Merge pull request #9395 from sezrab/mbedtls_test_ssl_message_queue_pop_info-3.6
[Backport 3.6] tests/ssl_helpers: Check that message queue is popped
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d5135f5..10f4f53 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -22,6 +22,10 @@
include(CMakePackageConfigHelpers)
+# Include convenience functions for printing properties and variables, like
+# cmake_print_properties(), cmake_print_variables().
+include(CMakePrintHelpers)
+
# https://cmake.org/cmake/help/latest/policy/CMP0011.html
# Setting this policy is required in CMake >= 3.18.0, otherwise a warning is generated. The OLD
# policy setting is deprecated, and will be removed in future versions.
diff --git a/docs/requirements.txt b/docs/requirements.txt
index a1bfd82..2287b2a 100644
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,63 +1,66 @@
#
-# This file is autogenerated by pip-compile with Python 3.9
+# This file is autogenerated by pip-compile with Python 3.8
# by the following command:
#
# pip-compile requirements.in
#
alabaster==0.7.13
# via sphinx
-babel==2.12.1
+babel==2.15.0
# via sphinx
breathe==4.35.0
# via -r requirements.in
-certifi==2022.12.7
+certifi==2024.7.4
# via requests
-charset-normalizer==3.1.0
+charset-normalizer==3.3.2
# via requests
-click==8.1.3
+click==8.1.7
# via readthedocs-cli
-docutils==0.17.1
+docutils==0.20.1
# via
# breathe
# sphinx
# sphinx-rtd-theme
-idna==3.4
+idna==3.7
# via requests
imagesize==1.4.1
# via sphinx
-importlib-metadata==6.0.0
+importlib-metadata==8.0.0
# via sphinx
-jinja2==3.1.2
+jinja2==3.1.4
# via sphinx
-markdown-it-py==2.2.0
+markdown-it-py==3.0.0
# via rich
-markupsafe==2.1.2
+markupsafe==2.1.5
# via jinja2
mdurl==0.1.2
# via markdown-it-py
-packaging==23.0
+packaging==24.1
# via sphinx
-pygments==2.14.0
+pygments==2.18.0
# via
# rich
# sphinx
-pyyaml==6.0
+pytz==2024.1
+ # via babel
+pyyaml==6.0.1
# via readthedocs-cli
readthedocs-cli==4
# via -r requirements.in
-requests==2.28.2
+requests==2.32.3
# via
# readthedocs-cli
# sphinx
-rich==13.3.5
+rich==13.7.1
# via readthedocs-cli
snowballstemmer==2.2.0
# via sphinx
-sphinx==4.5.0
+sphinx==7.1.2
# via
# breathe
# sphinx-rtd-theme
-sphinx-rtd-theme==1.2.0
+ # sphinxcontrib-jquery
+sphinx-rtd-theme==2.0.0
# via -r requirements.in
sphinxcontrib-applehelp==1.0.4
# via sphinx
@@ -65,7 +68,7 @@
# via sphinx
sphinxcontrib-htmlhelp==2.0.1
# via sphinx
-sphinxcontrib-jquery==2.0.0
+sphinxcontrib-jquery==4.1
# via sphinx-rtd-theme
sphinxcontrib-jsmath==1.0.1
# via sphinx
@@ -73,10 +76,9 @@
# via sphinx
sphinxcontrib-serializinghtml==1.1.5
# via sphinx
-urllib3==1.26.15
+typing-extensions==4.12.2
+ # via rich
+urllib3==2.2.2
# via requests
-zipp==3.15.0
+zipp==3.19.2
# via importlib-metadata
-
-# The following packages are considered to be unsafe in a requirements file:
-# setuptools
diff --git a/framework b/framework
index 8853c84..331565b 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 8853c8471200e62448413d1f40d6801a19796a83
+Subproject commit 331565b041f794df2da76394b3b0039abce30355
diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h
index 7dafbae..7a375d8 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@@ -4,7 +4,7 @@
*
* This is an internal header. Do not include it directly.
*
- * Automatically enable certain dependencies. Generally, MBEDLTS_xxx
+ * Automatically enable certain dependencies. Generally, MBEDTLS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
* compilation error. However, we do automatically enable certain options
@@ -433,7 +433,7 @@
#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
#endif
-/* Some internal helpers to determine which keys are availble. */
+/* Some internal helpers to determine which keys are available. */
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
#define MBEDTLS_SSL_HAVE_AES
@@ -447,7 +447,7 @@
#define MBEDTLS_SSL_HAVE_CAMELLIA
#endif
-/* Some internal helpers to determine which operation modes are availble. */
+/* Some internal helpers to determine which operation modes are available. */
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
#define MBEDTLS_SSL_HAVE_CBC
diff --git a/include/mbedtls/config_adjust_ssl.h b/include/mbedtls/config_adjust_ssl.h
index 309524a..1f82d9c 100644
--- a/include/mbedtls/config_adjust_ssl.h
+++ b/include/mbedtls/config_adjust_ssl.h
@@ -4,7 +4,7 @@
*
* This is an internal header. Do not include it directly.
*
- * Automatically enable certain dependencies. Generally, MBEDLTS_xxx
+ * Automatically enable certain dependencies. Generally, MBEDTLS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
* compilation error. However, we do automatically enable certain options
diff --git a/include/mbedtls/config_adjust_x509.h b/include/mbedtls/config_adjust_x509.h
index c063251..cfb2d88 100644
--- a/include/mbedtls/config_adjust_x509.h
+++ b/include/mbedtls/config_adjust_x509.h
@@ -4,7 +4,7 @@
*
* This is an internal header. Do not include it directly.
*
- * Automatically enable certain dependencies. Generally, MBEDLTS_xxx
+ * Automatically enable certain dependencies. Generally, MBEDTLS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
* compilation error. However, we do automatically enable certain options
diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h
index a0909d6..a6a5069 100644
--- a/include/mbedtls/ecdh.h
+++ b/include/mbedtls/ecdh.h
@@ -325,7 +325,7 @@
* \brief This function sets up an ECDH context from an EC key.
*
* It is used by clients and servers in place of the
- * ServerKeyEchange for static ECDH, and imports ECDH
+ * ServerKeyExchange for static ECDH, and imports ECDH
* parameters from the EC key information of a certificate.
*
* \see ecp.h
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index d8f73ae..623910b 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -216,7 +216,7 @@
* range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
* which is congruent mod \p P to the given MPI, and is close enough to \p pbits
* in size, so that it may be efficiently brought in the 0..P-1 range by a few
- * additions or subtractions. Therefore, it is only an approximative modular
+ * additions or subtractions. Therefore, it is only an approximate modular
* reduction. It must return 0 on success and non-zero on failure.
*
* \note Alternative implementations of the ECP module must obey the
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 3592141..c59dd68 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1118,7 +1118,7 @@
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
*
* \warning If SHA-256 is provided only by a PSA driver, you must call
- * psa_crypto_init() before the first hanshake (even if
+ * psa_crypto_init() before the first handshake (even if
* MBEDTLS_USE_PSA_CRYPTO is disabled).
*
* This enables the following ciphersuites (if other requisites are
@@ -2625,7 +2625,7 @@
* The CTR_DRBG generator uses AES-256 by default.
* To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
*
- * AES support can either be achived through builtin (MBEDTLS_AES_C) or PSA.
+ * AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA.
* Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA
* is used.
*
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index f9db4dd..3525da2 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -3865,8 +3865,8 @@
* psa_key_derivation_abort().
*
* \param[in,out] operation The key derivation operation object to read from.
- * \param[in] expected_output Buffer containing the expected derivation output.
- * \param output_length Length of the expected output; this is also the
+ * \param[in] expected Buffer containing the expected derivation output.
+ * \param expected_length Length of the expected output; this is also the
* number of bytes that will be read.
*
* \retval #PSA_SUCCESS \emptydescription
@@ -3896,8 +3896,8 @@
*/
psa_status_t psa_key_derivation_verify_bytes(
psa_key_derivation_operation_t *operation,
- const uint8_t *expected_output,
- size_t output_length);
+ const uint8_t *expected,
+ size_t expected_length);
/** Compare output data from a key derivation operation to an expected value
* stored in a key object.
diff --git a/library/platform_util.c b/library/platform_util.c
index 0741bf5..19ef07a 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -149,7 +149,7 @@
#include <time.h>
#if !defined(_WIN32) && (defined(unix) || \
defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
- defined(__MACH__)) || defined__midipix__)
+ defined(__MACH__)) || defined(__midipix__))
#include <unistd.h>
#endif /* !_WIN32 && (unix || __unix || __unix__ ||
* (__APPLE__ && __MACH__) || __midipix__) */
diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile
index 828e518..71cba0b 100644
--- a/programs/fuzz/Makefile
+++ b/programs/fuzz/Makefile
@@ -9,9 +9,7 @@
LOCAL_LDFLAGS += -lFuzzingEngine
endif
-# A test application is built for each suites/test_suite_*.data file.
-# Application name is same as .data file's base name and can be
-# constructed by stripping path 'suites/' and extension .data.
+# A test application is built for each fuzz_*.c file.
APPS = $(basename $(wildcard fuzz_*.c))
# Construct executable name by adding OS specific suffix $(EXEXT).
diff --git a/programs/test/metatest.c b/programs/test/metatest.c
index c52e579..75829ec 100644
--- a/programs/test/metatest.c
+++ b/programs/test/metatest.c
@@ -381,7 +381,7 @@
void (*entry_point)(const char *name);
} metatest_t;
-/* The list of availble meta-tests. Remember to register new functions here!
+/* The list of available meta-tests. Remember to register new functions here!
*
* Note that we always compile all the functions, so that `metatest --list`
* will always list all the available meta-tests.
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 041508c..b909c4e 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -69,7 +69,8 @@
# Derive generated file paths in the build directory. The generated data
# files go into the suites/ subdirectory.
set(base_generated_data_files
- ${base_bignum_generated_data_files} ${base_ecp_generated_data_files} ${base_psa_generated_data_files})
+ ${base_bignum_generated_data_files} ${base_config_generated_data_files}
+ ${base_ecp_generated_data_files} ${base_psa_generated_data_files})
string(REGEX REPLACE "([^;]+)" "suites/\\1"
all_generated_data_files "${base_generated_data_files}")
set(bignum_generated_data_files "")
@@ -197,6 +198,7 @@
# Get the test names of the tests with generated .data files
# from the generated_data_files list in parent scope.
set(bignum_generated_data_names "")
+ set(config_generated_data_names "")
set(ecp_generated_data_names "")
set(psa_generated_data_names "")
foreach(generated_data_file ${bignum_generated_data_files})
@@ -208,6 +210,15 @@
string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
list(APPEND bignum_generated_data_names ${generated_data_name})
endforeach()
+ foreach(generated_data_file ${config_generated_data_files})
+ # Get the plain filename
+ get_filename_component(generated_data_name ${generated_data_file} NAME)
+ # Remove the ".data" extension
+ get_name_without_last_ext(generated_data_name ${generated_data_name})
+ # Remove leading "test_suite_"
+ string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
+ list(APPEND config_generated_data_names ${generated_data_name})
+ endforeach()
foreach(generated_data_file ${ecp_generated_data_files})
# Get the plain filename
get_filename_component(generated_data_name ${generated_data_file} NAME)
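Review bot: The added `foreach` over `config_generated_data_files` is another copy of the same three-step name derivation, and it keeps the magic offset in `string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)`, which silently yields a wrong name if a file ever lacks the `test_suite_` prefix. Stating the intent directly is safer: `string(REGEX REPLACE "^test_suite_" "" generated_data_name "${generated_data_name}")`. The hunks do not show where `config_generated_data_files` is populated, so it is worth confirming that it is set before this loop; if it is empty, the loop does nothing and the `config` branch further down never matches. The enclosing function starts and ends outside the hunk.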
@@ -234,7 +245,7 @@
elseif(";${config_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
- set(dependency test_suite_bignum_generated_data)
+ set(dependency test_suite_config_generated_data)
elseif(";${ecp_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
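Review bot: The corrected `set(dependency test_suite_config_generated_data)` is reached only through `";${config_generated_data_names};" MATCHES ";${data_name};"`, which treats `${data_name}` as a regular expression, so a `.` or other metacharacter in a suite name matches more than the literal name. An exact membership test avoids selecting the wrong generator target: `elseif("${data_name}" IN_LIST config_generated_data_names)`, assuming the project's minimum CMake version enables `IN_LIST` (not visible here). The same applies to the `ecp` branch visible below and presumably to the other branches of this chain, which starts and ends outside the hunk.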
diff --git a/tests/include/test/psa_test_wrappers.h b/tests/include/test/psa_test_wrappers.h
index e6d712b..9551855 100644
--- a/tests/include/test/psa_test_wrappers.h
+++ b/tests/include/test/psa_test_wrappers.h
@@ -17,7 +17,6 @@
!defined(RECORD_PSA_STATUS_COVERAGE_LOG)
#include <psa/crypto.h>
-
#include <test/memory.h>
#include <test/psa_crypto_helpers.h>
#include <test/psa_test_wrappers.h>
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index f8147d1..993e23c 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -357,6 +357,12 @@
'Key ASN1 (Encrypted key PKCS5, trailing garbage data)',
re.compile(r'Parse (RSA|EC) Key .*\(.* ([Ee]ncrypted|password).*\)'),
],
+ # Encrypted keys are not supported so far.
+ 'ssl-opt': [
+ 'TLS: password protected server key',
+ 'TLS: password protected client key',
+ 'TLS: password protected server key, two certificates',
+ ],
}
}
},
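Review bot: The new `'ssl-opt'` entries are matched by exact test description, and the comment `# Encrypted keys are not supported so far.` does not say what lacks support or when the entries can be removed. If a description in `tests/ssl-opt.sh` is reworded, the entry here goes stale; how the checker reacts to that is not visible on this page. Suggest a more specific comment such as `# Encrypted PEM keys need built-in AES-CBC and MD5 (PEM has no PSA dispatch); remove once supported.`, provided that is the actual reason, as the ssl-opt.sh comments on these tests suggest. The enclosing dict begins outside the hunk.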
diff --git a/tests/src/psa_test_wrappers.c b/tests/src/psa_test_wrappers.c
index 24e05c8..7415e29 100644
--- a/tests/src/psa_test_wrappers.c
+++ b/tests/src/psa_test_wrappers.c
@@ -10,7 +10,6 @@
!defined(RECORD_PSA_STATUS_COVERAGE_LOG)
#include <psa/crypto.h>
-
#include <test/memory.h>
#include <test/psa_crypto_helpers.h>
#include <test/psa_test_wrappers.h>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 1cc1115..0b8f129 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -595,6 +595,7 @@
*) PSK_ONLY="NO";;
esac
+HAS_ALG_MD5="NO"
HAS_ALG_SHA_1="NO"
HAS_ALG_SHA_224="NO"
HAS_ALG_SHA_256="NO"
@@ -613,7 +614,10 @@
else
CURR_ALG=MBEDTLS_${1}_C
# Remove the second underscore to match MBEDTLS_* naming convention
- CURR_ALG=$(echo "$CURR_ALG" | sed 's/_//2')
+ # MD5 is an exception to this convention
+ if [ "${1}" != "MD5" ]; then
+ CURR_ALG=$(echo "$CURR_ALG" | sed 's/_//2')
+ fi
fi
case $CONFIGS_ENABLED in
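Review bot: The exception is keyed on a single name, `if [ "${1}" != "MD5" ]`, so any later hash whose legacy macro has no inner underscore will hit the same bug and need another special case. Keying on the names that actually need the rewrite is more robust: `case "$1" in SHA_*) CURR_ALG=$(echo "$CURR_ALG" | sed 's/_//2');; esac`. The comment could then read `# SHA_nnn maps to MBEDTLS_SHAnnn_C; other names are used as-is`. The function containing this branch starts and ends outside the hunk.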
@@ -627,7 +631,7 @@
populate_enabled_hash_algs()
{
- for hash_alg in SHA_1 SHA_224 SHA_256 SHA_384 SHA_512; do
+ for hash_alg in SHA_1 SHA_224 SHA_256 SHA_384 SHA_512 MD5; do
if check_for_hash_alg "$hash_alg"; then
hash_alg_variable=HAS_ALG_${hash_alg}
eval ${hash_alg_variable}=YES
@@ -640,6 +644,7 @@
HASH_DEFINE="Invalid"
HAS_HASH_ALG="NO"
case $1 in
+ MD5):;;
SHA_1):;;
SHA_224):;;
SHA_256):;;
@@ -1814,7 +1819,7 @@
# a maximum fragment length.
# first argument ($1) is MFL for SSL client
# second argument ($2) is memory usage for SSL client with default MFL (16k)
-run_test_memory_after_hanshake_with_mfl()
+run_test_memory_after_handshake_with_mfl()
{
# The test passes if the difference is around 2*(16k-MFL)
MEMORY_USAGE_LIMIT="$(( $2 - ( 2 * ( 16384 - $1 )) ))"
@@ -1834,7 +1839,7 @@
# Test that the server's memory usage after a handshake is reduced when a client specifies
# different values of Maximum Fragment Length: default (16k), 4k, 2k, 1k and 512 bytes
-run_tests_memory_after_hanshake()
+run_tests_memory_after_handshake()
{
# all tests in this sequence requires the same configuration (see requires_config_enabled())
SKIP_THIS_TESTS="$SKIP_NEXT"
@@ -1850,16 +1855,16 @@
-F "handshake_memory_get MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
- run_test_memory_after_hanshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
+ run_test_memory_after_handshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
- run_test_memory_after_hanshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
+ run_test_memory_after_handshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
- run_test_memory_after_hanshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
+ run_test_memory_after_handshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
- run_test_memory_after_hanshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
+ run_test_memory_after_handshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
}
cleanup() {
@@ -2109,11 +2114,11 @@
-c "Key size is 128"
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
-requires_config_enabled MBEDTLS_MD_CAN_MD5
# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
# module does not support PSA dispatching so we need builtin support.
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_AES_C
+requires_hash_alg MD5
requires_hash_alg SHA_256
run_test "TLS: password protected client key" \
"$P_SRV force_version=tls12 auth_mode=required" \
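Review bot: The comment above the requirements explains the built-in AES and CBC dependency but not why `requires_hash_alg MD5` is needed, which is not obvious for a TLS 1.2 test that also requires SHA-256. Presumably the encrypted PEM key's decryption key is derived from the password with MD5; this should be confirmed against the PEM module, which is not on this page. A line such as `# The PEM decryption key is derived from the password using MD5.` beside the requirement would keep a later cleanup from dropping it. The same applies to the next two hunks ("TLS: password protected server key" and "..., two certificates"); the `run_test` call continues outside the hunk.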
@@ -2121,11 +2126,11 @@
0
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
-requires_config_enabled MBEDTLS_MD_CAN_MD5
# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
# module does not support PSA dispatching so we need builtin support.
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_AES_C
+requires_hash_alg MD5
requires_hash_alg SHA_256
run_test "TLS: password protected server key" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest" \
@@ -2134,11 +2139,11 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_MD_CAN_MD5
# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
# module does not support PSA dispatching so we need builtin support.
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_AES_C
+requires_hash_alg MD5
requires_hash_alg SHA_256
run_test "TLS: password protected server key, two certificates" \
"$P_SRV force_version=tls12\
@@ -5549,7 +5554,7 @@
-c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \
-c "=> renegotiate" \
- -C "ssl_hanshake() returned" \
+ -C "ssl_handshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
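Review bot: `-C "ssl_handshake() returned"` is a must-not-appear check, so it passes whenever the string is absent, including when the pattern does not match the client's wording at all; that is how the misspelled `ssl_hanshake()` pattern went unnoticed. It is worth confirming that the corrected string is exactly what the client prints on a handshake failure, since the program's message is not on this page. If the real message lacks the `()` or is worded differently, this check still asserts nothing and only `-C "error"` guards these renegotiation tests. The same applies to the next two hunks; the `run_test` call starts outside the hunk.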
@@ -5563,7 +5568,7 @@
-c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \
-c "=> renegotiate" \
- -C "ssl_hanshake() returned" \
+ -C "ssl_handshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
@@ -5607,7 +5612,7 @@
-c "client hello, adding renegotiation extension" \
-C "found renegotiation extension" \
-c "=> renegotiate" \
- -C "ssl_hanshake() returned" \
+ -C "ssl_handshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
@@ -14143,7 +14148,7 @@
requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_max_content_len 16384
-run_tests_memory_after_hanshake
+run_tests_memory_after_handshake
if [ "$LIST_TESTS" -eq 0 ]; then