Merge pull request #7418 from xkqian/big_number_ecc_update_comment
Update SEC1 link in ecp.c
diff --git a/ChangeLog.d/add-missing-md-includes.txt b/ChangeLog.d/add-missing-md-includes.txt
new file mode 100644
index 0000000..408c361
--- /dev/null
+++ b/ChangeLog.d/add-missing-md-includes.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Add missing md.h includes to some of the external programs from
+ the programs directory. Without this, even though the configuration
+ was sufficient for a particular program to work, it would only print
+ a message that one of the required defines is missing.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index f8c5948..e84da60 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -40,6 +40,8 @@
#include "mbedtls/dhm.h"
#endif
+#include "mbedtls/md.h"
+
#if defined(MBEDTLS_ECDH_C)
#include "mbedtls/ecdh.h"
#endif
@@ -106,7 +108,8 @@
/* Error space gap */
/* Error space gap */
/* Error space gap */
-/* Error space gap */
+/** Cache entry not found */
+#define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND -0x7E80
/** Memory allocation failed */
#define MBEDTLS_ERR_SSL_ALLOC_FAILED -0x7F00
/** Hardware acceleration function returned with error */
diff --git a/include/mbedtls/ssl_cache.h b/include/mbedtls/ssl_cache.h
index 55dcf77..08f98b5 100644
--- a/include/mbedtls/ssl_cache.h
+++ b/include/mbedtls/ssl_cache.h
@@ -102,6 +102,11 @@
* \param session_id_len The length of \p session_id in bytes.
* \param session The address at which to store the session
* associated with \p session_id, if present.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is
+ * no cache entry with specified session ID found, or
+ * any other negative error code for other failures.
*/
int mbedtls_ssl_cache_get(void *data,
unsigned char const *session_id,
@@ -117,6 +122,9 @@
* associated to \p session.
* \param session_id_len The length of \p session_id in bytes.
* \param session The session to store.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_ssl_cache_set(void *data,
unsigned char const *session_id,
@@ -132,9 +140,10 @@
* associated to \p session.
* \param session_id_len The length of \p session_id in bytes.
*
- * \return 0: The cache entry for session with provided ID
- * is removed or does not exist.
- * Otherwise: fail.
+ * \return \c 0 on success. This indicates the cache entry for
+ * the session with provided ID is removed or does not
+ * exist.
+ * \return A negative error code on failure.
*/
int mbedtls_ssl_cache_remove(void *data,
unsigned char const *session_id,
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 45d743f..4e5293d 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -1104,9 +1104,10 @@
* - write the raw content of public key "pub" to a local buffer
* - compare the two buffers
*/
-static int eckey_check_pair_psa(const void *pub, const void *prv)
+static int eckey_check_pair_psa(const mbedtls_ecp_keypair *pub,
+ const mbedtls_ecp_keypair *prv)
{
- psa_status_t status;
+ psa_status_t status, destruction_status;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_ecp_keypair *prv_ctx = (mbedtls_ecp_keypair *) prv;
mbedtls_ecp_keypair *pub_ctx = (mbedtls_ecp_keypair *) pub;
@@ -1133,20 +1134,21 @@
}
status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
- if (status != PSA_SUCCESS) {
- ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ if (ret != 0) {
return ret;
}
mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
- ret = PSA_PK_TO_MBEDTLS_ERR(psa_export_public_key(key_id,
- prv_key_buf,
- sizeof(prv_key_buf),
- &prv_key_len));
- status = psa_destroy_key(key_id);
- if (ret != 0 || status != PSA_SUCCESS) {
- return (ret != 0) ? ret : PSA_PK_TO_MBEDTLS_ERR(status);
+ status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
+ &prv_key_len);
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ destruction_status = psa_destroy_key(key_id);
+ if (ret != 0) {
+ return ret;
+ } else if (destruction_status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
}
ret = mbedtls_ecp_point_write_binary(&pub_ctx->grp, &pub_ctx->Q,
@@ -1172,8 +1174,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
(void) f_rng;
(void) p_rng;
- return eckey_check_pair_psa((const mbedtls_ecp_keypair *) pub,
- (const mbedtls_ecp_keypair *) prv);
+ return eckey_check_pair_psa(pub, prv);
#else /* MBEDTLS_USE_PSA_CRYPTO */
return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub,
(const mbedtls_ecp_keypair *) prv,
diff --git a/library/pkparse.c b/library/pkparse.c
index ccca692..fa61a06 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -48,6 +48,14 @@
#include "mbedtls/pkcs12.h"
#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#include "mbedtls/psa_util.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
#include "mbedtls/platform.h"
#if defined(MBEDTLS_FS_IO)
@@ -869,6 +877,57 @@
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * Helper function for deriving a public key from its private counterpart by
+ * using PSA functions.
+ */
+static int pk_derive_public_key(mbedtls_ecp_group *grp, mbedtls_ecp_point *Q,
+ const mbedtls_mpi *d)
+{
+ psa_status_t status, destruction_status;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ size_t curve_bits;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(grp->id, &curve_bits);
+ /* This buffer is used to store the private key at first and then the
+ * public one (but not at the same time). Therefore we size it for the
+ * latter since it's bigger. */
+ unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ int ret;
+
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
+
+ ret = mbedtls_mpi_write_binary(d, key_buf, key_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ status = psa_import_key(&key_attr, key_buf, key_len, &key_id);
+ ret = psa_pk_status_to_mbedtls(status);
+ if (ret != 0) {
+ return ret;
+ }
+
+ mbedtls_platform_zeroize(key_buf, sizeof(key_buf));
+
+ status = psa_export_public_key(key_id, key_buf, sizeof(key_buf), &key_len);
+ ret = psa_pk_status_to_mbedtls(status);
+ destruction_status = psa_destroy_key(key_id);
+ if (ret != 0) {
+ return ret;
+ } else if (destruction_status != PSA_SUCCESS) {
+ return psa_pk_status_to_mbedtls(destruction_status);
+ }
+
+ ret = mbedtls_ecp_point_read_binary(grp, Q, key_buf, key_len);
+
+ return ret;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
/*
* Parse a SEC1 encoded private EC key
*/
@@ -975,11 +1034,21 @@
}
}
- if (!pubkey_done &&
- (ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G,
- f_rng, p_rng)) != 0) {
- mbedtls_ecp_keypair_free(eck);
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ if (!pubkey_done) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ (void) f_rng;
+ (void) p_rng;
+ if ((ret = pk_derive_public_key(&eck->grp, &eck->Q, &eck->d)) != 0) {
+ mbedtls_ecp_keypair_free(eck);
+ return ret;
+ }
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+ if ((ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G,
+ f_rng, p_rng)) != 0) {
+ mbedtls_ecp_keypair_free(eck);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) {
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index 048c21d..e29b0bc 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -29,6 +29,7 @@
#include "mbedtls/ssl_cache.h"
#include "ssl_misc.h"
+#include "mbedtls/error.h"
#include <string.h>
@@ -50,7 +51,7 @@
size_t session_id_len,
mbedtls_ssl_cache_entry **dst)
{
- int ret = 1;
+ int ret = MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND;
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t t = mbedtls_time(NULL);
#endif
@@ -87,7 +88,7 @@
size_t session_id_len,
mbedtls_ssl_session *session)
{
- int ret = 1;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
mbedtls_ssl_cache_entry *entry;
@@ -197,7 +198,7 @@
/* Create new entry */
cur = mbedtls_calloc(1, sizeof(mbedtls_ssl_cache_entry));
if (cur == NULL) {
- return 1;
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
/* Append to the end of the linked list. */
@@ -218,12 +219,13 @@
if (old == NULL) {
/* This should only happen on an ill-configured cache
* with max_entries == 0. */
- return 1;
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#else /* MBEDTLS_HAVE_TIME */
/* Reuse first entry in chain, but move to last place. */
if (cache->chain == NULL) {
- return 1;
+ /* This should never happen */
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
old = cache->chain;
@@ -259,7 +261,7 @@
size_t session_id_len,
const mbedtls_ssl_session *session)
{
- int ret = 1;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
mbedtls_ssl_cache_entry *cur;
@@ -283,7 +285,6 @@
* and allocate a sufficiently large buffer. */
ret = mbedtls_ssl_session_save(session, NULL, 0, &session_serialized_len);
if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
- ret = 1;
goto exit;
}
@@ -303,7 +304,7 @@
}
if (session_id_len > sizeof(cur->session_id)) {
- ret = 1;
+ ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
goto exit;
}
cur->session_id_len = session_id_len;
@@ -335,7 +336,7 @@
unsigned char const *session_id,
size_t session_id_len)
{
- int ret = 1;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
mbedtls_ssl_cache_entry *entry;
mbedtls_ssl_cache_entry *prev;
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 1fbf045..5a2c30f 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
@@ -45,13 +47,13 @@
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_MD_CAN_SHA1)
+ !defined(MBEDTLS_SHA1_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or "
- "MBEDTLS_CTR_DRBG_C not defined.\n");
+ "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n");
mbedtls_exit(0);
}
#else
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index 66f7d6f..c940be0 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
@@ -45,13 +47,13 @@
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
- !defined(MBEDTLS_MD_CAN_SHA1)
+ !defined(MBEDTLS_SHA1_C)
int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or "
- "MBEDTLS_CTR_DRBG_C not defined.\n");
+ "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n");
mbedtls_exit(0);
}
#else
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index f3bcdb2..82cb6a1 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
@@ -38,7 +40,6 @@
#include "mbedtls/error.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/md.h"
#include "mbedtls/pk.h"
#include <stdio.h>
diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c
index e24f27f..0c549e0 100644
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_PK_PARSE_C) || \
@@ -34,7 +36,6 @@
#else
#include "mbedtls/error.h"
-#include "mbedtls/md.h"
#include "mbedtls/pk.h"
#include <stdio.h>
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index 051db07..64375e9 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
@@ -34,7 +36,6 @@
#else
#include "mbedtls/rsa.h"
-#include "mbedtls/md.h"
#include <stdio.h>
#include <string.h>
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c
index 4fa3582..03882cd 100644
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
@@ -37,7 +39,6 @@
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/md.h"
#include "mbedtls/rsa.h"
#include "mbedtls/pk.h"
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index e17d776..d525010 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
@@ -34,7 +36,6 @@
#else
#include "mbedtls/rsa.h"
-#include "mbedtls/md.h"
#include <stdio.h>
#include <string.h>
diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c
index bbd8c17..e21e927 100644
--- a/programs/pkey/rsa_verify_pss.c
+++ b/programs/pkey/rsa_verify_pss.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
@@ -38,7 +40,6 @@
#include "mbedtls/md.h"
#include "mbedtls/pem.h"
#include "mbedtls/pk.h"
-#include "mbedtls/md.h"
#include <stdio.h>
#include <string.h>
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b2bd8b8..9eb23ca 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -671,7 +671,7 @@
#if defined(MBEDTLS_HAVE_TIME)
int cache_timeout; /* expiration delay of session cache entries*/
#endif
- int cache_remove; /* enable / disable cache removement */
+ int cache_remove; /* enable / disable cache entry removal */
char *sni; /* string describing sni information */
const char *curves; /* list of supported elliptic curves */
const char *sig_algs; /* supported TLS 1.3 signature algorithms */
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 01d09bc..396aaf3 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 99ede78..a822684 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -20,6 +20,8 @@
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
+/* md.h is included this early since MD_CAN_XXX macros are defined there. */
+#include "mbedtls/md.h"
#if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
@@ -41,7 +43,6 @@
#include "mbedtls/oid.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/md.h"
#include "mbedtls/error.h"
#include "test/helpers.h"
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index e7503c7..572b6cb 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -130,6 +130,9 @@
#endif
} mbedtls_test_handshake_test_options;
+/*
+ * Buffer structure for custom I/O callbacks.
+ */
typedef struct mbedtls_test_ssl_buffer {
size_t start;
size_t content_length;
@@ -311,13 +314,13 @@
/*
* Setup and teardown functions for mock sockets.
*/
-void mbedtls_mock_socket_init(mbedtls_test_mock_socket *socket);
+void mbedtls_test_mock_socket_init(mbedtls_test_mock_socket *socket);
/*
* Closes the socket \p socket.
*
* \p socket must have been previously initialized by calling
- * mbedtls_mock_socket_init().
+ * mbedtls_test_mock_socket_init().
*
* This function frees all allocated resources and both sockets are aware of the
* new connection state.
@@ -332,7 +335,7 @@
* Establishes a connection between \p peer1 and \p peer2.
*
* \p peer1 and \p peer2 must have been previously initialized by calling
- * mbedtls_mock_socket_init().
+ * mbedtls_test_mock_socket_init().
*
* The capacities of the internal buffers are set to \p bufsize. Setting this to
* the correct value allows for simulation of MTU, sanity testing the mock
@@ -374,7 +377,8 @@
int mbedtls_test_message_socket_setup(
mbedtls_test_ssl_message_queue *queue_input,
mbedtls_test_ssl_message_queue *queue_output,
- size_t queue_capacity, mbedtls_test_mock_socket *socket,
+ size_t queue_capacity,
+ mbedtls_test_mock_socket *socket,
mbedtls_test_message_socket_context *ctx);
/*
@@ -411,8 +415,7 @@
* mbedtls_test_mock_tcp_recv_b failed.
*
* This function will also return any error other than
- * MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED from
- * mbedtls_test_message_queue_peek_info.
+ * MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED from test_ssl_message_queue_peek_info.
*/
int mbedtls_test_mock_tcp_recv_msg(void *ctx,
unsigned char *buf, size_t buf_len);
@@ -488,6 +491,12 @@
} \
} while (0)
+#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
+#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_IN_LEN_MAX
+#else
+#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_OUT_LEN_MAX
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_AES_C)
int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
@@ -544,10 +553,11 @@
*
* \retval 0 on success, otherwise error code.
*/
-int mbedtls_exchange_data(mbedtls_ssl_context *ssl_1,
- int msg_len_1, const int expected_fragments_1,
- mbedtls_ssl_context *ssl_2,
- int msg_len_2, const int expected_fragments_2);
+int mbedtls_test_ssl_exchange_data(
+ mbedtls_ssl_context *ssl_1,
+ int msg_len_1, const int expected_fragments_1,
+ mbedtls_ssl_context *ssl_2,
+ int msg_len_2, const int expected_fragments_2);
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
void mbedtls_test_ssl_perform_handshake(
@@ -566,7 +576,7 @@
* is expected to fail. All zeroes if no
* MBEDTLS_SSL_CHK_BUF_READ_PTR failure is expected.
*/
-int tweak_tls13_certificate_msg_vector_len(
+int mbedtls_test_tweak_tls13_certificate_msg_vector_len(
unsigned char *buf, unsigned char **end, int tweak,
int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args);
#endif /* MBEDTLS_TEST_HOOKS */
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 08956e8..e79d152 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -124,10 +124,6 @@
}
#endif /* MBEDTLS_TEST_HOOKS */
-/*
- * Buffer structure for custom I/O callbacks.
- */
-
void mbedtls_test_ssl_buffer_init(mbedtls_test_ssl_buffer *buf)
{
memset(buf, 0, sizeof(*buf));
@@ -233,8 +229,8 @@
return (output_len > INT_MAX) ? INT_MAX : (int) output_len;
}
-int mbedtls_test_ssl_message_queue_setup(mbedtls_test_ssl_message_queue *queue,
- size_t capacity)
+int mbedtls_test_ssl_message_queue_setup(
+ mbedtls_test_ssl_message_queue *queue, size_t capacity)
{
queue->messages = (size_t *) mbedtls_calloc(capacity, sizeof(size_t));
if (NULL == queue->messages) {
@@ -248,7 +244,8 @@
return 0;
}
-void mbedtls_test_ssl_message_queue_free(mbedtls_test_ssl_message_queue *queue)
+void mbedtls_test_ssl_message_queue_free(
+ mbedtls_test_ssl_message_queue *queue)
{
if (queue == NULL) {
return;
@@ -315,8 +312,9 @@
* set to the full message length so that the
* caller knows what portion of the message can be dropped.
*/
-int mbedtls_test_message_queue_peek_info(mbedtls_test_ssl_message_queue *queue,
- size_t buf_len, size_t *msg_len)
+static int test_ssl_message_queue_peek_info(
+ mbedtls_test_ssl_message_queue *queue,
+ size_t buf_len, size_t *msg_len)
{
if (queue == NULL || msg_len == NULL) {
return MBEDTLS_TEST_ERROR_ARG_NULL;
@@ -329,7 +327,7 @@
return (*msg_len > buf_len) ? MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED : 0;
}
-void mbedtls_mock_socket_init(mbedtls_test_mock_socket *socket)
+void mbedtls_test_mock_socket_init(mbedtls_test_mock_socket *socket)
{
memset(socket, 0, sizeof(*socket));
}
@@ -459,7 +457,8 @@
return mbedtls_test_ssl_buffer_get(socket->input, buf, len);
}
-void mbedtls_test_message_socket_init(mbedtls_test_message_socket_context *ctx)
+void mbedtls_test_message_socket_init(
+ mbedtls_test_message_socket_context *ctx)
{
ctx->queue_input = NULL;
ctx->queue_output = NULL;
@@ -480,12 +479,13 @@
ctx->queue_input = queue_input;
ctx->queue_output = queue_output;
ctx->socket = socket;
- mbedtls_mock_socket_init(socket);
+ mbedtls_test_mock_socket_init(socket);
return 0;
}
-void mbedtls_test_message_socket_close(mbedtls_test_message_socket_context *ctx)
+void mbedtls_test_message_socket_close(
+ mbedtls_test_message_socket_context *ctx)
{
if (ctx == NULL) {
return;
@@ -544,7 +544,7 @@
/* Peek first, so that in case of a socket error the data remains in
* the queue. */
- ret = mbedtls_test_message_queue_peek_info(queue, buf_len, &msg_len);
+ ret = test_ssl_message_queue_peek_info(queue, buf_len, &msg_len);
if (ret == MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED) {
/* Calculate how much to drop */
drop_len = msg_len - buf_len;
@@ -578,7 +578,7 @@
/*
* Deinitializes certificates from endpoint represented by \p ep.
*/
-void mbedtls_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep)
+static void test_ssl_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep)
{
mbedtls_test_ssl_endpoint_certificate *cert = &(ep->cert);
if (cert != NULL) {
@@ -730,7 +730,7 @@
exit:
if (ret != 0) {
- mbedtls_endpoint_certificate_free(ep);
+ test_ssl_endpoint_certificate_free(ep);
}
return ret;
@@ -781,7 +781,7 @@
100, &(ep->socket),
dtls_context) == 0);
} else {
- mbedtls_mock_socket_init(&(ep->socket));
+ mbedtls_test_mock_socket_init(&(ep->socket));
}
/* Non-blocking callbacks without timeout */
@@ -868,7 +868,7 @@
mbedtls_test_ssl_endpoint *ep,
mbedtls_test_message_socket_context *context)
{
- mbedtls_endpoint_certificate_free(ep);
+ test_ssl_endpoint_certificate_free(ep);
mbedtls_ssl_free(&(ep->ssl));
mbedtls_ssl_config_free(&(ep->conf));
@@ -941,7 +941,7 @@
/* Used for DTLS and the message size larger than MFL. In that case
* the message can not be fragmented and the library should return
* MBEDTLS_ERR_SSL_BAD_INPUT_DATA error. This error must be returned
- * to prevent a dead loop inside mbedtls_exchange_data(). */
+ * to prevent a dead loop inside mbedtls_test_ssl_exchange_data(). */
return ret;
} else if (expected_fragments == 1) {
/* Used for TLS/DTLS and the message size lower than MFL */
@@ -1004,8 +1004,9 @@
return -1;
}
-void set_ciphersuite(mbedtls_ssl_config *conf, const char *cipher,
- int *forced_ciphersuite)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+static void set_ciphersuite(mbedtls_ssl_config *conf, const char *cipher,
+ int *forced_ciphersuite)
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
forced_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(cipher);
@@ -1030,9 +1031,13 @@
exit:
return;
}
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
- const unsigned char *name, size_t name_len)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \
+ defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
+ defined(MBEDTLS_SSL_SRV_C)
+static int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
+ const unsigned char *name, size_t name_len)
{
(void) p_info;
(void) ssl;
@@ -1041,12 +1046,9 @@
return 0;
}
-
-#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
-#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_IN_LEN_MAX
-#else
-#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_OUT_LEN_MAX
-#endif
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED &&
+ MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
+ MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_AES_C)
@@ -1600,10 +1602,11 @@
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-int mbedtls_exchange_data(mbedtls_ssl_context *ssl_1,
- int msg_len_1, const int expected_fragments_1,
- mbedtls_ssl_context *ssl_2,
- int msg_len_2, const int expected_fragments_2)
+int mbedtls_test_ssl_exchange_data(
+ mbedtls_ssl_context *ssl_1,
+ int msg_len_1, const int expected_fragments_1,
+ mbedtls_ssl_context *ssl_2,
+ int msg_len_2, const int expected_fragments_2)
{
unsigned char *msg_buf_1 = malloc(msg_len_1);
unsigned char *msg_buf_2 = malloc(msg_len_2);
@@ -1709,12 +1712,18 @@
*
* \retval 0 on success, otherwise error code.
*/
-int exchange_data(mbedtls_ssl_context *ssl_1,
- mbedtls_ssl_context *ssl_2)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \
+ (defined(MBEDTLS_SSL_RENEGOTIATION) || \
+ defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH))
+static int exchange_data(mbedtls_ssl_context *ssl_1,
+ mbedtls_ssl_context *ssl_2)
{
- return mbedtls_exchange_data(ssl_1, 256, 1,
- ssl_2, 256, 1);
+ return mbedtls_test_ssl_exchange_data(ssl_1, 256, 1,
+ ssl_2, 256, 1);
}
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED &&
+ (MBEDTLS_SSL_RENEGOTIATION ||
+ MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
static int check_ssl_version(
@@ -1755,7 +1764,6 @@
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
void mbedtls_test_ssl_perform_handshake(
mbedtls_test_handshake_test_options *options)
@@ -1964,10 +1972,11 @@
if (options->cli_msg_len != 0 || options->srv_msg_len != 0) {
/* Start data exchanging test */
- TEST_ASSERT(mbedtls_exchange_data(&(client.ssl), options->cli_msg_len,
- options->expected_cli_fragments,
- &(server.ssl), options->srv_msg_len,
- options->expected_srv_fragments)
+ TEST_ASSERT(mbedtls_test_ssl_exchange_data(
+ &(client.ssl), options->cli_msg_len,
+ options->expected_cli_fragments,
+ &(server.ssl), options->srv_msg_len,
+ options->expected_srv_fragments)
== 0);
}
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
@@ -2024,12 +2033,10 @@
#endif
/* Retest writing/reading */
if (options->cli_msg_len != 0 || options->srv_msg_len != 0) {
- TEST_ASSERT(mbedtls_exchange_data(
- &(client.ssl),
- options->cli_msg_len,
+ TEST_ASSERT(mbedtls_test_ssl_exchange_data(
+ &(client.ssl), options->cli_msg_len,
options->expected_cli_fragments,
- &(server.ssl),
- options->srv_msg_len,
+ &(server.ssl), options->srv_msg_len,
options->expected_srv_fragments)
== 0);
}
@@ -2126,7 +2133,7 @@
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_TEST_HOOKS)
-int tweak_tls13_certificate_msg_vector_len(
+int mbedtls_test_tweak_tls13_certificate_msg_vector_len(
unsigned char *buf, unsigned char **end, int tweak,
int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args)
{
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index 1a6858f..d7c2d0b 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -101,6 +101,7 @@
mbedtls_pk_context ctx;
int res;
+ USE_PSA_INIT();
mbedtls_pk_init(&ctx);
res = mbedtls_pk_parse_keyfile(&ctx, key_file, password,
@@ -117,6 +118,7 @@
exit:
mbedtls_pk_free(&ctx);
+ USE_PSA_DONE();
}
/* END_CASE */
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 68c5878..e9efebf 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -209,17 +209,17 @@
unsigned char received[MSGLEN] = { 0 };
mbedtls_test_mock_socket socket;
- mbedtls_mock_socket_init(&socket);
+ mbedtls_test_mock_socket_init(&socket);
TEST_ASSERT(mbedtls_test_mock_tcp_send_b(&socket, message, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);
- mbedtls_mock_socket_init(&socket);
+ mbedtls_test_mock_socket_init(&socket);
TEST_ASSERT(mbedtls_test_mock_tcp_recv_b(&socket, received, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);
- mbedtls_mock_socket_init(&socket);
+ mbedtls_test_mock_socket_init(&socket);
TEST_ASSERT(mbedtls_test_mock_tcp_send_nb(&socket, message, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);
- mbedtls_mock_socket_init(&socket);
+ mbedtls_test_mock_socket_init(&socket);
TEST_ASSERT(mbedtls_test_mock_tcp_recv_nb(&socket, received, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);
@@ -257,8 +257,8 @@
recv = mbedtls_test_mock_tcp_recv_b;
}
- mbedtls_mock_socket_init(&client);
- mbedtls_mock_socket_init(&server);
+ mbedtls_test_mock_socket_init(&client);
+ mbedtls_test_mock_socket_init(&server);
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
@@ -355,8 +355,8 @@
recv = mbedtls_test_mock_tcp_recv_b;
}
- mbedtls_mock_socket_init(&client);
- mbedtls_mock_socket_init(&server);
+ mbedtls_test_mock_socket_init(&client);
+ mbedtls_test_mock_socket_init(&server);
/* Fill up the buffers with structured data so that unwanted changes
* can be detected */
@@ -3153,10 +3153,11 @@
server.ssl.session_negotiate->id_len = 33;
if (options.cli_msg_len != 0 || options.srv_msg_len != 0) {
/* Start data exchanging test */
- TEST_ASSERT(mbedtls_exchange_data(&(client.ssl), options.cli_msg_len,
- options.expected_cli_fragments,
- &(server.ssl), options.srv_msg_len,
- options.expected_srv_fragments)
+ TEST_ASSERT(mbedtls_test_ssl_exchange_data(
+ &(client.ssl), options.cli_msg_len,
+ options.expected_cli_fragments,
+ &(server.ssl), options.srv_msg_len,
+ options.expected_srv_fragments)
== 0);
}
@@ -3431,7 +3432,7 @@
* Tweak server Certificate message and parse it.
*/
- ret = tweak_tls13_certificate_msg_vector_len(
+ ret = mbedtls_test_tweak_tls13_certificate_msg_vector_len(
buf, &end, step, &expected_result, &expected_chk_buf_ptr_args);
if (ret != 0) {