ # Exclude components that are not supported on this platform.
+ SUPPORTED_COMPONENTS=
+ for component in $ALL_COMPONENTS; do
+ case $(type "support_$component" 2>&1) in
+ *' function'*)
+ if ! support_$component; then continue; fi;;
+ esac
+ SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component"
+ done
+}
+
+# Test whether the component $1 is included in the command line patterns.
+is_component_included()
+{
+ set -f
+ for pattern in $COMMAND_LINE_COMPONENTS; do
+ set +f
+ case ${1#component_} in $pattern) return 0;; esac
+ done
+ set +f
+ return 1
+}
usage()
{
cat <<EOF
-Usage: $0 [OPTION]...
- -h|--help Print this help.
+Usage: $0 [OPTION]... [COMPONENT]...
+Run mbedtls release validation tests.
+By default, run all tests. With one or more COMPONENT, run only those.
+COMPONENT can be the name of a component or a shell wildcard pattern.
+
+Examples:
+ $0 "check_*"
+ Run all sanity checks.
+ $0 --no-armcc --except test_memsan
+ Run everything except builds that require armcc and MemSan.
+
+Special options:
+ -h|--help Print this help and exit.
+ --list-all-components List all available test components and exit.
+ --list-components List components supported on this platform and exit.
General options:
-f|--force Force the tests to overwrite any modified files.
-k|--keep-going Run all tests and report errors at the end.
-m|--memory Additional optional memory tests.
--armcc Run ARM Compiler builds (on by default).
+ --except Exclude the COMPONENTs listed on the command line,
+ instead of running only those.
--no-armcc Skip ARM Compiler builds.
--no-force Refuse to overwrite modified files (default).
--no-keep-going Stop at the first error (default).
@@ -190,25 +258,27 @@
msg()
{
+ if [ -n "${current_component:-}" ]; then
+ current_section="${current_component#component_}: $1"
+ else
+ current_section="$1"
+ fi
echo ""
echo "******************************************************************"
- echo "* $1 "
+ echo "* $current_section "
printf "* "; date
echo "******************************************************************"
- current_section=$1
}
-if [ $RUN_ARMCC -ne 0 ]; then
- armc6_build_test()
- {
- FLAGS="$1"
+armc6_build_test()
+{
+ FLAGS="$1"
- msg "build: ARM Compiler 6 ($FLAGS), make"
- ARM_TOOL_VARIANT="ult" CC="$ARMC6_CC" AR="$ARMC6_AR" CFLAGS="$FLAGS" \
- WARNING_CFLAGS='-xc -std=c99' make lib
- make clean
- }
-fi
+ msg "build: ARM Compiler 6 ($FLAGS), make"
+ ARM_TOOL_VARIANT="ult" CC="$ARMC6_CC" AR="$ARMC6_AR" CFLAGS="$FLAGS" \
+ WARNING_CFLAGS='-xc -std=c99' make lib
+ make clean
+}
err_msg()
{
@@ -225,72 +295,108 @@
done
}
-while [ $# -gt 0 ]; do
- case "$1" in
- --armcc) RUN_ARMCC=1;;
- --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
- --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
- --force|-f) FORCE=1;;
- --gnutls-cli) shift; GNUTLS_CLI="$1";;
- --gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
- --gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";;
- --gnutls-serv) shift; GNUTLS_SERV="$1";;
- --help|-h) usage; exit;;
- --keep-going|-k) KEEP_GOING=1;;
- --memory|-m) MEMORY=1;;
- --no-armcc) RUN_ARMCC=0;;
- --no-force) FORCE=0;;
- --no-keep-going) KEEP_GOING=0;;
- --no-memory) MEMORY=0;;
- --no-yotta) YOTTA=0;;
- --openssl) shift; OPENSSL="$1";;
- --openssl-legacy) shift; OPENSSL_LEGACY="$1";;
- --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
- --random-seed) unset SEED;;
- --release-test|-r) SEED=1;;
- --seed|-s) shift; SEED="$1";;
- --yotta) YOTTA=1;;
- *)
- echo >&2 "Unknown option: $1"
- echo >&2 "Run $0 --help for usage."
- exit 120
- ;;
- esac
- shift
-done
+pre_parse_command_line () {
+ COMMAND_LINE_COMPONENTS=
+ all_except=0
+ no_armcc=
-if [ $FORCE -eq 1 ]; then
- if [ $YOTTA -eq 1 ]; then
- rm -rf yotta/module "$OUT_OF_SOURCE_DIR"
- fi
- git checkout-index -f -q $CONFIG_H
- cleanup
-else
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ --armcc) no_armcc=;;
+ --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
+ --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
+ --except) all_except=1;;
+ --force|-f) FORCE=1;;
+ --gnutls-cli) shift; GNUTLS_CLI="$1";;
+ --gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
+ --gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";;
+ --gnutls-serv) shift; GNUTLS_SERV="$1";;
+ --help|-h) usage; exit;;
+ --keep-going|-k) KEEP_GOING=1;;
+ --list-all-components) printf '%s\n' $ALL_COMPONENTS; exit;;
+ --list-components) printf '%s\n' $SUPPORTED_COMPONENTS; exit;;
+ --memory|-m) MEMORY=1;;
+ --no-armcc) no_armcc=1;;
+ --no-force) FORCE=0;;
+ --no-keep-going) KEEP_GOING=0;;
+ --no-memory) MEMORY=0;;
+ --no-yotta) YOTTA=0;;
+ --openssl) shift; OPENSSL="$1";;
+ --openssl-legacy) shift; OPENSSL_LEGACY="$1";;
+ --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
+ --random-seed) unset SEED;;
+ --release-test|-r) SEED=1;;
+ --seed|-s) shift; SEED="$1";;
+ --yotta) YOTTA=1;;
+ -*)
+ echo >&2 "Unknown option: $1"
+ echo >&2 "Run $0 --help for usage."
+ exit 120
+ ;;
+ *) COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS $1";;
+ esac
+ shift
+ done
- if [ $YOTTA -ne 0 ] && [ -d yotta/module ]; then
- err_msg "Warning - there is an existing yotta module in the directory 'yotta/module'"
- echo "You can either delete your work and retry, or force the test to overwrite the"
- echo "test by rerunning the script as: $0 --force"
- exit 1
+ # With no list of components, run everything.
+ if [ -z "$COMMAND_LINE_COMPONENTS" ]; then
+ all_except=1
fi
- if [ -d "$OUT_OF_SOURCE_DIR" ]; then
- echo "Warning - there is an existing directory at '$OUT_OF_SOURCE_DIR'" >&2
- echo "You can either delete this directory manually, or force the test by rerunning"
- echo "the script as: $0 --force --out-of-source-dir $OUT_OF_SOURCE_DIR"
- exit 1
+ # --no-armcc is a legacy option. The modern way is --except '*_armcc*'.
+ # Ignore it if components are listed explicitly on the command line.
+ if [ -n "$no_armcc" ] && [ $all_except -eq 1 ]; then
+ COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_armcc*"
+ # --no-armcc also disables yotta.
+ COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_yotta*"
fi
- if ! git diff-files --quiet include/mbedtls/config.h; then
- err_msg "Warning - the configuration file 'include/mbedtls/config.h' has been edited. "
- echo "You can either delete or preserve your work, or force the test by rerunning the"
- echo "script as: $0 --force"
- exit 1
- fi
-fi
+ # Build the list of components to run.
+ RUN_COMPONENTS=
+ for component in $SUPPORTED_COMPONENTS; do
+ if is_component_included "$component"; [ $? -eq $all_except ]; then
+ RUN_COMPONENTS="$RUN_COMPONENTS $component"
+ fi
+ done
-build_status=0
-if [ $KEEP_GOING -eq 1 ]; then
+ unset all_except
+ unset no_armcc
+}
+
+pre_check_git () {
+ if [ $FORCE -eq 1 ]; then
+ rm -rf "$OUT_OF_SOURCE_DIR"
+ if [ $YOTTA -eq 1 ]; then
+ rm -rf yotta/module
+ fi
+ git checkout-index -f -q $CONFIG_H
+ cleanup
+ else
+
+ if [ $YOTTA -ne 0 ] && [ -d yotta/module ]; then
+ err_msg "Warning - there is an existing yotta module in the directory 'yotta/module'"
+ echo "You can either delete your work and retry, or force the test to overwrite the"
+ echo "test by rerunning the script as: $0 --force"
+ exit 1
+ fi
+
+ if [ -d "$OUT_OF_SOURCE_DIR" ]; then
+ echo "Warning - there is an existing directory at '$OUT_OF_SOURCE_DIR'" >&2
+ echo "You can either delete this directory manually, or force the test by rerunning"
+ echo "the script as: $0 --force --out-of-source-dir $OUT_OF_SOURCE_DIR"
+ exit 1
+ fi
+
+ if ! git diff --quiet include/mbedtls/config.h; then
+ err_msg "Warning - the configuration file 'include/mbedtls/config.h' has been edited. "
+ echo "You can either delete or preserve your work, or force the test by rerunning the"
+ echo "script as: $0 --force"
+ exit 1
+ fi
+ fi
+}
+
+pre_setup_keep_going () {
failure_summary=
failure_count=0
start_red=
@@ -344,53 +450,94 @@
echo "Killed by SIG$1."
fi
}
-else
- record_status () {
- "$@"
- }
-fi
+}
+
if_build_succeeded () {
if [ $build_status -eq 0 ]; then
record_status "$@"
fi
}
-msg "info: $0 configuration"
-echo "MEMORY: $MEMORY"
-echo "FORCE: $FORCE"
-echo "SEED: ${SEED-"UNSET"}"
-echo "OPENSSL: $OPENSSL"
-echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
-echo "GNUTLS_CLI: $GNUTLS_CLI"
-echo "GNUTLS_SERV: $GNUTLS_SERV"
-echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
-echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
-echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
-echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
+# to be used instead of ! for commands run with
+# record_status or if_build_succeeded
+not() {
+ ! "$@"
+}
-ARMC5_CC="$ARMC5_BIN_DIR/armcc"
-ARMC5_AR="$ARMC5_BIN_DIR/armar"
-ARMC6_CC="$ARMC6_BIN_DIR/armclang"
-ARMC6_AR="$ARMC6_BIN_DIR/armar"
-# To avoid setting OpenSSL and GnuTLS for each call to compat.sh and ssl-opt.sh
-# we just export the variables they require
-export OPENSSL_CMD="$OPENSSL"
-export GNUTLS_CLI="$GNUTLS_CLI"
-export GNUTLS_SERV="$GNUTLS_SERV"
-
-# Avoid passing --seed flag in every call to ssl-opt.sh
-if [ -n "${SEED-}" ]; then
- export SEED
-fi
+pre_print_configuration () {
+ msg "info: $0 configuration"
+ echo "MEMORY: $MEMORY"
+ echo "FORCE: $FORCE"
+ echo "SEED: ${SEED-"UNSET"}"
+ echo "OPENSSL: $OPENSSL"
+ echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
+ echo "GNUTLS_CLI: $GNUTLS_CLI"
+ echo "GNUTLS_SERV: $GNUTLS_SERV"
+ echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
+ echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
+ echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
+ echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
+}
# Make sure the tools we need are available.
-check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$GNUTLS_CLI" "$GNUTLS_SERV" \
- "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV" "doxygen" "dot" \
- "arm-none-eabi-gcc" "i686-w64-mingw32-gcc"
-if [ $RUN_ARMCC -ne 0 ]; then
- check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC6_CC" "$ARMC6_AR"
-fi
+pre_check_tools () {
+ # Build the list of variables to pass to output_env.sh.
+ set env
+
+ case " $RUN_COMPONENTS " in
+ # Require OpenSSL and GnuTLS if running any tests (as opposed to
+ # only doing builds). Not all tests run OpenSSL and GnuTLS, but this
+ # is a good enough approximation in practice.
+ *" test_"*)
+ # To avoid setting OpenSSL and GnuTLS for each call to compat.sh
+ # and ssl-opt.sh, we just export the variables they require.
+ export OPENSSL_CMD="$OPENSSL"
+ export GNUTLS_CLI="$GNUTLS_CLI"
+ export GNUTLS_SERV="$GNUTLS_SERV"
+ # Avoid passing --seed flag in every call to ssl-opt.sh
+ if [ -n "${SEED-}" ]; then
+ export SEED
+ fi
+ set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY"
+ set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
+ set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
+ set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
+ check_tools "$OPENSSL" "$OPENSSL_LEGACY" \
+ "$GNUTLS_CLI" "$GNUTLS_SERV" \
+ "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
+ ;;
+ esac
+
+ case " $RUN_COMPONENTS " in
+ *_doxygen[_\ ]*) check_tools "doxygen" "dot";;
+ esac
+
+ case " $RUN_COMPONENTS " in
+ *_arm_none_eabi_gcc[_\ ]*) check_tools "arm-none-eabi-gcc";;
+ esac
+
+ case " $RUN_COMPONENTS " in
+ *_mingw[_\ ]*) check_tools "i686-w64-mingw32-gcc";;
+ esac
+
+ case " $RUN_COMPONENTS " in
+ *_armcc*|*_yotta*)
+ ARMC5_CC="$ARMC5_BIN_DIR/armcc"
+ ARMC5_AR="$ARMC5_BIN_DIR/armar"
+ ARMC6_CC="$ARMC6_BIN_DIR/armclang"
+ ARMC6_AR="$ARMC6_BIN_DIR/armar"
+ check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC6_CC" "$ARMC6_AR";;
+ esac
+
+ msg "info: output_env.sh"
+ case $RUN_COMPONENTS in
+ *_armcc*|*_yotta*)
+ set "$@" ARMC5_CC="$ARMC5_CC" ARMC6_CC="$ARMC6_CC" RUN_ARMCC=1;;
+ *) set "$@" RUN_ARMCC=0;;
+ esac
+ "$@" scripts/output_env.sh
+}
@@ -409,378 +556,408 @@
#
# Indicative running times are given for reference.
-msg "info: output_env.sh"
-OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_CLI" \
- GNUTLS_SERV="$GNUTLS_SERV" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
- GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" ARMC5_CC="$ARMC5_CC" \
- ARMC6_CC="$ARMC6_CC" RUN_ARMCC="$RUN_ARMCC" scripts/output_env.sh
+component_check_recursion () {
+ msg "test: recursion.pl" # < 1s
+ record_status tests/scripts/recursion.pl library/*.c
+}
-msg "test: recursion.pl" # < 1s
-record_status tests/scripts/recursion.pl library/*.c
+component_check_generated_files () {
+ msg "test: freshness of generated source files" # < 1s
+ record_status tests/scripts/check-generated-files.sh
+}
-msg "test: freshness of generated source files" # < 1s
-record_status tests/scripts/check-generated-files.sh
+component_check_doxy_blocks () {
+ msg "test: doxygen markup outside doxygen blocks" # < 1s
+ record_status tests/scripts/check-doxy-blocks.pl
+}
-msg "test: doxygen markup outside doxygen blocks" # < 1s
-record_status tests/scripts/check-doxy-blocks.pl
+component_check_files () {
+ msg "test: check-files.py" # < 1s
+ record_status tests/scripts/check-files.py
+}
-msg "test: check-files.py" # < 1s
-cleanup
-record_status tests/scripts/check-files.py
+component_check_names () {
+ msg "test/build: declared and exported names" # < 3s
+ record_status tests/scripts/check-names.sh
+}
-msg "test/build: declared and exported names" # < 3s
-cleanup
-record_status tests/scripts/check-names.sh
-
-msg "test: doxygen warnings" # ~ 3s
-cleanup
-record_status tests/scripts/doxygen.sh
-
+component_check_doxygen_warnings () {
+ msg "test: doxygen warnings" # ~ 3s
+ record_status tests/scripts/doxygen.sh
+}
################################################################
#### Build and test many configurations and targets
################################################################
-if [ $RUN_ARMCC -ne 0 ] && [ $YOTTA -ne 0 ]; then
+component_build_yotta () {
# Note - use of yotta is deprecated, and yotta also requires armcc to be on the
# path, and uses whatever version of armcc it finds there.
msg "build: create and build yotta module" # ~ 30s
- cleanup
record_status tests/scripts/yotta-build.sh
-fi
+}
+support_build_yotta () {
+ [ $YOTTA -ne 0 ]
+}
-msg "build: cmake, gcc, ASan" # ~ 1 min 50s
-cleanup
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+component_test_default_cmake_gcc_asan () {
+ msg "build: cmake, gcc, ASan" # ~ 1 min 50s
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
-msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
-make test
+ msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
+ make test
-msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
-if_build_succeeded tests/ssl-opt.sh
+ msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
+ if_build_succeeded tests/ssl-opt.sh
-msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
-record_status tests/scripts/test-ref-configs.pl
+ msg "test: compat.sh (ASan build)" # ~ 6 min
+ if_build_succeeded tests/compat.sh
+}
-msg "build: with ASan (rebuild after ref-configs)" # ~ 1 min
-make
+component_test_ref_configs () {
+ msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ record_status tests/scripts/test-ref-configs.pl
+}
-msg "test: compat.sh (ASan build)" # ~ 6 min
-if_build_succeeded tests/compat.sh
+component_test_sslv3 () {
+ msg "build: Default + SSLv3 (ASan build)" # ~ 6 min
+ scripts/config.pl set MBEDTLS_SSL_PROTO_SSL3
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
-msg "build: Default + SSLv3 (ASan build)" # ~ 6 min
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_SSL_PROTO_SSL3
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+ msg "test: SSLv3 - main suites (inc. selftests) (ASan build)" # ~ 50s
+ make test
-msg "test: SSLv3 - main suites (inc. selftests) (ASan build)" # ~ 50s
-make test
+ msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
+ if_build_succeeded tests/compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2'
+ if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
-msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
-if_build_succeeded tests/compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2'
-if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
+ msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
+ if_build_succeeded tests/ssl-opt.sh
+}
-msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
-if_build_succeeded tests/ssl-opt.sh
+component_test_no_renegotiation () {
+ msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
+ scripts/config.pl unset MBEDTLS_SSL_RENEGOTIATION
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
-msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl unset MBEDTLS_SSL_RENEGOTIATION
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+ msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
+ make test
-msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
-make test
+ msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min
+ if_build_succeeded tests/ssl-opt.sh
+}
-msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min
-if_build_succeeded tests/ssl-opt.sh
+component_test_rsa_no_crt () {
+ msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
+ scripts/config.pl set MBEDTLS_RSA_NO_CRT
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
-msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_RSA_NO_CRT
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+ msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
+ make test
-msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
-make test
+ msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s
+ if_build_succeeded tests/ssl-opt.sh -f RSA
-msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s
-if_build_succeeded tests/ssl-opt.sh -f RSA
+ msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
+ if_build_succeeded tests/compat.sh -t RSA
+}
-msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
-if_build_succeeded tests/compat.sh -t RSA
+component_test_full_cmake_clang () {
+ msg "build: cmake, full config, clang" # ~ 50s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+ CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check -D ENABLE_TESTING=On .
+ make
-msg "build: cmake, full config, clang" # ~ 50s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
-CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check -D ENABLE_TESTING=On .
-make
+ msg "test: main suites (full config)" # ~ 5s
+ make test
-msg "test: main suites (full config)" # ~ 5s
-make test
+ msg "test: ssl-opt.sh default (full config)" # ~ 1s
+ if_build_succeeded tests/ssl-opt.sh -f Default
-msg "test: ssl-opt.sh default (full config)" # ~ 1s
-if_build_succeeded tests/ssl-opt.sh -f Default
+ msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min
+ if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
+}
-msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min
-if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
+component_build_deprecated () {
+ msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
+ scripts/config.pl full
+ scripts/config.pl set MBEDTLS_DEPRECATED_WARNING
+ # Build with -O -Wextra to catch a maximum of issues.
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' lib programs
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
-msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl set MBEDTLS_DEPRECATED_WARNING
-# Build with -O -Wextra to catch a maximum of issues.
-make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' lib programs
-make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+ msg "build: make, full config + DEPRECATED_REMOVED, clang -O" # ~ 30s
+ # No cleanup, just tweak the configuration and rebuild
+ make clean
+ scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
+ scripts/config.pl set MBEDTLS_DEPRECATED_REMOVED
+ # Build with -O -Wextra to catch a maximum of issues.
+ make CC=clang CFLAGS='-O -Werror -Wall -Wextra' lib programs
+ make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+}
-msg "build: make, full config + DEPRECATED_REMOVED, clang -O" # ~ 30s
-# No cleanup, just tweak the configuration and rebuild
-make clean
-scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
-scripts/config.pl set MBEDTLS_DEPRECATED_REMOVED
-# Build with -O -Wextra to catch a maximum of issues.
-make CC=clang CFLAGS='-O -Werror -Wall -Wextra' lib programs
-make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+component_test_depends_curves () {
+ msg "test/build: curves.pl (gcc)" # ~ 4 min
+ record_status tests/scripts/curves.pl
+}
-msg "test/build: curves.pl (gcc)" # ~ 4 min
-cleanup
-record_status tests/scripts/curves.pl
+component_test_depends_hashes () {
+ msg "test/build: depends-hashes.pl (gcc)" # ~ 2 min
+ record_status tests/scripts/depends-hashes.pl
+}
-msg "test/build: depends-hashes.pl (gcc)" # ~ 2 min
-cleanup
-record_status tests/scripts/depends-hashes.pl
+component_test_depends_pkalgs () {
+ msg "test/build: depends-pkalgs.pl (gcc)" # ~ 2 min
+ record_status tests/scripts/depends-pkalgs.pl
+}
-msg "test/build: depends-pkalgs.pl (gcc)" # ~ 2 min
-cleanup
-record_status tests/scripts/depends-pkalgs.pl
+component_build_key_exchanges () {
+ msg "test/build: key-exchanges (gcc)" # ~ 1 min
+ record_status tests/scripts/key-exchanges.pl
+}
-msg "test/build: key-exchanges (gcc)" # ~ 1 min
-cleanup
-record_status tests/scripts/key-exchanges.pl
+component_build_default_make_gcc () {
+ msg "build: Unix make, -Os (gcc)" # ~ 30s
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
+}
-msg "build: Unix make, -Os (gcc)" # ~ 30s
-cleanup
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
+component_test_no_platform () {
+ # Full configuration build, without platform support, file IO and net sockets.
+ # This should catch missing mbedtls_printf definitions, and by disabling file
+ # IO, it should catch missing '#include <stdio.h>'
+ msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_PLATFORM_C
+ scripts/config.pl unset MBEDTLS_NET_C
+ scripts/config.pl unset MBEDTLS_PLATFORM_MEMORY
+ scripts/config.pl unset MBEDTLS_PLATFORM_PRINTF_ALT
+ scripts/config.pl unset MBEDTLS_PLATFORM_FPRINTF_ALT
+ scripts/config.pl unset MBEDTLS_PLATFORM_SNPRINTF_ALT
+ scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT
+ scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT
+ scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ scripts/config.pl unset MBEDTLS_FS_IO
+ # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
+ # to re-enable platform integration features otherwise disabled in C99 builds
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -O0 -D_DEFAULT_SOURCE' lib programs
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' test
+}
-# Full configuration build, without platform support, file IO and net sockets.
-# This should catch missing mbedtls_printf definitions, and by disabling file
-# IO, it should catch missing '#include <stdio.h>'
-msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_PLATFORM_C
-scripts/config.pl unset MBEDTLS_NET_C
-scripts/config.pl unset MBEDTLS_PLATFORM_MEMORY
-scripts/config.pl unset MBEDTLS_PLATFORM_PRINTF_ALT
-scripts/config.pl unset MBEDTLS_PLATFORM_FPRINTF_ALT
-scripts/config.pl unset MBEDTLS_PLATFORM_SNPRINTF_ALT
-scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT
-scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
-scripts/config.pl unset MBEDTLS_FS_IO
-# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
-# to re-enable platform integration features otherwise disabled in C99 builds
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -O0 -D_DEFAULT_SOURCE' lib programs
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' test
+component_build_no_std_function () {
+ # catch compile bugs in _uninit functions
+ msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s
+ scripts/config.pl full
+ scripts/config.pl set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+ scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+}
-# catch compile bugs in _uninit functions
-msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+component_build_no_ssl_srv () {
+ msg "build: full config except ssl_srv.c, make, gcc" # ~ 30s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_SSL_SRV_C
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+}
-msg "build: full config except ssl_srv.c, make, gcc" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_SSL_SRV_C
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+component_build_no_ssl_cli () {
+ msg "build: full config except ssl_cli.c, make, gcc" # ~ 30s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_SSL_CLI_C
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+}
-msg "build: full config except ssl_cli.c, make, gcc" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_SSL_CLI_C
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+component_build_no_sockets () {
+ # Note, C99 compliance can also be tested with the sockets support disabled,
+ # as that requires a POSIX platform (which isn't the same as C99).
+ msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
+ scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib
+}
-# Note, C99 compliance can also be tested with the sockets support disabled,
-# as that requires a POSIX platform (which isn't the same as C99).
-msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
-scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib
+component_test_no_max_fragment_length () {
+ msg "build: default config except MFL extension (ASan build)" # ~ 30s
+ scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
-msg "build: default config except MFL extension (ASan build)" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+ msg "test: ssl-opt.sh, MFL-related tests"
+ if_build_succeeded tests/ssl-opt.sh -f "Max fragment length"
+}
-msg "test: ssl-opt.sh, MFL-related tests"
-if_build_succeeded tests/ssl-opt.sh -f "Max fragment length"
+component_test_null_entropy () {
+ msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
+ scripts/config.pl set MBEDTLS_TEST_NULL_ENTROPY
+ scripts/config.pl set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+ scripts/config.pl set MBEDTLS_ENTROPY_C
+ scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.pl unset MBEDTLS_ENTROPY_HARDWARE_ALT
+ scripts/config.pl unset MBEDTLS_HAVEGE_C
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan -D UNSAFE_BUILD=ON .
+ make
-msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_TEST_NULL_ENTROPY
-scripts/config.pl set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-scripts/config.pl set MBEDTLS_ENTROPY_C
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl unset MBEDTLS_ENTROPY_HARDWARE_ALT
-scripts/config.pl unset MBEDTLS_HAVEGE_C
-CC=gcc cmake -D UNSAFE_BUILD=ON -D CMAKE_C_FLAGS:String="-fsanitize=address -fno-common -O3" .
-make
+ msg "test: MBEDTLS_TEST_NULL_ENTROPY - main suites (inc. selftests) (ASan build)"
+ make test
+}
-msg "test: MBEDTLS_TEST_NULL_ENTROPY - main suites (inc. selftests) (ASan build)"
-make test
+component_test_platform_calloc_macro () {
+ msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
+ scripts/config.pl set MBEDTLS_PLATFORM_MEMORY
+ scripts/config.pl set MBEDTLS_PLATFORM_CALLOC_MACRO calloc
+ scripts/config.pl set MBEDTLS_PLATFORM_FREE_MACRO free
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
-msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_PLATFORM_MEMORY
-scripts/config.pl set MBEDTLS_PLATFORM_CALLOC_MACRO calloc
-scripts/config.pl set MBEDTLS_PLATFORM_FREE_MACRO free
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+ msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
+ make test
+}
-msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
-make test
-
-if uname -a | grep -F Linux >/dev/null; then
+component_test_make_shared () {
msg "build/test: make shared" # ~ 40s
- cleanup
make SHARED=1 all check
-fi
+}
-if uname -a | grep -F x86_64 >/dev/null; then
+component_test_m32_o0 () {
# Build once with -O0, to compile out the i386 specific inline assembly
msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s
- cleanup
- cp "$CONFIG_H" "$CONFIG_BAK"
scripts/config.pl full
make CC=gcc CFLAGS='-O0 -Werror -Wall -Wextra -m32 -fsanitize=address'
msg "test: i386, make, gcc -O0 (ASan build)"
make test
+}
+support_test_m32_o0 () {
+ case $(uname -m) in
+ *64*) true;;
+ *) false;;
+ esac
+}
+component_test_m32_o1 () {
# Build again with -O1, to compile in the i386 specific inline assembly
msg "build: i386, make, gcc -O1 (ASan build)" # ~ 30s
- cleanup
- cp "$CONFIG_H" "$CONFIG_BAK"
scripts/config.pl full
make CC=gcc CFLAGS='-O1 -Werror -Wall -Wextra -m32 -fsanitize=address'
msg "test: i386, make, gcc -O1 (ASan build)"
make test
+}
+support_test_m32_o1 () {
+ support_test_m32_o0 "$@"
+}
+component_test_mx32 () {
msg "build: 64-bit ILP32, make, gcc" # ~ 30s
- cleanup
- cp "$CONFIG_H" "$CONFIG_BAK"
scripts/config.pl full
make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32'
msg "test: 64-bit ILP32, make, gcc"
make test
-fi # x86_64
+}
+support_test_mx32 () {
+ case $(uname -m) in
+ amd64|x86_64) true;;
+ *) false;;
+ esac
+}
-msg "build: gcc, force 32-bit bignum limbs"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl unset MBEDTLS_HAVE_ASM
-scripts/config.pl unset MBEDTLS_AESNI_C
-scripts/config.pl unset MBEDTLS_PADLOCK_C
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
+component_test_min_mpi_window_size () {
+ msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s
+ scripts/config.pl set MBEDTLS_MPI_WINDOW_SIZE 1
+ CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+ make
-msg "test: gcc, force 32-bit bignum limbs"
-make test
+ msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s
+ make test
+}
-msg "build: gcc, force 64-bit bignum limbs"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl unset MBEDTLS_HAVE_ASM
-scripts/config.pl unset MBEDTLS_AESNI_C
-scripts/config.pl unset MBEDTLS_PADLOCK_C
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
+component_test_have_int32 () {
+ msg "build: gcc, force 32-bit bignum limbs"
+ scripts/config.pl unset MBEDTLS_HAVE_ASM
+ scripts/config.pl unset MBEDTLS_AESNI_C
+ scripts/config.pl unset MBEDTLS_PADLOCK_C
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
-msg "test: gcc, force 64-bit bignum limbs"
-make test
+ msg "test: gcc, force 32-bit bignum limbs"
+ make test
+}
-msg "build: arm-none-eabi-gcc, make" # ~ 10s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_NET_C
-scripts/config.pl unset MBEDTLS_TIMING_C
-scripts/config.pl unset MBEDTLS_FS_IO
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
-# following things are not in the default config
-scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
-scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
-scripts/config.pl unset MBEDTLS_THREADING_C
-scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
-scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
-make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
+component_test_have_int64 () {
+ msg "build: gcc, force 64-bit bignum limbs"
+ scripts/config.pl unset MBEDTLS_HAVE_ASM
+ scripts/config.pl unset MBEDTLS_AESNI_C
+ scripts/config.pl unset MBEDTLS_PADLOCK_C
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
-msg "build: arm-none-eabi-gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_NET_C
-scripts/config.pl unset MBEDTLS_TIMING_C
-scripts/config.pl unset MBEDTLS_FS_IO
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
-# following things are not in the default config
-scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
-scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
-scripts/config.pl unset MBEDTLS_THREADING_C
-scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
-scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
-scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
-make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
-echo "Checking that software 64-bit division is not required"
-! grep __aeabi_uldiv library/*.o
+ msg "test: gcc, force 64-bit bignum limbs"
+ make test
+}
-msg "build: ARM Compiler 5, make"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_NET_C
-scripts/config.pl unset MBEDTLS_TIMING_C
-scripts/config.pl unset MBEDTLS_FS_IO
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl unset MBEDTLS_HAVE_TIME
-scripts/config.pl unset MBEDTLS_HAVE_TIME_DATE
-scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
-# following things are not in the default config
-scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
-scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
-scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
-scripts/config.pl unset MBEDTLS_THREADING_C
-scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
-scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
-scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT # depends on MBEDTLS_HAVE_TIME
+component_build_arm_none_eabi_gcc () {
+ msg "build: arm-none-eabi-gcc, make" # ~ 10s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_NET_C
+ scripts/config.pl unset MBEDTLS_TIMING_C
+ scripts/config.pl unset MBEDTLS_FS_IO
+ scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
+ # following things are not in the default config
+ scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
+ scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
+ scripts/config.pl unset MBEDTLS_THREADING_C
+ scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
+ scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+ make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
+}
-if [ $RUN_ARMCC -ne 0 ]; then
+component_build_arm_none_eabi_gcc_no_udbl_division () {
+ msg "build: arm-none-eabi-gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_NET_C
+ scripts/config.pl unset MBEDTLS_TIMING_C
+ scripts/config.pl unset MBEDTLS_FS_IO
+ scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
+ # following things are not in the default config
+ scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
+ scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
+ scripts/config.pl unset MBEDTLS_THREADING_C
+ scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
+ scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+ scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
+ make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
+ echo "Checking that software 64-bit division is not required"
+ if_build_succeeded not grep __aeabi_uldiv library/*.o
+}
+
+component_build_armcc () {
+ msg "build: ARM Compiler 5, make"
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_NET_C
+ scripts/config.pl unset MBEDTLS_TIMING_C
+ scripts/config.pl unset MBEDTLS_FS_IO
+ scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.pl unset MBEDTLS_HAVE_TIME
+ scripts/config.pl unset MBEDTLS_HAVE_TIME_DATE
+ scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
+ # following things are not in the default config
+ scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
+ scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
+ scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
+ scripts/config.pl unset MBEDTLS_THREADING_C
+ scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
+ scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+ scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT # depends on MBEDTLS_HAVE_TIME
+
make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
make clean
@@ -798,46 +975,33 @@
# ARM Compiler 6 - Target ARMv8-A - AArch64
armc6_build_test "--target=aarch64-arm-none-eabi -march=armv8.2-a"
-fi
+}
-msg "build: allow SHA1 in certificates by default"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-make CFLAGS='-Werror -Wall -Wextra'
-msg "test: allow SHA1 in certificates by default"
-make test
-if_build_succeeded tests/ssl-opt.sh -f SHA-1
+component_test_allow_sha1 () {
+ msg "build: allow SHA1 in certificates by default"
+ scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+ make CFLAGS='-Werror -Wall -Wextra'
+ msg "test: allow SHA1 in certificates by default"
+ make test
+ if_build_succeeded tests/ssl-opt.sh -f SHA-1
+}
-msg "build: Default + MBEDTLS_RSA_NO_CRT (ASan build)" # ~ 6 min
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_RSA_NO_CRT
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+component_build_mingw () {
+ msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs
-msg "test: MBEDTLS_RSA_NO_CRT - main suites (inc. selftests) (ASan build)"
-make test
+ # note Make tests only builds the tests, but doesn't run them
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests
+ make WINDOWS_BUILD=1 clean
-msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
-cleanup
-make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs
+ msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests
+ make WINDOWS_BUILD=1 clean
+}
-# note Make tests only builds the tests, but doesn't run them
-make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests
-make WINDOWS_BUILD=1 clean
-
-msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
-make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs
-make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests
-make WINDOWS_BUILD=1 clean
-
-# MemSan currently only available on Linux 64 bits
-if uname -a | grep 'Linux.*x86_64' >/dev/null; then
-
+component_test_memsan () {
msg "build: MSan (clang)" # ~ 1 min 20s
- cleanup
- cp "$CONFIG_H" "$CONFIG_BAK"
scripts/config.pl unset MBEDTLS_AESNI_C # memsan doesn't grok asm
CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
make
@@ -854,11 +1018,10 @@
msg "test: compat.sh (MSan)" # ~ 6 min 20s
if_build_succeeded tests/compat.sh
fi
+}
-else # no MemSan
-
+component_test_valgrind () {
msg "build: Release (clang)"
- cleanup
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
make
@@ -878,33 +1041,33 @@
msg "test: compat.sh --memcheck (Release)"
if_build_succeeded tests/compat.sh --memcheck
fi
+}
-fi # MemSan
+component_test_cmake_out_of_source () {
+ msg "build: cmake 'out-of-source' build"
+ MBEDTLS_ROOT_DIR="$PWD"
+ mkdir "$OUT_OF_SOURCE_DIR"
+ cd "$OUT_OF_SOURCE_DIR"
+ cmake "$MBEDTLS_ROOT_DIR"
+ make
-msg "build: cmake 'out-of-source' build"
-cleanup
-MBEDTLS_ROOT_DIR="$PWD"
-mkdir "$OUT_OF_SOURCE_DIR"
-cd "$OUT_OF_SOURCE_DIR"
-cmake "$MBEDTLS_ROOT_DIR"
-make
-
-msg "test: cmake 'out-of-source' build"
-make test
-# Test an SSL option that requires an auxiliary script in test/scripts/.
-# Also ensure that there are no error messages such as
-# "No such file or directory", which would indicate that some required
-# file is missing (ssl-opt.sh tolerates the absence of some files so
-# may exit with status 0 but emit errors).
-if_build_succeeded ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err
-if [ -s ssl-opt.err ]; then
- cat ssl-opt.err >&2
- record_status [ ! -s ssl-opt.err ]
- rm ssl-opt.err
-fi
-cd "$MBEDTLS_ROOT_DIR"
-rm -rf "$OUT_OF_SOURCE_DIR"
-unset MBEDTLS_ROOT_DIR
+ msg "test: cmake 'out-of-source' build"
+ make test
+ # Test an SSL option that requires an auxiliary script in test/scripts/.
+ # Also ensure that there are no error messages such as
+ # "No such file or directory", which would indicate that some required
+ # file is missing (ssl-opt.sh tolerates the absence of some files so
+ # may exit with status 0 but emit errors).
+ if_build_succeeded ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err
+ if [ -s ssl-opt.err ]; then
+ cat ssl-opt.err >&2
+ record_status [ ! -s ssl-opt.err ]
+ rm ssl-opt.err
+ fi
+ cd "$MBEDTLS_ROOT_DIR"
+ rm -rf "$OUT_OF_SOURCE_DIR"
+ unset MBEDTLS_ROOT_DIR
+}
@@ -912,7 +1075,51 @@
#### Termination
################################################################
-msg "Done, cleaning up"
+post_report () {
+ msg "Done, cleaning up"
+ cleanup
+
+ final_report
+}
+
+
+
+################################################################
+#### Run all the things
+################################################################
+
+# Run one component and clean up afterwards.
+run_component () {
+ # Back up the configuration in case the component modifies it.
+ # The cleanup function will restore it.
+ cp -p "$CONFIG_H" "$CONFIG_BAK"
+ current_component="$1"
+ "$@"
+ cleanup
+}
+
+# Preliminary setup
+pre_check_environment
+pre_initialize_variables
+pre_parse_command_line "$@"
+
+pre_check_git
+build_status=0
+if [ $KEEP_GOING -eq 1 ]; then
+ pre_setup_keep_going
+else
+ record_status () {
+ "$@"
+ }
+fi
+pre_print_configuration
+pre_check_tools
cleanup
-final_report
+# Run the requested tests.
+for component in $RUN_COMPONENTS; do
+ run_component "component_$component"
+done
+
+# We're done.
+post_report
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index fbe757d..97120ea 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -91,7 +91,7 @@
OPENSSL_CMD="$OPENSSL_LEGACY" \
GNUTLS_CLI="$GNUTLS_LEGACY_CLI" \
GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
- sh compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' | \
+ sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' | \
tee -a compat-test-$TEST_OUTPUT
echo
diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl
index d0d4046..1c9dc1d 100755
--- a/tests/scripts/run-test-suites.pl
+++ b/tests/scripts/run-test-suites.pl
@@ -4,19 +4,24 @@
#
# This file is part of mbed TLS (https://tls.mbed.org)
#
-# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
-#
-# Purpose
-#
-# Executes all the available test suites, and provides a basic summary of the
-# results.
-#
-# Usage: run-test-suites.pl [-v]
-#
-# Options :
-# -v|--verbose - Provide a pass/fail/skip breakdown per test suite and
-# in total
-#
+# Copyright (c) 2015-2018, ARM Limited, All Rights Reserved
+
+=head1 SYNOPSIS
+
+Execute all the test suites and print a summary of the results.
+
+ run-test-suites.pl [[-v|--verbose] [VERBOSITY]] [--skip=SUITE[...]]
+
+Options:
+
+ -v|--verbose Print detailed failure information.
+ -v 2|--verbose=2 Print detailed failure information and summary messages.
+ -v 3|--verbose=3 Print detailed information about every test case.
+ --skip=SUITE[,SUITE...]
+ Skip the specified SUITE(s). This option can be used
+ multiple times.
+
+=cut
use warnings;
use strict;
@@ -24,10 +29,15 @@
use utf8;
use open qw(:std utf8);
-use Getopt::Long;
+use Getopt::Long qw(:config auto_help gnu_compat);
+use Pod::Usage;
my $verbose = 0;
-GetOptions( "verbose|v:1" => \$verbose );
+my @skip_patterns = ();
+GetOptions(
+ 'skip=s' => \@skip_patterns,
+ 'verbose|v:1' => \$verbose,
+ ) or die;
# All test suites = executable files, excluding source files, debug
# and profiling information, etc. We can't just grep {! /\./} because
@@ -36,6 +46,17 @@
@suites = grep { !/\.c$/ && !/\.data$/ && -f } @suites;
die "$0: no test suite found\n" unless @suites;
+# "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar"
+# but not "test_suite_foobar".
+my $skip_re =
+ ( '\Atest_suite_(' .
+ join('|', map {
+ s/[ ,;]/|/g; # allow any of " ,;|" as separators
+ s/\./\./g; # "." in the input means ".", not "any character"
+ $_
+ } @skip_patterns) .
+ ')(\z|\.)' );
+
# in case test suites are linked dynamically
$ENV{'LD_LIBRARY_PATH'} = '../library';
$ENV{'DYLD_LIBRARY_PATH'} = '../library';
@@ -45,6 +66,7 @@
my ($failed_suites, $total_tests_run, $failed, $suite_cases_passed,
$suite_cases_failed, $suite_cases_skipped, $total_cases_passed,
$total_cases_failed, $total_cases_skipped );
+my $suites_skipped = 0;
sub pad_print_center {
my( $width, $padchar, $string ) = @_;
@@ -55,6 +77,12 @@
for my $suite (@suites)
{
print "$suite ", "." x ( 72 - length($suite) - 2 - 4 ), " ";
+ if( $suite =~ /$skip_re/o ) {
+ print "SKIP\n";
+ ++$suites_skipped;
+ next;
+ }
+
my $command = "$prefix$suite";
if( $verbose ) {
$command .= ' -v';
@@ -101,7 +129,10 @@
print "-" x 72, "\n";
print $failed_suites ? "FAILED" : "PASSED";
-printf " (%d suites, %d tests run)\n", scalar @suites, $total_tests_run;
+printf( " (%d suites, %d tests run%s)\n",
+ scalar(@suites) - $suites_skipped,
+ $total_tests_run,
+ $suites_skipped ? ", $suites_skipped suites skipped" : "" );
if( $verbose > 1 ) {
print " test cases passed :", $total_cases_passed, "\n";
@@ -111,8 +142,11 @@
"\n";
print " of available tests :",
( $total_cases_passed + $total_cases_failed + $total_cases_skipped ),
- "\n"
+ "\n";
+ if( $suites_skipped != 0 ) {
+ print "Note: $suites_skipped suites were skipped.\n";
}
+}
exit( $failed_suites ? 1 : 0 );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 22bc078..fbd0367 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -3708,26 +3708,37 @@
# Tests for ciphersuites per version
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: SSL3" \
- "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+ "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
"$P_CLI force_version=ssl3" \
0 \
- -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
+ -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.0" \
- "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+ "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
"$P_CLI force_version=tls1 arc4=1" \
0 \
-c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.1" \
- "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+ "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
"$P_CLI force_version=tls1_1" \
0 \
-c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.2" \
- "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+ "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
"$P_CLI force_version=tls1_2" \
0 \
-c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
@@ -3736,7 +3747,7 @@
requires_gnutls
run_test "ClientHello without extensions, SHA-1 allowed" \
- "$P_SRV debug_level=3" \
+ "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
0 \
-s "dumping 'client hello extensions' (0 bytes)"
diff --git a/tests/suites/test_suite_timing.data b/tests/suites/test_suite_timing.data
index 4dddcf7..2522da1 100644
--- a/tests/suites/test_suite_timing.data
+++ b/tests/suites/test_suite_timing.data
@@ -1,41 +1,17 @@
-Timing: basic timer operation
-timing_timer_simple:
-
-Timing: timer reset
-timing_timer_reset:
-
-Timing: two parallel timers, delay 0
-timing_two_timers:0:
-
-Timing: two parallel timers, delay 100
-timing_two_timers:100:
-
-Timing: two parallel timers, delay 1000
-timing_two_timers:1000:
-
-Timing: two parallel timers, delay 10000
-timing_two_timers:10000:
-
-Timing: delay 0ms, 0ms
-timing_delay:0:0:
-
-Timing: delay 0ms, 50ms
-timing_delay:0:50:
-
-Timing: delay 50ms, 50ms
-timing_delay:50:50:
-
-Timing: delay 50ms, 100ms
-timing_delay:50:100:
-
-Timing: delay 50ms, 200ms
-timing_delay:50:200:
-
-Timing: alarm in 0 second
-timing_alarm:0:
-
-Timing: alarm in 1 second
-timing_alarm:1:
-
Timing: hardclock
timing_hardclock:
+
+Timing: get timer
+timing_get_timer:
+
+Timing: set alarm with no delay
+timing_set_alarm:0:
+
+Timing: set alarm with 1s delay
+timing_set_alarm:1:
+
+Timing: delay 0ms
+timing_delay:0:
+
+Timing: delay 100ms
+timing_delay:100:
diff --git a/tests/suites/test_suite_timing.function b/tests/suites/test_suite_timing.function
index 1610155..74dc823 100644
--- a/tests/suites/test_suite_timing.function
+++ b/tests/suites/test_suite_timing.function
@@ -1,51 +1,14 @@
/* BEGIN_HEADER */
-/* This test module exercises the timing module. One of the expected failure
- modes is for timers to never expire, which could lead to an infinite loop.
- The function timing_timer_simple is protected against this failure mode and
- checks that timers do expire. Other functions will terminate if their
- timers do expire. Therefore it is recommended to run timing_timer_simple
- first and run other test functions only if that timing_timer_simple
- succeeded. */
+/* This test module exercises the timing module. Since, depending on the
+ * underlying operating system, the timing routines are not always reliable,
+ * this suite only performs very basic sanity checks of the timing API.
+ */
#include <limits.h>
#include "mbedtls/timing.h"
-/* Wait this many milliseconds for a short timing test. This duration
- should be large enough that, in practice, if you read the timer
- value twice in a row, it won't have jumped by that much. */
-#define TIMING_SHORT_TEST_MS 100
-
-/* A loop that waits TIMING_SHORT_TEST_MS must not take more than this many
- iterations. This value needs to be large enough to accommodate fast
- platforms (e.g. at 4GHz and 10 cycles/iteration a CPU can run through 20
- million iterations in 50ms). The only motivation to keep this value low is
- to avoid having an infinite loop if the timer functions are not implemented
- correctly. Ideally this value should be based on the processor speed but we
- don't have this information! */
-#define TIMING_SHORT_TEST_ITERATIONS_MAX 1e8
-
-/* alarm(0) must fire in no longer than this amount of time. */
-#define TIMING_ALARM_0_DELAY_MS TIMING_SHORT_TEST_MS
-
-static int expected_delay_status( uint32_t int_ms, uint32_t fin_ms,
- unsigned long actual_ms )
-{
- return( fin_ms == 0 ? -1 :
- actual_ms >= fin_ms ? 2 :
- actual_ms >= int_ms ? 1 :
- 0 );
-}
-
-/* Some conditions in timing_timer_simple suggest that timers are unreliable.
- Most other test cases rely on timers to terminate, and could loop
- indefinitely if timers are too broken. So if timing_timer_simple detected a
- timer that risks not terminating (going backwards, or not reaching the
- desired count in the alloted clock cycles), set this flag to immediately
- fail those other tests without running any timers. */
-static int timers_are_badly_broken = 0;
-
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -54,350 +17,58 @@
*/
/* BEGIN_CASE */
-void timing_timer_simple( )
+void timing_hardclock( )
{
- struct mbedtls_timing_hr_time timer;
- unsigned long millis = 0;
- unsigned long new_millis = 0;
- unsigned long iterations = 0;
- /* Start the timer. */
- (void) mbedtls_timing_get_timer( &timer, 1 );
- /* Busy-wait loop for a few milliseconds. */
- do
- {
- new_millis = mbedtls_timing_get_timer( &timer, 0 );
- ++iterations;
- /* Check that the timer didn't go backwards */
- TEST_ASSERT( new_millis >= millis );
- millis = new_millis;
- }
- while( millis < TIMING_SHORT_TEST_MS &&
- iterations <= TIMING_SHORT_TEST_ITERATIONS_MAX );
- /* The wait duration should have been large enough for at least a
- few runs through the loop, even on the slowest realistic platform. */
- TEST_ASSERT( iterations >= 2 );
- /* The wait duration shouldn't have overflowed the iteration count. */
- TEST_ASSERT( iterations < TIMING_SHORT_TEST_ITERATIONS_MAX );
- return;
-
-exit:
- if( iterations >= TIMING_SHORT_TEST_ITERATIONS_MAX ||
- new_millis < millis )
- {
- /* The timer was very unreliable: it didn't increment and the loop ran
- out, or it went backwards. Other tests that use timers might go
- into an infinite loop, so we'll skip them. */
- timers_are_badly_broken = 1;
- }
-
- /* No cleanup needed, but show some diagnostic iterations, because timing
- problems can be hard to reproduce. */
- mbedtls_fprintf( stdout, " Finished with millis=%lu new_millis=%lu get(timer)<=%lu iterations=%lu\n",
- millis, new_millis, mbedtls_timing_get_timer( &timer, 0 ),
- iterations );
+ (void) mbedtls_timing_hardclock();
+ /* This goto is added to avoid warnings from the generated code. */
+ goto exit;
}
/* END_CASE */
/* BEGIN_CASE */
-void timing_timer_reset( )
+void timing_get_timer( )
{
- struct mbedtls_timing_hr_time timer;
- unsigned long millis = 0;
- unsigned long iterations = 0;
-
- /* Skip this test if it looks like timers don't work at all, to avoid an
- infinite loop below. */
- TEST_ASSERT( !timers_are_badly_broken );
-
- /* Start the timer. Timers are always reset to 0. */
- TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 );
- /* Busy-wait loop for a few milliseconds */
- do
- {
- ++iterations;
- millis = mbedtls_timing_get_timer( &timer, 0 );
- }
- while( millis < TIMING_SHORT_TEST_MS );
-
- /* Reset the timer and check that it has restarted. */
- TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 );
- /* Read the timer immediately after reset. It should be 0 or close
- to it. */
- TEST_ASSERT( mbedtls_timing_get_timer( &timer, 0 ) < TIMING_SHORT_TEST_MS );
- return;
-
-exit:
- /* No cleanup needed, but show some diagnostic information, because timing
- problems can be hard to reproduce. */
- if( !timers_are_badly_broken )
- mbedtls_fprintf( stdout, " Finished with millis=%lu get(timer)<=%lu iterations=%lu\n",
- millis, mbedtls_timing_get_timer( &timer, 0 ),
- iterations );
+ struct mbedtls_timing_hr_time time;
+ (void) mbedtls_timing_get_timer( &time, 1 );
+ (void) mbedtls_timing_get_timer( &time, 0 );
+ /* This goto is added to avoid warnings from the generated code. */
+ goto exit;
}
/* END_CASE */
/* BEGIN_CASE */
-void timing_two_timers( int delta )
+void timing_set_alarm( int seconds )
{
- struct mbedtls_timing_hr_time timer1, timer2;
- unsigned long millis1 = 0, millis2 = 0;
-
- /* Skip this test if it looks like timers don't work at all, to avoid an
- infinite loop below. */
- TEST_ASSERT( !timers_are_badly_broken );
-
- /* Start the first timer and wait for a short time. */
- (void) mbedtls_timing_get_timer( &timer1, 1 );
- do
+ if( seconds == 0 )
{
- millis1 = mbedtls_timing_get_timer( &timer1, 0 );
- }
- while( millis1 < TIMING_SHORT_TEST_MS );
-
- /* Do a short busy-wait, so that the difference between timer1 and timer2
- doesn't practically always end up being very close to a whole number of
- milliseconds. */
- while( delta > 0 )
- --delta;
-
- /* Start the second timer and compare it with the first. */
- mbedtls_timing_get_timer( &timer2, 1 );
- do
- {
- millis1 = mbedtls_timing_get_timer( &timer1, 0 );
- millis2 = mbedtls_timing_get_timer( &timer2, 0 );
- /* The first timer should always be ahead of the first. */
- TEST_ASSERT( millis1 > millis2 );
- /* The timers shouldn't drift apart, i.e. millis2-millis1 should stay
- roughly constant, but this is hard to test reliably, especially in
- a busy environment such as an overloaded continuous integration
- system, so we don't test it it. */
- }
- while( millis2 < TIMING_SHORT_TEST_MS );
-
- return;
-
-exit:
- /* No cleanup needed, but show some diagnostic iterations, because timing
- problems can be hard to reproduce. */
- if( !timers_are_badly_broken )
- mbedtls_fprintf( stdout, " Finished with millis1=%lu get(timer1)<=%lu millis2=%lu get(timer2)<=%lu\n",
- millis1, mbedtls_timing_get_timer( &timer1, 0 ),
- millis2, mbedtls_timing_get_timer( &timer2, 0 ) );
-}
-/* END_CASE */
-
-/* BEGIN_CASE */
-void timing_alarm( int seconds )
-{
- struct mbedtls_timing_hr_time timer;
- unsigned long millis = 0;
- /* We check that about the desired number of seconds has elapsed. Be
- slightly liberal with the lower bound, so as to allow platforms where
- the alarm (with second resolution) and the timer (with millisecond
- resolution) are based on different clocks. Be very liberal with the
- upper bound, because the platform might be busy. */
- unsigned long millis_min = ( seconds > 0 ?
- seconds * 900 :
- 0 );
- unsigned long millis_max = ( seconds > 0 ?
- seconds * 1100 + 400 :
- TIMING_ALARM_0_DELAY_MS );
- unsigned long iterations = 0;
-
- /* Skip this test if it looks like timers don't work at all, to avoid an
- infinite loop below. */
- TEST_ASSERT( !timers_are_badly_broken );
-
- /* Set an alarm and count how long it takes with a timer. */
- (void) mbedtls_timing_get_timer( &timer, 1 );
- mbedtls_set_alarm( seconds );
-
- if( seconds > 0 )
- {
- /* We set the alarm for at least 1 second. It should not have fired
- immediately, even on a slow and busy platform. */
- TEST_ASSERT( !mbedtls_timing_alarmed );
- }
- /* A 0-second alarm should fire quickly, but we don't guarantee that it
- fires immediately, so mbedtls_timing_alarmed may or may not be set at
- this point. */
-
- /* Busy-wait until the alarm rings */
- do
- {
- ++iterations;
- millis = mbedtls_timing_get_timer( &timer, 0 );
- }
- while( !mbedtls_timing_alarmed && millis <= millis_max );
-
- TEST_ASSERT( mbedtls_timing_alarmed );
- TEST_ASSERT( millis >= millis_min );
- TEST_ASSERT( millis <= millis_max );
-
- mbedtls_timing_alarmed = 0;
- return;
-
-exit:
- /* Show some diagnostic iterations, because timing
- problems can be hard to reproduce. */
- if( !timers_are_badly_broken )
- mbedtls_fprintf( stdout, " Finished with alarmed=%d millis=%lu get(timer)<=%lu iterations=%lu\n",
- mbedtls_timing_alarmed,
- millis, mbedtls_timing_get_timer( &timer, 0 ),
- iterations );
- /* Cleanup */
- mbedtls_timing_alarmed = 0;
-}
-/* END_CASE */
-
-/* BEGIN_CASE */
-void timing_delay( int int_ms, int fin_ms )
-{
- /* This function assumes that if int_ms is nonzero then it is large
- enough that we have time to read all timers at least once in an
- interval of time lasting int_ms milliseconds, and likewise for (fin_ms
- - int_ms). So don't call it with arguments that are too small. */
-
- mbedtls_timing_delay_context delay;
- struct mbedtls_timing_hr_time timer;
- unsigned long delta = 0; /* delay started between timer=0 and timer=delta */
- unsigned long before = 0, after = 0;
- unsigned long iterations = 0;
- int status = -2;
- int saw_status_1 = 0;
- int warn_inconclusive = 0;
-
- assert( int_ms >= 0 );
- assert( fin_ms >= 0 );
-
- /* Skip this test if it looks like timers don't work at all, to avoid an
- infinite loop below. */
- TEST_ASSERT( !timers_are_badly_broken );
-
- /* Start a reference timer. Program a delay, and verify that the status of
- the delay is consistent with the time given by the reference timer. */
- (void) mbedtls_timing_get_timer( &timer, 1 );
- mbedtls_timing_set_delay( &delay, int_ms, fin_ms );
- /* Set delta to an upper bound for the interval between the start of timer
- and the start of delay. Reading timer after starting delay gives us an
- upper bound for the interval, rounded to a 1ms precision. Since this
- might have been rounded down, but we need an upper bound, we add 1. */
- delta = mbedtls_timing_get_timer( &timer, 0 ) + 1;
-
- status = mbedtls_timing_get_delay( &delay );
- if( fin_ms == 0 )
- {
- /* Cancelled timer. Just check the correct status for this case. */
- TEST_ASSERT( status == -1 );
- return;
- }
-
- /* Initially, none of the delays must be passed yet if they're nonzero.
- This could fail for very small values of int_ms and fin_ms, where "very
- small" depends how fast and how busy the platform is. */
- if( int_ms > 0 )
- {
- TEST_ASSERT( status == 0 );
+ mbedtls_set_alarm( seconds );
+ TEST_ASSERT( mbedtls_timing_alarmed == 1 );
}
else
{
- TEST_ASSERT( status == 1 );
+ mbedtls_set_alarm( seconds );
+ TEST_ASSERT( mbedtls_timing_alarmed == 0 ||
+ mbedtls_timing_alarmed == 1 );
}
-
- do
- {
- unsigned long delay_min, delay_max;
- int status_min, status_max;
- ++iterations;
- before = mbedtls_timing_get_timer( &timer, 0 );
- status = mbedtls_timing_get_delay( &delay );
- after = mbedtls_timing_get_timer( &timer, 0 );
- /* At a time between before and after, the delay's status was status.
- Check that this is consistent given that the delay was started
- between times 0 and delta. */
- delay_min = ( before > delta ? before - delta : 0 );
- status_min = expected_delay_status( int_ms, fin_ms, delay_min );
- delay_max = after;
- status_max = expected_delay_status( int_ms, fin_ms, delay_max );
- TEST_ASSERT( status >= status_min );
- TEST_ASSERT( status <= status_max );
- if( status == 1 )
- saw_status_1 = 1;
- }
- while ( before <= fin_ms + delta && status != 2 );
-
- /* Since we've waited at least fin_ms, the delay must have fully
- expired. */
- TEST_ASSERT( status == 2 );
-
- /* If the second delay is more than the first, then there must have been a
- point in time when the first delay was passed but not the second delay.
- This could fail for very small values of (fin_ms - int_ms), where "very
- small" depends how fast and how busy the platform is. In practice, this
- is the test that's most likely to fail on a heavily loaded machine. */
- if( fin_ms > int_ms )
- {
- warn_inconclusive = 1;
- TEST_ASSERT( saw_status_1 );
- }
-
- return;
-
-exit:
- /* No cleanup needed, but show some diagnostic iterations, because timing
- problems can be hard to reproduce. */
- if( !timers_are_badly_broken )
- mbedtls_fprintf( stdout, " Finished with delta=%lu before=%lu after=%lu status=%d iterations=%lu\n",
- delta, before, after, status, iterations );
- if( warn_inconclusive )
- mbedtls_fprintf( stdout, " Inconclusive test, try running it on a less heavily loaded machine.\n" );
- }
+}
/* END_CASE */
/* BEGIN_CASE */
-void timing_hardclock( )
+void timing_delay( int fin_ms )
{
- /* We make very few guarantees about mbedtls_timing_hardclock: its rate is
- platform-dependent, it can wrap around. So there isn't much we can
- test. But we do at least test that it doesn't crash, stall or return
- completely nonsensical values. */
-
- struct mbedtls_timing_hr_time timer;
- unsigned long hardclock0 = -1, hardclock1 = -1, delta1 = -1;
-
- /* Skip this test if it looks like timers don't work at all, to avoid an
- infinite loop below. */
- TEST_ASSERT( !timers_are_badly_broken );
-
- hardclock0 = mbedtls_timing_hardclock( );
- /* Wait 2ms to ensure a nonzero delay. Since the timer interface has 1ms
- resolution and unspecified precision, waiting 1ms might be a very small
- delay that's rounded up. */
- (void) mbedtls_timing_get_timer( &timer, 1 );
- while( mbedtls_timing_get_timer( &timer, 0 ) < 2 )
- /*busy-wait loop*/;
- hardclock1 = mbedtls_timing_hardclock( );
-
- /* Although the hardclock counter can wrap around, the difference
- (hardclock1 - hardclock0) is taken modulo the type size, so it is
- correct as long as the counter only wrapped around at most once. We
- further require the difference to be nonzero (after a wait of more than
- 1ms, the counter must have changed), and not to be overly large (after
- a wait of less than 3ms, plus time lost because other processes were
- scheduled on the CPU). If the hardclock counter runs at 4GHz, then
- 1000000000 (which is 1/4 of the counter wraparound on a 32-bit machine)
- allows 250ms. */
- delta1 = hardclock1 - hardclock0;
- TEST_ASSERT( delta1 > 0 );
- TEST_ASSERT( delta1 < 1000000000 );
- return;
-
-exit:
- /* No cleanup needed, but show some diagnostic iterations, because timing
- problems can be hard to reproduce. */
- if( !timers_are_badly_broken )
- mbedtls_fprintf( stdout, " Finished with hardclock=%lu,%lu\n",
- hardclock0, hardclock1 );
+ mbedtls_timing_delay_context ctx;
+ int result;
+ if( fin_ms == 0 )
+ {
+ mbedtls_timing_set_delay( &ctx, 0, 0 );
+ result = mbedtls_timing_get_delay( &ctx );
+ TEST_ASSERT( result == -1 );
+ }
+ else
+ {
+ mbedtls_timing_set_delay( &ctx, fin_ms / 2, fin_ms );
+ result = mbedtls_timing_get_delay( &ctx );
+ TEST_ASSERT( result >= 0 && result <= 2 );
+ }
}
/* END_CASE */
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 5b54d85..c196625 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -1,78 +1,86 @@
Certificate Request check Server1 SHA1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0
Certificate Request check Server1 SHA224
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0
Certificate Request check Server1 SHA256
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0
Certificate Request check Server1 SHA384
depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0
Certificate Request check Server1 SHA512
depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0
Certificate Request check Server1 MD4
depends_on:MBEDTLS_MD4_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0:0:0
Certificate Request check Server1 MD5
depends_on:MBEDTLS_MD5_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0
Certificate Request check Server1 key_usage
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0
+
+Certificate Request check Server1 key_usage empty
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0
Certificate Request check Server1 ns_cert_type
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1
+
+Certificate Request check Server1 ns_cert_type empty
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1
Certificate Request check Server1 key_usage + ns_cert_type
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1
Certificate Request check Server5 ECDSA, key_usage
depends_on:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0
+x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0
Certificate write check Server1 SHA1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":0
Certificate write check Server1 SHA1, key_usage
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":0
Certificate write check Server1 SHA1, ns_cert_type
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0
Certificate write check Server1 SHA1, version 1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
Certificate write check Server1 SHA1, RSA_ALT
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.noauthid.crt":1
Certificate write check Server1 SHA1, RSA_ALT, key_usage
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1
Certificate write check Server1 SHA1, RSA_ALT, version 1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1
X509 String to Names #1
mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 62f82e8..aba23d4 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -35,8 +35,9 @@
*/
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */
-void x509_csr_check( char *key_file, char *cert_req_check_file,
- int md_type, int key_usage, int cert_type )
+void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
+ int key_usage, int set_key_usage, int cert_type,
+ int set_cert_type )
{
mbedtls_pk_context key;
mbedtls_x509write_csr req;
@@ -58,9 +59,9 @@
mbedtls_x509write_csr_set_md_alg( &req, md_type );
mbedtls_x509write_csr_set_key( &req, &key );
TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 );
- if( key_usage != 0 )
+ if( set_key_usage != 0 )
TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 );
- if( cert_type != 0 )
+ if( set_cert_type != 0 )
TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ),
@@ -99,7 +100,8 @@
char *subject_name, char *issuer_key_file,
char *issuer_pwd, char *issuer_name,
char *serial_str, char *not_before, char *not_after,
- int md_type, int key_usage, int cert_type, int auth_ident,
+ int md_type, int key_usage, int set_key_usage,
+ int cert_type, int set_cert_type, int auth_ident,
int ver, char *cert_check_file, int rsa_alt )
{
mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
@@ -167,9 +169,9 @@
TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
if( auth_ident )
TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
- if( key_usage != 0 )
+ if( set_key_usage != 0 )
TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 );
- if( cert_type != 0 )
+ if( set_cert_type != 0 )
TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 );
}