Merge pull request #9094 from davidhorstmann-arm/move-mbedtls-dev-to-framework
Move `mbedtls_dev` to framework submodule
diff --git a/.gitignore b/.gitignore
index 4f29d5b..12c775d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,3 +67,6 @@
compile_commands.json
# clangd index files
/.cache/clangd/index/
+
+# VScode folder to store local debug files and configurations
+.vscode
diff --git a/ChangeLog.d/pk-norsa-warning.txt b/ChangeLog.d/pk-norsa-warning.txt
new file mode 100644
index 0000000..d00aa8a
--- /dev/null
+++ b/ChangeLog.d/pk-norsa-warning.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h
index 19e09d9..be785b7 100644
--- a/configs/config-ccm-psk-dtls1_2.h
+++ b/configs/config-ccm-psk-dtls1_2.h
@@ -23,19 +23,20 @@
* See README.txt for usage instructions.
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
//#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */
/* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_MD_C
#define MBEDTLS_NET_C
-#define MBEDTLS_SHA256_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_SRV_C
@@ -81,11 +82,6 @@
*/
#define MBEDTLS_ENTROPY_MAX_SOURCES 2
-/* These defines are present so that the config modifying scripts can enable
- * them during tests/scripts/test-ref-configs.pl */
-//#define MBEDTLS_USE_PSA_CRYPTO
-//#define MBEDTLS_PSA_CRYPTO_C
-
/* Error messages and TLS debugging traces
* (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index d49adfd..d8f4f9c 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -22,19 +22,20 @@
* See README.txt for usage instructions.
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
//#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */
/* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_MD_C
#define MBEDTLS_NET_C
-#define MBEDTLS_SHA256_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
@@ -72,11 +73,6 @@
*/
#define MBEDTLS_ENTROPY_MAX_SOURCES 2
-/* These defines are present so that the config modifying scripts can enable
- * them during tests/scripts/test-ref-configs.pl */
-//#define MBEDTLS_USE_PSA_CRYPTO
-//#define MBEDTLS_PSA_CRYPTO_C
-
/* Error messages and TLS debugging traces
* (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index 9bba6e6..cdea16e 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -21,36 +21,29 @@
* See README.txt for usage instructions.
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
#define MBEDTLS_HAVE_ASM
#define MBEDTLS_HAVE_TIME
/* Mbed TLS feature support */
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_2
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ECDH_C
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_GCM_C
-#define MBEDTLS_MD_C
#define MBEDTLS_NET_C
#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_SHA384_C
-#define MBEDTLS_SHA512_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
@@ -95,11 +88,6 @@
#define MBEDTLS_SSL_IN_CONTENT_LEN 1024
#define MBEDTLS_SSL_OUT_CONTENT_LEN 1024
-/* These defines are present so that the config modifying scripts can enable
- * them during tests/scripts/test-ref-configs.pl */
-//#define MBEDTLS_USE_PSA_CRYPTO
-//#define MBEDTLS_PSA_CRYPTO_C
-
/* Error messages and TLS debugging traces
* (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h
index 512dd76..13e4d26 100644
--- a/configs/config-symmetric-only.h
+++ b/configs/config-symmetric-only.h
@@ -8,70 +8,43 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-symmetric-only.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
//#define MBEDTLS_HAVE_ASM
#define MBEDTLS_HAVE_TIME
#define MBEDTLS_HAVE_TIME_DATE
/* Mbed TLS feature support */
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_CIPHER_MODE_CFB
-#define MBEDTLS_CIPHER_MODE_CTR
-#define MBEDTLS_CIPHER_MODE_OFB
-#define MBEDTLS_CIPHER_MODE_XTS
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
-#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
-#define MBEDTLS_CIPHER_PADDING_ZEROS
#define MBEDTLS_ERROR_STRERROR_DUMMY
#define MBEDTLS_FS_IO
#define MBEDTLS_ENTROPY_NV_SEED
#define MBEDTLS_SELF_TEST
-#define MBEDTLS_USE_PSA_CRYPTO
#define MBEDTLS_VERSION_FEATURES
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
-#define MBEDTLS_CAMELLIA_C
-#define MBEDTLS_ARIA_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CHACHA20_C
-#define MBEDTLS_CHACHAPOLY_C
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_CMAC_C
#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_DES_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_ERROR_C
-#define MBEDTLS_GCM_C
-#define MBEDTLS_HKDF_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_NIST_KW_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_MD5_C
#define MBEDTLS_OID_C
#define MBEDTLS_PEM_PARSE_C
#define MBEDTLS_PEM_WRITE_C
#define MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS12_C
#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_POLY1305_C
-#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_PSA_CRYPTO_SE_C
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
#define MBEDTLS_PSA_ITS_FILE_C
-#define MBEDTLS_RIPEMD160_C
-#define MBEDTLS_SHA1_C
-/* The library does not currently support enabling SHA-224 without SHA-256.
- * A future version of the library will have this option disabled
- * by default. */
-#define MBEDTLS_SHA224_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_SHA384_C
-#define MBEDTLS_SHA512_C
+
//#define MBEDTLS_THREADING_C
#define MBEDTLS_TIMING_C
#define MBEDTLS_VERSION_C
diff --git a/configs/config-thread.h b/configs/config-thread.h
index 2f81f90..160aded 100644
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@@ -17,15 +17,21 @@
* - no X.509
* - support for experimental EC J-PAKE key exchange
*
+ * To be used in conjunction with configs/crypto-config-thread.h.
* See README.txt for usage instructions.
*/
+#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-thread.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* System support */
#define MBEDTLS_HAVE_ASM
/* Mbed TLS feature support */
#define MBEDTLS_AES_ROM_TABLES
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_NIST_OPTIM
#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
@@ -35,23 +41,15 @@
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
/* Mbed TLS modules */
-#define MBEDTLS_AES_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_CMAC_C
-#define MBEDTLS_ECJPAKE_C
-#define MBEDTLS_ECP_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_MD_C
#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_SHA256_C
#define MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
@@ -69,8 +67,3 @@
/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
-
-/* These defines are present so that the config modifying scripts can enable
- * them during tests/scripts/test-ref-configs.pl */
-//#define MBEDTLS_USE_PSA_CRYPTO
-//#define MBEDTLS_PSA_CRYPTO_C
diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h
index 7f8d587..68a9c0a 100644
--- a/configs/crypto-config-ccm-aes-sha256.h
+++ b/configs/crypto-config-ccm-aes-sha256.h
@@ -2,7 +2,7 @@
* \file configs/crypto-config-ccm-aes-sha256.h
*
* \brief PSA crypto configuration with only symmetric cryptography: CCM-AES,
- * SHA-256, HMAC and key derivation
+ * SHA-256 and key derivation (uses HMAC).
*/
/*
* Copyright The Mbed TLS Contributors
@@ -13,12 +13,10 @@
#define PSA_CRYPTO_CONFIG_H
#define PSA_WANT_ALG_CCM 1
-#define PSA_WANT_ALG_HMAC 1
#define PSA_WANT_ALG_SHA_256 1
#define PSA_WANT_ALG_TLS12_PRF 1
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
#define PSA_WANT_KEY_TYPE_DERIVE 1
-#define PSA_WANT_KEY_TYPE_HMAC 1
#define PSA_WANT_KEY_TYPE_AES 1
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h
new file mode 100644
index 0000000..f4928e2
--- /dev/null
+++ b/configs/crypto-config-ccm-psk-tls1_2.h
@@ -0,0 +1,25 @@
+/**
+ * \file crypto-config-ccm-psk-tls1_2.h
+ *
+ * \brief Minimal crypto configuration for TLS 1.2 with
+ * PSK and AES-CCM ciphersuites
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * To be used in conjunction with configs/config-ccm-psk-tls1_2.h
+ * or configs/config-ccm-psk-dtls1_2.h. */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_CCM 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h
new file mode 100644
index 0000000..ec20919
--- /dev/null
+++ b/configs/crypto-config-suite-b.h
@@ -0,0 +1,41 @@
+/**
+ * \file crypto-config-symmetric-only.h
+ *
+ * \brief \brief Minimal crypto configuration for
+ * TLS NSA Suite B Profile (RFC 6460).
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * Minimal crypto configuration for TLS NSA Suite B Profile (RFC 6460)
+ *
+ * Distinguishing features:
+ * - no RSA or classic DH, fully based on ECC
+ * - optimized for low RAM usage
+ *
+ * Possible improvements:
+ * - if 128-bit security is enough, disable secp384r1 and SHA-512
+ *
+ * To be used in conjunction with configs/config-suite-b.h. */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_ECDH 1
+#define PSA_WANT_ALG_ECDSA 1
+#define PSA_WANT_ALG_GCM 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_SHA_384 1
+#define PSA_WANT_ALG_SHA_512 1
+#define PSA_WANT_ECC_SECP_R1_256 1
+#define PSA_WANT_ECC_SECP_R1_384 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h
new file mode 100644
index 0000000..5d6bf85
--- /dev/null
+++ b/configs/crypto-config-symmetric-only.h
@@ -0,0 +1,58 @@
+/**
+ * \file crypto-config-symmetric-only.h
+ *
+ * \brief Crypto configuration without any asymmetric cryptography.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * To be used in conjunction with configs/config-symmetric-only.h. */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_CBC_NO_PADDING 1
+#define PSA_WANT_ALG_CBC_PKCS7 1
+#define PSA_WANT_ALG_CCM 1
+#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
+#define PSA_WANT_ALG_CFB 1
+#define PSA_WANT_ALG_CHACHA20_POLY1305 1
+#define PSA_WANT_ALG_CMAC 1
+#define PSA_WANT_ALG_CTR 1
+#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_GCM 1
+#define PSA_WANT_ALG_HKDF 1
+#define PSA_WANT_ALG_HKDF_EXTRACT 1
+#define PSA_WANT_ALG_HKDF_EXPAND 1
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_ALG_MD5 1
+#define PSA_WANT_ALG_OFB 1
+#define PSA_WANT_ALG_RIPEMD160 1
+#define PSA_WANT_ALG_SHA_1 1
+#define PSA_WANT_ALG_STREAM_CIPHER 1
+#define PSA_WANT_ALG_SHA_224 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_SHA_384 1
+#define PSA_WANT_ALG_SHA_512 1
+#define PSA_WANT_ALG_SHA3_224 1
+#define PSA_WANT_ALG_SHA3_256 1
+#define PSA_WANT_ALG_SHA3_384 1
+#define PSA_WANT_ALG_SHA3_512 1
+#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+
+/* XTS is not yet supported via the PSA API in Mbed TLS. */
+//#define PSA_WANT_ALG_XTS 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_KEY_TYPE_ARIA 1
+#define PSA_WANT_KEY_TYPE_CAMELLIA 1
+#define PSA_WANT_KEY_TYPE_CHACHA20 1
+#define PSA_WANT_KEY_TYPE_DES 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+
+#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h
new file mode 100644
index 0000000..3c5fe24
--- /dev/null
+++ b/configs/crypto-config-thread.h
@@ -0,0 +1,47 @@
+/**
+ * \file crypto-config-thread.h
+ *
+ * \brief Minimal crypto configuration for using TLS as part of Thread
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * Minimal crypto configuration for using TLS as part of Thread
+ * http://threadgroup.org/
+ *
+ * Distinguishing features:
+ * - no RSA or classic DH, fully based on ECC
+ * - no X.509
+ * - support for experimental EC J-PAKE key exchange
+ * - support for PBKDF2-AES-CMAC-PRF-128 password-hashing or key-stretching
+ * algorithm.
+ *
+ * To be used in conjunction with configs/config-thread.h.
+ * See README.txt for usage instructions.
+ */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_CCM 1
+#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_ALG_JPAKE 1
+#define PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 1
+#define PSA_WANT_ALG_SHA_256 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
+#define PSA_WANT_ECC_SECP_R1_256 1
+
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_KEY_TYPE_DERIVE 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#define PSA_WANT_KEY_TYPE_RAW_DATA 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+
+#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md
index 4095d8e..5d950b0 100644
--- a/docs/driver-only-builds.md
+++ b/docs/driver-only-builds.md
@@ -277,6 +277,11 @@
`[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and
removing builtin support (i.e. `MBEDTLS_DHM_C`).
+Note that the PSA API only supports FFDH with RFC 7919 groups, whereas the
+Mbed TLS legacy API supports custom groups. As a consequence, the TLS layer
+of Mbed TLS only supports DHE cipher suites if built-in FFDH
+(`MBEDTLS_DHM_C`) is present, even when `MBEDTLS_USE_PSA_CRYPTO` is enabled.
+
RSA
---
diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h
index 0091e24..0e4759d 100644
--- a/include/mbedtls/config_adjust_legacy_from_psa.h
+++ b/include/mbedtls/config_adjust_legacy_from_psa.h
@@ -498,7 +498,6 @@
* The PSA implementation has its own implementation of HKDF, separate from
* hkdf.c. No need to enable MBEDTLS_HKDF_C here.
*/
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
#endif /* PSA_WANT_ALG_HKDF */
@@ -509,7 +508,6 @@
* The PSA implementation has its own implementation of HKDF, separate from
* hkdf.c. No need to enable MBEDTLS_HKDF_C here.
*/
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */
#endif /* PSA_WANT_ALG_HKDF_EXTRACT */
@@ -520,7 +518,6 @@
* The PSA implementation has its own implementation of HKDF, separate from
* hkdf.c. No need to enable MBEDTLS_HKDF_C here.
*/
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */
#endif /* PSA_WANT_ALG_HKDF_EXPAND */
@@ -630,9 +627,6 @@
#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)
#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1
#define PSA_HAVE_SOFT_PBKDF2_HMAC 1
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
#endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 17da61b..de961ec 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -22,6 +22,8 @@
#include "psa/crypto_adjust_config_synonyms.h"
+#include "psa/crypto_adjust_config_dependencies.h"
+
#include "mbedtls/config_adjust_psa_superset_legacy.h"
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h
new file mode 100644
index 0000000..5a22205
--- /dev/null
+++ b/include/psa/crypto_adjust_config_dependencies.h
@@ -0,0 +1,43 @@
+/**
+ * \file psa/crypto_adjust_config_dependencies.h
+ * \brief Adjust PSA configuration by resolving some dependencies.
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * See docs/proposed/psa-conditional-inclusion-c.md.
+ * If the Mbed TLS implementation of a cryptographic mechanism A depends on a
+ * cryptographic mechanism B then if the cryptographic mechanism A is enabled
+ * and not accelerated enable B. Note that if A is enabled and accelerated, it
+ * is not necessary to enable B for A support.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
+#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
+
+#if (defined(PSA_WANT_ALG_TLS12_PRF) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)) || \
+ (defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)) || \
+ (defined(PSA_WANT_ALG_HKDF) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)) || \
+ (defined(PSA_WANT_ALG_HKDF_EXTRACT) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)) || \
+ (defined(PSA_WANT_ALG_HKDF_EXPAND) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)) || \
+ (defined(PSA_WANT_ALG_PBKDF2_HMAC) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC))
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#endif
+
+#if (defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) && \
+ !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128))
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_ALG_CMAC 1
+#endif
+
+#endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */
diff --git a/library/pk.c b/library/pk.c
index e33a243..3fe51ea 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -868,7 +868,6 @@
psa_status_t status;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
- psa_algorithm_t alg_type;
size_t key_bits;
/* Use a buffer size large enough to contain either a key pair or public key. */
unsigned char exp_key[PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE];
@@ -899,7 +898,6 @@
key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(key_type);
}
key_bits = psa_get_key_bits(&key_attr);
- alg_type = psa_get_key_algorithm(&key_attr);
#if defined(MBEDTLS_RSA_C)
if ((key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) ||
@@ -919,6 +917,7 @@
goto exit;
}
+ psa_algorithm_t alg_type = psa_get_key_algorithm(&key_attr);
mbedtls_md_type_t md_type = MBEDTLS_MD_NONE;
if (PSA_ALG_GET_HASH(alg_type) != PSA_ALG_ANY_HASH) {
md_type = mbedtls_md_type_from_psa_alg(alg_type);
diff --git a/tests/.gitignore b/tests/.gitignore
index 973ebb5..838ea69 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -21,4 +21,6 @@
/suites/*.generated.data
/suites/test_suite_psa_crypto_storage_format.v[0-9]*.data
/suites/test_suite_psa_crypto_storage_format.current.data
+/src/test_keys.h
+/src/test_certs.h
###END_GENERATED_FILES###
diff --git a/tests/Makefile b/tests/Makefile
index 3d7a605..b7429ac 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -182,6 +182,7 @@
rm -f include/test/instrument_record_status.h
rm -f include/alt-extra/*/*_alt.h
rm -rf libtestdriver1
+ rm -rf libpsaclient libpsaserver
rm -f ../library/libtestdriver1.a
else
if exist *.c del /Q /F *.c
diff --git a/tests/psa-client-server/psasim/Makefile b/tests/psa-client-server/psasim/Makefile
index a84483c..db0c412 100644
--- a/tests/psa-client-server/psasim/Makefile
+++ b/tests/psa-client-server/psasim/Makefile
@@ -1,23 +1,62 @@
-CFLAGS ?= -Wall -Werror -std=c99 -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L
+CFLAGS += -Wall -Werror -std=c99 -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L
ifeq ($(DEBUG),1)
- CFLAGS += -DDEBUG -O0 -g
+CFLAGS += -DDEBUG -O0 -g
endif
-.PHONY: all lib test run
+LIBPSACLIENT := -Llibpsaclient/ -lmbedcrypto -lmbedx509 -lmbedtls
+LIBPSASERVER := -Llibpsaserver/ -lmbedcrypto
-all: lib test
+MBEDTLS_ROOT_PATH = ../../..
+COMMON_INCLUDE := -I./include -I$(MBEDTLS_ROOT_PATH)/include
-lib:
- $(MAKE) -C src CFLAGS="$(CFLAGS)"
+TEST_BIN = test/psa_client \
+ test/psa_partition
-test: lib
- $(MAKE) -C test CFLAGS="$(CFLAGS)"
+GENERATED_H_FILES = include/psa_manifest/manifest.h \
+ include/psa_manifest/pid.h \
+ include/psa_manifest/sid.h
+
+PSA_CLIENT_SRC = src/psa_ff_client.c \
+ src/client.c
+
+PARTITION_SERVER_BOOTSTRAP = src/psa_ff_bootstrap_TEST_PARTITION.c
+
+PSA_SERVER_SRC = $(PARTITION_SERVER_BOOTSTRAP) \
+ src/psa_ff_server.c
+
+.PHONY: all clean libpsaclient libpsaserver
+
+all: $(TEST_BIN)
+
+test/seedfile:
+ dd if=/dev/urandom of=./test/seedfile bs=64 count=1
+
+test/psa_client: $(PSA_CLIENT_SRC) $(GENERATED_H_FILES)
+ $(CC) $(COMMON_INCLUDE) $(CFLAGS) $(PSA_CLIENT_SRC) $(LIBPSACLIENT) $(LDFLAGS) -o $@
+
+test/psa_partition: $(PSA_SERVER_SRC) $(GENERATED_H_FILES) test/seedfile
+ $(CC) $(COMMON_INCLUDE) $(CFLAGS) $(PSA_SERVER_SRC) $(LIBPSASERVER) $(LDFLAGS) -o $@
+
+$(PARTITION_SERVER_BOOTSTRAP) $(GENERATED_H_FILES): src/manifest.json src/server.c
+ tools/psa_autogen.py src/manifest.json
+
+# Build MbedTLS libraries (crypto, x509 and tls) and copy them locally to
+# build client/server applications.
+#
+# Note: these rules assume that mbedtls_config.h is already configured by all.sh.
+# If not using all.sh then the user must do it manually.
+libpsaclient libpsaserver:
+ $(MAKE) -C $(MBEDTLS_ROOT_PATH)/library CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" libmbedcrypto.a libmbedx509.a libmbedtls.a
+ mkdir -p $@
+ cp $(MBEDTLS_ROOT_PATH)/library/libmbed*.a $@/
+ $(MAKE) -C $(MBEDTLS_ROOT_PATH) clean
clean:
- rm -f $(PSA_LIB) $(PSA_LIB_OBJS)
- $(MAKE) -C test clean
- $(MAKE) -C src clean
-
-run: test
- cd test && ./run_test.sh
+ rm -f $(TEST_BIN)
+ rm -f $(PARTITION_SERVER_BOOTSTRAP)
+ rm -rf libpsaclient libpsaserver
+ rm -rf include/psa_manifest
+ rm -f test/psa_service_* test/psa_notify_*
+ rm -f test/*.log
+ rm -f test/seedfile
diff --git a/tests/psa-client-server/psasim/include/psa/client.h b/tests/psa-client-server/psasim/include/client.h
similarity index 97%
rename from tests/psa-client-server/psasim/include/psa/client.h
rename to tests/psa-client-server/psasim/include/client.h
index d1af993..d48498e 100644
--- a/tests/psa-client-server/psasim/include/psa/client.h
+++ b/tests/psa-client-server/psasim/include/client.h
@@ -15,7 +15,9 @@
#include <stdint.h>
#include <stddef.h>
-#include "psa/error.h"
+#include "psa/crypto.h"
+
+#include "error_ext.h"
/*********************** PSA Client Macros and Types *************************/
#define PSA_FRAMEWORK_VERSION (0x0100)
diff --git a/tests/psa-client-server/psasim/include/psa/common.h b/tests/psa-client-server/psasim/include/common.h
similarity index 96%
rename from tests/psa-client-server/psasim/include/psa/common.h
rename to tests/psa-client-server/psasim/include/common.h
index d0205d2..ee5b5a3 100644
--- a/tests/psa-client-server/psasim/include/psa/common.h
+++ b/tests/psa-client-server/psasim/include/common.h
@@ -27,7 +27,6 @@
#define NON_SECURE (1 << 30)
-typedef int32_t psa_status_t;
typedef int32_t psa_handle_t;
#define PSA_MAX_IOVEC (4u)
diff --git a/tests/psa-client-server/psasim/include/error_ext.h b/tests/psa-client-server/psasim/include/error_ext.h
new file mode 100644
index 0000000..6c82b8a
--- /dev/null
+++ b/tests/psa-client-server/psasim/include/error_ext.h
@@ -0,0 +1,19 @@
+/* PSA status codes used by psasim. */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_ERROR_H
+#define PSA_ERROR_H
+
+#include <stdint.h>
+
+#include "common.h"
+
+#define PSA_ERROR_PROGRAMMER_ERROR ((psa_status_t) -129)
+#define PSA_ERROR_CONNECTION_REFUSED ((psa_status_t) -130)
+#define PSA_ERROR_CONNECTION_BUSY ((psa_status_t) -131)
+
+#endif
diff --git a/tests/psa-client-server/psasim/include/psasim/init.h b/tests/psa-client-server/psasim/include/init.h
similarity index 94%
rename from tests/psa-client-server/psasim/include/psasim/init.h
rename to tests/psa-client-server/psasim/include/init.h
index 9496fc2..de95d90 100644
--- a/tests/psa-client-server/psasim/include/psasim/init.h
+++ b/tests/psa-client-server/psasim/include/init.h
@@ -6,7 +6,7 @@
*/
#include <stdint.h>
-#include <psa/service.h>
+#include <service.h>
void raise_signal(psa_signal_t signal);
void __init_psasim(const char **array,
int size,
diff --git a/tests/psa-client-server/psasim/include/psa/lifecycle.h b/tests/psa-client-server/psasim/include/lifecycle.h
similarity index 100%
rename from tests/psa-client-server/psasim/include/psa/lifecycle.h
rename to tests/psa-client-server/psasim/include/lifecycle.h
diff --git a/tests/psa-client-server/psasim/include/psa/error.h b/tests/psa-client-server/psasim/include/psa/error.h
deleted file mode 100644
index 44fc0b1..0000000
--- a/tests/psa-client-server/psasim/include/psa/error.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/* PSA status codes used by psasim. */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#ifndef PSA_ERROR_H
-#define PSA_ERROR_H
-
-#include <stdint.h>
-
-#include "psa/common.h"
-
-#define PSA_SUCCESS ((psa_status_t) 0)
-
-#define PSA_ERROR_PROGRAMMER_ERROR ((psa_status_t) -129)
-#define PSA_ERROR_CONNECTION_REFUSED ((psa_status_t) -130)
-#define PSA_ERROR_CONNECTION_BUSY ((psa_status_t) -131)
-#define PSA_ERROR_GENERIC_ERROR ((psa_status_t) -132)
-#define PSA_ERROR_NOT_PERMITTED ((psa_status_t) -133)
-#define PSA_ERROR_NOT_SUPPORTED ((psa_status_t) -134)
-#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t) -135)
-#define PSA_ERROR_INVALID_HANDLE ((psa_status_t) -136)
-#define PSA_ERROR_BAD_STATE ((psa_status_t) -137)
-#define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t) -138)
-#define PSA_ERROR_ALREADY_EXISTS ((psa_status_t) -139)
-#define PSA_ERROR_DOES_NOT_EXIST ((psa_status_t) -140)
-#define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t) -141)
-#define PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t) -142)
-#define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t) -143)
-#define PSA_ERROR_SERVICE_FAILURE ((psa_status_t) -144)
-#define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t) -145)
-#define PSA_ERROR_STORAGE_FAILURE ((psa_status_t) -146)
-#define PSA_ERROR_HARDWARE_FAILURE ((psa_status_t) -147)
-#define PSA_ERROR_INVALID_SIGNATURE ((psa_status_t) -149)
-
-#endif
diff --git a/tests/psa-client-server/psasim/include/psa/service.h b/tests/psa-client-server/psasim/include/service.h
similarity index 99%
rename from tests/psa-client-server/psasim/include/psa/service.h
rename to tests/psa-client-server/psasim/include/service.h
index c8c0024..cbcb918 100644
--- a/tests/psa-client-server/psasim/include/psa/service.h
+++ b/tests/psa-client-server/psasim/include/service.h
@@ -15,7 +15,9 @@
#include <stdint.h>
#include <stddef.h>
-#include "psa/common.h"
+#include "common.h"
+
+#include "psa/crypto.h"
/********************** PSA Secure Partition Macros and Types ****************/
diff --git a/tests/psa-client-server/psasim/include/psa/util.h b/tests/psa-client-server/psasim/include/util.h
similarity index 96%
rename from tests/psa-client-server/psasim/include/psa/util.h
rename to tests/psa-client-server/psasim/include/util.h
index c3669a1..558149f 100644
--- a/tests/psa-client-server/psasim/include/psa/util.h
+++ b/tests/psa-client-server/psasim/include/util.h
@@ -5,7 +5,7 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#include "psa/service.h"
+#include "service.h"
#define PRINT(fmt, ...) \
fprintf(stdout, fmt "\n", ##__VA_ARGS__)
diff --git a/tests/psa-client-server/psasim/src/Makefile b/tests/psa-client-server/psasim/src/Makefile
deleted file mode 100644
index fc6ba25..0000000
--- a/tests/psa-client-server/psasim/src/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-INCLUDE = -I../include/
-PSA_LIB = libpsaff.a
-
-PSA_LIB_OBJS = client.o service.o
-
-.PHONY: all lib
-
-all: $(PSA_LIB)
-
-%.o: %.c
- $(CC) $(INCLUDE) $(CFLAGS) -c $< -o $@
-
-$(PSA_LIB): $(PSA_LIB_OBJS)
- $(AR) rcs $(PSA_LIB) client.o service.o
-
-clean:
- rm -f $(PSA_LIB) $(PSA_LIB_OBJS)
diff --git a/tests/psa-client-server/psasim/src/client.c b/tests/psa-client-server/psasim/src/client.c
index 5a3986e..550a6e8 100644
--- a/tests/psa-client-server/psasim/src/client.c
+++ b/tests/psa-client-server/psasim/src/client.c
@@ -1,392 +1,54 @@
-/* PSA firmware framework client API */
+/* psasim test client */
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#include <stdint.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <assert.h>
#include <stdio.h>
-#include <string.h>
-#include <strings.h>
-#include <inttypes.h>
-#include <sys/types.h>
-#include <sys/ipc.h>
-#include <sys/msg.h>
+#include <unistd.h>
-#include "psa/client.h"
-#include "psa/common.h"
-#include "psa/error.h"
-#include "psa/util.h"
+/* Includes from psasim */
+#include <client.h>
+#include <util.h>
+#include "psa_manifest/sid.h"
+#include "psa_functions_codes.h"
-typedef struct internal_handle {
- int server_qid;
- int client_qid;
- int internal_server_qid;
- int valid;
-} internal_handle_t;
+/* Includes from mbedtls */
+#include "mbedtls/version.h"
+#include "psa/crypto.h"
-typedef struct vectors {
- const psa_invec *in_vec;
- size_t in_len;
- psa_outvec *out_vec;
- size_t out_len;
-} vectors_t;
+#define CLIENT_PRINT(fmt, ...) \
+ PRINT("Client: " fmt, ##__VA_ARGS__)
-/* Note that this implementation is functional and not secure */
-int __psa_ff_client_security_state = NON_SECURE;
-
-/* Access to this global is not thread safe */
-#define MAX_HANDLES 32
-static internal_handle_t handles[MAX_HANDLES] = { { 0 } };
-
-static int get_next_free_handle()
+int main()
{
- /* Never return handle 0 as it's a special null handle */
- for (int i = 1; i < MAX_HANDLES; i++) {
- if (handles[i].valid == 0) {
- return i;
- }
- }
- return -1;
-}
+ char mbedtls_version[18];
+ // psa_invec invecs[1];
+ // psa_outvec outvecs[1];
+ psa_status_t status;
-static int handle_is_valid(psa_handle_t handle)
-{
- if (handle > 0 && handle < MAX_HANDLES) {
- if (handles[handle].valid == 1) {
- return 1;
- }
+ mbedtls_version_get_string_full(mbedtls_version);
+ CLIENT_PRINT("%s", mbedtls_version);
+
+ CLIENT_PRINT("My PID: %d", getpid());
+
+ CLIENT_PRINT("PSA version: %u", psa_version(PSA_SID_CRYPTO_SID));
+ psa_handle_t h = psa_connect(PSA_SID_CRYPTO_SID, 1);
+
+ if (h < 0) {
+ CLIENT_PRINT("Couldn't connect %d", h);
+ return 1;
}
- ERROR("ERROR: Invalid handle");
+
+ status = psa_call(h, PSA_CRYPTO_INIT, NULL, 0, NULL, 0);
+ CLIENT_PRINT("PSA_CRYPTO_INIT returned: %d", status);
+
+ CLIENT_PRINT("Closing handle");
+ psa_close(h);
+
+ if (status != PSA_SUCCESS) {
+ return 1;
+ }
return 0;
}
-
-static int get_queue_info(char *path, int *cqid, int *sqid)
-{
-
- key_t server_queue_key;
- int rx_qid, server_qid;
-
- INFO("Attempting to contact a RoT service queue");
-
- if ((rx_qid = msgget(IPC_PRIVATE, 0660)) == -1) {
- ERROR("msgget: rx_qid");
- return -1;
- }
-
- if ((server_queue_key = ftok(path, PROJECT_ID)) == -1) {
- ERROR("ftok");
- return -2;
- }
-
- if ((server_qid = msgget(server_queue_key, 0)) == -1) {
- ERROR("msgget: server_qid");
- return -3;
- }
-
- *cqid = rx_qid;
- *sqid = server_qid;
-
- return 0;
-}
-
-static psa_status_t process_response(int rx_qid, vectors_t *vecs, int type,
- int *internal_server_qid)
-{
-
- struct message response, request;
- psa_status_t ret = PSA_ERROR_CONNECTION_REFUSED;
- size_t invec_seek[4] = { 0 };
- size_t data_size;
- psa_status_t invec, outvec; /* TODO: Should these be size_t ? */
-
- assert(internal_server_qid > 0);
-
- while (1) {
- data_size = 0;
- invec = 0;
- outvec = 0;
-
- // read response from server
- if (msgrcv(rx_qid, &response, sizeof(struct message_text), 0, 0) == -1) {
- ERROR(" msgrcv failed");
- return ret;
- }
-
- // process return message from server
- switch (response.message_type) {
- case PSA_REPLY:
- memcpy(&ret, response.message_text.buf, sizeof(psa_status_t));
- INFO(" Message received from server: %d", ret);
- if (type == PSA_IPC_CONNECT && ret > 0) {
- *internal_server_qid = ret;
- INFO(" ASSSIGNED q ID %d", *internal_server_qid);
- ret = PSA_SUCCESS;
- }
- return ret;
- break;
- case READ_REQUEST:
- /* read data request */
- request.message_type = READ_RESPONSE;
-
- assert(vecs != 0);
-
- memcpy(&invec, response.message_text.buf, sizeof(psa_status_t));
- memcpy(&data_size, response.message_text.buf+sizeof(size_t), sizeof(size_t));
- INFO(" Partition asked for %lu bytes from invec %d", data_size, invec);
-
- /* need to add more checks here */
- assert(invec >= 0 && invec < PSA_MAX_IOVEC);
-
- if (data_size > MAX_FRAGMENT_SIZE) {
- data_size = MAX_FRAGMENT_SIZE;
- }
-
- /* send response */
- INFO(" invec_seek[invec] is %lu", invec_seek[invec]);
- INFO(" Reading from offset %p", vecs->in_vec[invec].base + invec_seek[invec]);
- memcpy(request.message_text.buf,
- (vecs->in_vec[invec].base + invec_seek[invec]),
- data_size);
-
- /* update invec base TODO: check me */
- invec_seek[invec] = invec_seek[invec] + data_size;
-
- INFO(" Sending message of type %li", request.message_type);
- INFO(" with content %s", request.message_text.buf);
-
- if (msgsnd(*internal_server_qid, &request,
- sizeof(int) + sizeof(uint32_t) + data_size, 0) == -1) {
- ERROR("Internal error: failed to respond to read request");
- }
- break;
- case WRITE_REQUEST:
- assert(vecs != 0);
-
- request.message_type = WRITE_RESPONSE;
-
- memcpy(&outvec, response.message_text.buf, sizeof(psa_status_t));
- memcpy(&data_size, response.message_text.buf + sizeof(size_t), sizeof(size_t));
- INFO(" Partition wants to write %lu bytes to outvec %d", data_size, outvec);
-
- assert(outvec >= 0 && outvec < PSA_MAX_IOVEC);
-
- /* copy memory into message and send back amount written */
- size_t sofar = vecs->out_vec[outvec].len;
- memcpy(vecs->out_vec[outvec].base + sofar,
- response.message_text.buf+(sizeof(size_t)*2), data_size);
- INFO(" Data size is %lu", data_size);
- vecs->out_vec[outvec].len += data_size;
-
- INFO(" Sending message of type %li", request.message_type);
-
- /* send response */
- if (msgsnd(*internal_server_qid, &request, sizeof(int) + data_size, 0) == -1) {
- ERROR("Internal error: failed to respond to write request");
- }
- break;
- case SKIP_REQUEST:
- memcpy(&invec, response.message_text.buf, sizeof(psa_status_t));
- memcpy(&data_size, response.message_text.buf+sizeof(size_t), sizeof(size_t));
- INFO(" Partition asked to skip %lu bytes in invec %d", data_size, invec);
- assert(invec >= 0 && invec < PSA_MAX_IOVEC);
- /* update invec base TODO: check me */
- invec_seek[invec] = invec_seek[invec] + data_size;
- break;
-
- default:
- FATAL(" ERROR: unknown internal message type: %ld",
- response.message_type);
- return ret;
- }
- }
-}
-
-static psa_status_t send(int rx_qid, int server_qid, int *internal_server_qid,
- int32_t type, uint32_t minor_version, vectors_t *vecs)
-{
- {
- psa_status_t ret = PSA_ERROR_CONNECTION_REFUSED;
- size_t request_msg_size = (sizeof(int) + sizeof(long)); /* msg type plus queue id */
- struct message request;
- request.message_type = 1; /* TODO: change this */
- request.message_text.psa_type = type;
- vector_sizes_t vec_sizes;
-
- /* If the client is non-secure then set the NS bit */
- if (__psa_ff_client_security_state != 0) {
- request.message_type |= NON_SECURE;
- }
-
- assert(request.message_type >= 0);
-
- INFO("SEND: Sending message of type %ld with psa_type %d", request.message_type, type);
- INFO(" internal_server_qid = %i", *internal_server_qid);
-
- request.message_text.qid = rx_qid;
-
- if (type == PSA_IPC_CONNECT) {
- memcpy(request.message_text.buf, &minor_version, sizeof(minor_version));
- request_msg_size = request_msg_size + sizeof(minor_version);
- INFO(" Request msg size is %lu", request_msg_size);
- } else {
- assert(internal_server_qid > 0);
- }
-
- if (vecs != NULL && type >= PSA_IPC_CALL) {
-
- memset(&vec_sizes, 0, sizeof(vec_sizes));
-
- /* Copy invec sizes */
- for (size_t i = 0; i < (vecs->in_len); i++) {
- vec_sizes.invec_sizes[i] = vecs->in_vec[i].len;
- INFO(" Client sending vector %lu: %lu", i, vec_sizes.invec_sizes[i]);
- }
-
- /* Copy outvec sizes */
- for (size_t i = 0; i < (vecs->out_len); i++) {
- vec_sizes.outvec_sizes[i] = vecs->out_vec[i].len;
-
- /* Reset to 0 since we need to eventually fill in with bytes written */
- vecs->out_vec[i].len = 0;
- }
-
- memcpy(request.message_text.buf, &vec_sizes, sizeof(vec_sizes));
- request_msg_size = request_msg_size + sizeof(vec_sizes);
- }
-
- INFO(" Sending and then waiting");
-
- // send message to server
- if (msgsnd(server_qid, &request, request_msg_size, 0) == -1) {
- ERROR(" msgsnd failed");
- return ret;
- }
-
- return process_response(rx_qid, vecs, type, internal_server_qid);
- }
-}
-
-
-uint32_t psa_framework_version(void)
-{
- return PSA_FRAMEWORK_VERSION;
-}
-
-psa_handle_t psa_connect(uint32_t sid, uint32_t minor_version)
-{
-
- int idx;
- psa_status_t ret;
- char pathname[PATHNAMESIZE] = { 0 };
-
- idx = get_next_free_handle();
-
- /* if there's a free handle available */
- if (idx >= 0) {
- snprintf(pathname, PATHNAMESIZE - 1, TMP_FILE_BASE_PATH "psa_service_%u", sid);
- INFO("Attempting to contact RoT service at %s", pathname);
-
- /* if communication is possible */
- if (get_queue_info(pathname, &handles[idx].client_qid, &handles[idx].server_qid) >= 0) {
-
- ret = send(handles[idx].client_qid,
- handles[idx].server_qid,
- &handles[idx].internal_server_qid,
- PSA_IPC_CONNECT,
- minor_version,
- NULL);
-
- /* if connection accepted by RoT service */
- if (ret >= 0) {
- handles[idx].valid = 1;
- return idx;
- } else {
- INFO("Server didn't like you");
- }
- } else {
- INFO("Couldn't contact RoT service. Does it exist?");
-
- if (__psa_ff_client_security_state == 0) {
- ERROR("Invalid SID");
- }
- }
- }
-
- INFO("Couldn't obtain a free handle");
- return PSA_ERROR_CONNECTION_REFUSED;
-}
-
-uint32_t psa_version(uint32_t sid)
-{
- int idx;
- psa_status_t ret;
- char pathname[PATHNAMESIZE] = { 0 };
-
- idx = get_next_free_handle();
-
- if (idx >= 0) {
- snprintf(pathname, PATHNAMESIZE, TMP_FILE_BASE_PATH "psa_service_%u", sid);
- if (get_queue_info(pathname, &handles[idx].client_qid, &handles[idx].server_qid) >= 0) {
- ret = send(handles[idx].client_qid,
- handles[idx].server_qid,
- &handles[idx].internal_server_qid,
- VERSION_REQUEST,
- 0,
- NULL);
- INFO("psa_version: Recieved from server %d", ret);
- if (ret > 0) {
- return ret;
- }
- }
- }
- INFO("psa_version failed: does the service exist?");
- return PSA_VERSION_NONE;
-}
-
-psa_status_t psa_call(psa_handle_t handle,
- int32_t type,
- const psa_invec *in_vec,
- size_t in_len,
- psa_outvec *out_vec,
- size_t out_len)
-{
-
- handle_is_valid(handle);
-
- if ((in_len + out_len) > PSA_MAX_IOVEC) {
- ERROR("Too many iovecs: %lu + %lu", in_len, out_len);
- }
-
- vectors_t vecs = { 0 };
- vecs.in_vec = in_vec;
- vecs.in_len = in_len;
- vecs.out_vec = out_vec;
- vecs.out_len = out_len;
-
- return send(handles[handle].client_qid,
- handles[handle].server_qid,
- &handles[handle].internal_server_qid,
- type,
- 0,
- &vecs);
-}
-
-void psa_close(psa_handle_t handle)
-{
- handle_is_valid(handle);
- if (send(handles[handle].client_qid, handles[handle].server_qid,
- &handles[handle].internal_server_qid, PSA_IPC_DISCONNECT, 0, NULL)) {
- ERROR("ERROR: Couldn't send disconnect msg");
- } else {
- if (msgctl(handles[handle].client_qid, IPC_RMID, NULL) != 0) {
- ERROR("ERROR: Failed to delete msg queue");
- }
- }
- INFO("Closing handle %u", handle);
- handles[handle].valid = 0;
-}
diff --git a/tests/psa-client-server/psasim/src/common.c b/tests/psa-client-server/psasim/src/common.c
deleted file mode 100644
index 287bb50..0000000
--- a/tests/psa-client-server/psasim/src/common.c
+++ /dev/null
@@ -1,8 +0,0 @@
-/* Common code between clients and services */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#include "psa/common.h"
diff --git a/tests/psa-client-server/psasim/test/manifest.json b/tests/psa-client-server/psasim/src/manifest.json
similarity index 83%
rename from tests/psa-client-server/psasim/test/manifest.json
rename to tests/psa-client-server/psasim/src/manifest.json
index 0ab83ef..e67b636 100644
--- a/tests/psa-client-server/psasim/test/manifest.json
+++ b/tests/psa-client-server/psasim/src/manifest.json
@@ -3,14 +3,14 @@
"name":"TEST_PARTITION",
"type":"PSA-ROT",
"priority":"LOW",
- "entry_point":"psa_sha256_main",
+ "entry_point":"psa_server_main",
"stack_size":"0x400",
"heap_size":"0x100",
"services":[
{
- "name":"PSA_SID_SHA256",
+ "name":"PSA_SID_CRYPTO",
"sid":"0x0000F000",
- "signal":"PSA_SHA256",
+ "signal":"PSA_CRYPTO",
"non_secure_clients": "true",
"minor_version":1,
"minor_policy":"STRICT"
diff --git a/tests/psa-client-server/psasim/src/psa_ff_client.c b/tests/psa-client-server/psasim/src/psa_ff_client.c
new file mode 100644
index 0000000..21a43b3
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_ff_client.c
@@ -0,0 +1,386 @@
+/* PSA firmware framework client API */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <strings.h>
+#include <inttypes.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/msg.h>
+
+#include "client.h"
+#include "common.h"
+#include "error_ext.h"
+#include "util.h"
+
+typedef struct internal_handle {
+ int server_qid;
+ int client_qid;
+ int internal_server_qid;
+ int valid;
+} internal_handle_t;
+
+typedef struct vectors {
+ const psa_invec *in_vec;
+ size_t in_len;
+ psa_outvec *out_vec;
+ size_t out_len;
+} vectors_t;
+
+/* Note that this implementation is functional and not secure */
+int __psa_ff_client_security_state = NON_SECURE;
+
+/* Access to this global is not thread safe */
+#define MAX_HANDLES 32
+static internal_handle_t handles[MAX_HANDLES] = { { 0 } };
+
+static int get_next_free_handle()
+{
+ /* Never return handle 0 as it's a special null handle */
+ for (int i = 1; i < MAX_HANDLES; i++) {
+ if (handles[i].valid == 0) {
+ return i;
+ }
+ }
+ return -1;
+}
+
+static int handle_is_valid(psa_handle_t handle)
+{
+ if (handle > 0 && handle < MAX_HANDLES) {
+ if (handles[handle].valid == 1) {
+ return 1;
+ }
+ }
+ ERROR("ERROR: Invalid handle");
+ return 0;
+}
+
+static int get_queue_info(char *path, int *cqid, int *sqid)
+{
+ key_t server_queue_key;
+ int rx_qid, server_qid;
+
+ INFO("Attempting to contact a RoT service queue");
+
+ if ((rx_qid = msgget(IPC_PRIVATE, 0660)) == -1) {
+ ERROR("msgget: rx_qid");
+ return -1;
+ }
+
+ if ((server_queue_key = ftok(path, PROJECT_ID)) == -1) {
+ ERROR("ftok");
+ return -2;
+ }
+
+ if ((server_qid = msgget(server_queue_key, 0)) == -1) {
+ ERROR("msgget: server_qid");
+ return -3;
+ }
+
+ *cqid = rx_qid;
+ *sqid = server_qid;
+
+ return 0;
+}
+
+static psa_status_t process_response(int rx_qid, vectors_t *vecs, int type,
+ int *internal_server_qid)
+{
+ struct message response, request;
+ psa_status_t ret = PSA_ERROR_CONNECTION_REFUSED;
+ size_t invec_seek[4] = { 0 };
+ size_t data_size;
+ psa_status_t invec, outvec; /* TODO: Should these be size_t ? */
+
+ assert(internal_server_qid > 0);
+
+ while (1) {
+ data_size = 0;
+ invec = 0;
+ outvec = 0;
+
+ /* read response from server */
+ if (msgrcv(rx_qid, &response, sizeof(struct message_text), 0, 0) == -1) {
+ ERROR(" msgrcv failed");
+ return ret;
+ }
+
+ /* process return message from server */
+ switch (response.message_type) {
+ case PSA_REPLY:
+ memcpy(&ret, response.message_text.buf, sizeof(psa_status_t));
+ INFO(" Message received from server: %d", ret);
+ if (type == PSA_IPC_CONNECT && ret > 0) {
+ *internal_server_qid = ret;
+ INFO(" ASSSIGNED q ID %d", *internal_server_qid);
+ ret = PSA_SUCCESS;
+ }
+ return ret;
+ break;
+ case READ_REQUEST:
+ /* read data request */
+ request.message_type = READ_RESPONSE;
+
+ assert(vecs != 0);
+
+ memcpy(&invec, response.message_text.buf, sizeof(psa_status_t));
+ memcpy(&data_size, response.message_text.buf+sizeof(size_t), sizeof(size_t));
+ INFO(" Partition asked for %lu bytes from invec %d", data_size, invec);
+
+ /* need to add more checks here */
+ assert(invec >= 0 && invec < PSA_MAX_IOVEC);
+
+ if (data_size > MAX_FRAGMENT_SIZE) {
+ data_size = MAX_FRAGMENT_SIZE;
+ }
+
+ /* send response */
+ INFO(" invec_seek[invec] is %lu", invec_seek[invec]);
+ INFO(" Reading from offset %p", vecs->in_vec[invec].base + invec_seek[invec]);
+ memcpy(request.message_text.buf,
+ (vecs->in_vec[invec].base + invec_seek[invec]),
+ data_size);
+
+ /* update invec base TODO: check me */
+ invec_seek[invec] = invec_seek[invec] + data_size;
+
+ INFO(" Sending message of type %li", request.message_type);
+ INFO(" with content %s", request.message_text.buf);
+
+ if (msgsnd(*internal_server_qid, &request,
+ sizeof(int) + sizeof(uint32_t) + data_size, 0) == -1) {
+ ERROR("Internal error: failed to respond to read request");
+ }
+ break;
+ case WRITE_REQUEST:
+ assert(vecs != 0);
+
+ request.message_type = WRITE_RESPONSE;
+
+ memcpy(&outvec, response.message_text.buf, sizeof(psa_status_t));
+ memcpy(&data_size, response.message_text.buf + sizeof(size_t), sizeof(size_t));
+ INFO(" Partition wants to write %lu bytes to outvec %d", data_size, outvec);
+
+ assert(outvec >= 0 && outvec < PSA_MAX_IOVEC);
+
+ /* copy memory into message and send back amount written */
+ size_t sofar = vecs->out_vec[outvec].len;
+ memcpy(vecs->out_vec[outvec].base + sofar,
+ response.message_text.buf+(sizeof(size_t)*2), data_size);
+ INFO(" Data size is %lu", data_size);
+ vecs->out_vec[outvec].len += data_size;
+
+ INFO(" Sending message of type %li", request.message_type);
+
+ /* send response */
+ if (msgsnd(*internal_server_qid, &request, sizeof(int) + data_size, 0) == -1) {
+ ERROR("Internal error: failed to respond to write request");
+ }
+ break;
+ case SKIP_REQUEST:
+ memcpy(&invec, response.message_text.buf, sizeof(psa_status_t));
+ memcpy(&data_size, response.message_text.buf+sizeof(size_t), sizeof(size_t));
+ INFO(" Partition asked to skip %lu bytes in invec %d", data_size, invec);
+ assert(invec >= 0 && invec < PSA_MAX_IOVEC);
+ /* update invec base TODO: check me */
+ invec_seek[invec] = invec_seek[invec] + data_size;
+ break;
+
+ default:
+ FATAL(" ERROR: unknown internal message type: %ld",
+ response.message_type);
+ return ret;
+ }
+ }
+}
+
+static psa_status_t send(int rx_qid, int server_qid, int *internal_server_qid,
+ int32_t type, uint32_t minor_version, vectors_t *vecs)
+{
+ psa_status_t ret = PSA_ERROR_CONNECTION_REFUSED;
+ size_t request_msg_size = (sizeof(int) + sizeof(long)); /* msg type plus queue id */
+ struct message request;
+ request.message_type = 1; /* TODO: change this */
+ request.message_text.psa_type = type;
+ vector_sizes_t vec_sizes;
+
+ /* If the client is non-secure then set the NS bit */
+ if (__psa_ff_client_security_state != 0) {
+ request.message_type |= NON_SECURE;
+ }
+
+ assert(request.message_type >= 0);
+
+ INFO("SEND: Sending message of type %ld with psa_type %d", request.message_type, type);
+ INFO(" internal_server_qid = %i", *internal_server_qid);
+
+ request.message_text.qid = rx_qid;
+
+ if (type == PSA_IPC_CONNECT) {
+ memcpy(request.message_text.buf, &minor_version, sizeof(minor_version));
+ request_msg_size = request_msg_size + sizeof(minor_version);
+ INFO(" Request msg size is %lu", request_msg_size);
+ } else {
+ assert(internal_server_qid > 0);
+ }
+
+ if (vecs != NULL && type >= PSA_IPC_CALL) {
+
+ memset(&vec_sizes, 0, sizeof(vec_sizes));
+
+ /* Copy invec sizes */
+ for (size_t i = 0; i < (vecs->in_len); i++) {
+ vec_sizes.invec_sizes[i] = vecs->in_vec[i].len;
+ INFO(" Client sending vector %lu: %lu", i, vec_sizes.invec_sizes[i]);
+ }
+
+ /* Copy outvec sizes */
+ for (size_t i = 0; i < (vecs->out_len); i++) {
+ vec_sizes.outvec_sizes[i] = vecs->out_vec[i].len;
+
+ /* Reset to 0 since we need to eventually fill in with bytes written */
+ vecs->out_vec[i].len = 0;
+ }
+
+ memcpy(request.message_text.buf, &vec_sizes, sizeof(vec_sizes));
+ request_msg_size = request_msg_size + sizeof(vec_sizes);
+ }
+
+ INFO(" Sending and then waiting");
+
+ /* send message to server */
+ if (msgsnd(server_qid, &request, request_msg_size, 0) == -1) {
+ ERROR(" msgsnd failed");
+ return ret;
+ }
+
+ return process_response(rx_qid, vecs, type, internal_server_qid);
+}
+
+
+uint32_t psa_framework_version(void)
+{
+ return PSA_FRAMEWORK_VERSION;
+}
+
+psa_handle_t psa_connect(uint32_t sid, uint32_t minor_version)
+{
+ int idx;
+ psa_status_t ret;
+ char pathname[PATHNAMESIZE] = { 0 };
+
+ idx = get_next_free_handle();
+
+ /* if there's a free handle available */
+ if (idx >= 0) {
+ snprintf(pathname, PATHNAMESIZE - 1, TMP_FILE_BASE_PATH "psa_service_%u", sid);
+ INFO("Attempting to contact RoT service at %s", pathname);
+
+ /* if communication is possible */
+ if (get_queue_info(pathname, &handles[idx].client_qid, &handles[idx].server_qid) >= 0) {
+
+ ret = send(handles[idx].client_qid,
+ handles[idx].server_qid,
+ &handles[idx].internal_server_qid,
+ PSA_IPC_CONNECT,
+ minor_version,
+ NULL);
+
+ /* if connection accepted by RoT service */
+ if (ret >= 0) {
+ handles[idx].valid = 1;
+ return idx;
+ } else {
+ INFO("Server didn't like you");
+ }
+ } else {
+ INFO("Couldn't contact RoT service. Does it exist?");
+
+ if (__psa_ff_client_security_state == 0) {
+ ERROR("Invalid SID");
+ }
+ }
+ }
+
+ INFO("Couldn't obtain a free handle");
+ return PSA_ERROR_CONNECTION_REFUSED;
+}
+
+uint32_t psa_version(uint32_t sid)
+{
+ int idx;
+ psa_status_t ret;
+ char pathname[PATHNAMESIZE] = { 0 };
+
+ idx = get_next_free_handle();
+
+ if (idx >= 0) {
+ snprintf(pathname, PATHNAMESIZE, TMP_FILE_BASE_PATH "psa_service_%u", sid);
+ if (get_queue_info(pathname, &handles[idx].client_qid, &handles[idx].server_qid) >= 0) {
+ ret = send(handles[idx].client_qid,
+ handles[idx].server_qid,
+ &handles[idx].internal_server_qid,
+ VERSION_REQUEST,
+ 0,
+ NULL);
+ INFO("psa_version: Recieved from server %d", ret);
+ if (ret > 0) {
+ return ret;
+ }
+ }
+ }
+ INFO("psa_version failed: does the service exist?");
+ return PSA_VERSION_NONE;
+}
+
+psa_status_t psa_call(psa_handle_t handle,
+ int32_t type,
+ const psa_invec *in_vec,
+ size_t in_len,
+ psa_outvec *out_vec,
+ size_t out_len)
+{
+ handle_is_valid(handle);
+
+ if ((in_len + out_len) > PSA_MAX_IOVEC) {
+ ERROR("Too many iovecs: %lu + %lu", in_len, out_len);
+ }
+
+ vectors_t vecs = { 0 };
+ vecs.in_vec = in_vec;
+ vecs.in_len = in_len;
+ vecs.out_vec = out_vec;
+ vecs.out_len = out_len;
+
+ return send(handles[handle].client_qid,
+ handles[handle].server_qid,
+ &handles[handle].internal_server_qid,
+ type,
+ 0,
+ &vecs);
+}
+
+void psa_close(psa_handle_t handle)
+{
+ handle_is_valid(handle);
+ if (send(handles[handle].client_qid, handles[handle].server_qid,
+ &handles[handle].internal_server_qid, PSA_IPC_DISCONNECT, 0, NULL)) {
+ ERROR("ERROR: Couldn't send disconnect msg");
+ } else {
+ if (msgctl(handles[handle].client_qid, IPC_RMID, NULL) != 0) {
+ ERROR("ERROR: Failed to delete msg queue");
+ }
+ }
+ INFO("Closing handle %u", handle);
+ handles[handle].valid = 0;
+}
diff --git a/tests/psa-client-server/psasim/src/service.c b/tests/psa-client-server/psasim/src/psa_ff_server.c
similarity index 98%
rename from tests/psa-client-server/psasim/src/service.c
rename to tests/psa-client-server/psasim/src/psa_ff_server.c
index b2b6a08..ea797d8 100644
--- a/tests/psa-client-server/psasim/src/service.c
+++ b/tests/psa-client-server/psasim/src/psa_ff_server.c
@@ -16,11 +16,11 @@
#include <time.h>
#include <assert.h>
-#include "psa/service.h"
-#include "psasim/init.h"
-#include "psa/error.h"
-#include "psa/common.h"
-#include "psa/util.h"
+#include "service.h"
+#include "init.h"
+#include "error_ext.h"
+#include "common.h"
+#include "util.h"
#define MAX_CLIENTS 128
#define MAX_MESSAGES 32
@@ -34,7 +34,7 @@
};
/* Note that this implementation is functional and not secure. */
-extern int __psa_ff_client_security_state;
+int __psa_ff_client_security_state = NON_SECURE;
static psa_msg_t messages[MAX_MESSAGES]; /* Message slots */
static uint8_t pending_message[MAX_MESSAGES] = { 0 }; /* Booleans indicating active message slots */
diff --git a/tests/psa-client-server/psasim/src/psa_functions_codes.h b/tests/psa-client-server/psasim/src/psa_functions_codes.h
new file mode 100644
index 0000000..34897b9
--- /dev/null
+++ b/tests/psa-client-server/psasim/src/psa_functions_codes.h
@@ -0,0 +1,9 @@
+#ifndef _PSA_FUNCTIONS_CODES_H_
+#define _PSA_FUNCTIONS_CODES_H_
+
+enum {
+ PSA_CRYPTO_INIT = 0x00,
+ /* Add other PSA functions here */
+};
+
+#endif /* _PSA_FUNCTIONS_CODES_H_ */
diff --git a/tests/psa-client-server/psasim/test/server.c b/tests/psa-client-server/psasim/src/server.c
similarity index 68%
rename from tests/psa-client-server/psasim/test/server.c
rename to tests/psa-client-server/psasim/src/server.c
index c4b6d9c..630bd73 100644
--- a/tests/psa-client-server/psasim/test/server.c
+++ b/tests/psa-client-server/psasim/src/server.c
@@ -8,10 +8,16 @@
#include <unistd.h>
#include <stdio.h>
-#include "psa/service.h"
-#include "psa/error.h"
-#include "psa/util.h"
+/* Includes from psasim */
+#include "service.h"
+#include "error_ext.h"
+#include "util.h"
#include "psa_manifest/manifest.h"
+#include "psa_functions_codes.h"
+
+/* Includes from mbedtls */
+#include "mbedtls/version.h"
+#include "psa/crypto.h"
#define SERVER_PRINT(fmt, ...) \
PRINT("Server: " fmt, ##__VA_ARGS__)
@@ -36,13 +42,16 @@
}
}
-int psa_sha256_main(int argc, char *argv[])
+int psa_server_main(int argc, char *argv[])
{
psa_status_t ret = PSA_ERROR_PROGRAMMER_ERROR;
psa_msg_t msg = { -1 };
- char foo[BUF_SIZE] = { 0 };
const int magic_num = 66;
int client_disconnected = 0;
+ char mbedtls_version[18];
+
+ mbedtls_version_get_string_full(mbedtls_version);
+ SERVER_PRINT("%s", mbedtls_version);
parse_input_args(argc, argv);
SERVER_PRINT("Starting");
@@ -54,10 +63,9 @@
SERVER_PRINT("Signals: 0x%08x", signals);
}
- if (signals & PSA_SHA256_SIGNAL) {
- if (PSA_SUCCESS == psa_get(PSA_SHA256_SIGNAL, &msg)) {
- SERVER_PRINT("My handle is %d", msg.handle);
- SERVER_PRINT("My rhandle is %p", (int *) msg.rhandle);
+ if (signals & PSA_CRYPTO_SIGNAL) {
+ if (PSA_SUCCESS == psa_get(PSA_CRYPTO_SIGNAL, &msg)) {
+ SERVER_PRINT("handle: %d - rhandle: %p", msg.handle, (int *) msg.rhandle);
switch (msg.type) {
case PSA_IPC_CONNECT:
SERVER_PRINT("Got a connection message");
@@ -69,34 +77,23 @@
ret = PSA_SUCCESS;
client_disconnected = 1;
break;
-
default:
SERVER_PRINT("Got an IPC call of type %d", msg.type);
- ret = 42;
- size_t size = msg.in_size[0];
-
- if ((size > 0) && (size <= sizeof(foo))) {
- psa_read(msg.handle, 0, foo, 6);
- foo[(BUF_SIZE-1)] = '\0';
- SERVER_PRINT("Reading payload: %s", foo);
- psa_read(msg.handle, 0, foo+6, 6);
- foo[(BUF_SIZE-1)] = '\0';
- SERVER_PRINT("Reading payload: %s", foo);
+ switch (msg.type) {
+ case PSA_CRYPTO_INIT:
+ ret = psa_crypto_init();
+ break;
+ default:
+ SERVER_PRINT("Unknown PSA function code");
+ break;
}
-
- size = msg.out_size[0];
- if ((size > 0)) {
- SERVER_PRINT("Writing response");
- psa_write(msg.handle, 0, "RESP", 4);
- psa_write(msg.handle, 0, "ONSE", 4);
- }
+ SERVER_PRINT("Internal function call returned %d", ret);
if (msg.client_id > 0) {
psa_notify(msg.client_id);
} else {
SERVER_PRINT("Client is non-secure, so won't notify");
}
-
}
psa_reply(msg.handle, ret);
diff --git a/tests/psa-client-server/psasim/test/Makefile b/tests/psa-client-server/psasim/test/Makefile
deleted file mode 100644
index 34b86b6..0000000
--- a/tests/psa-client-server/psasim/test/Makefile
+++ /dev/null
@@ -1,29 +0,0 @@
-INCLUDE := -I../include/ -I./psa_manifest
-LIB := -L../src -lpsaff
-
-TEST_BIN = psa_client \
- psa_partition
-
-GENERATED_H_FILES = psa_manifest/manifest.h \
- psa_manifest/pid.h \
- psa_manifest/sid.h
-
-PARTITION_SERVER_BOOTSTRAP = psa_ff_bootstrap_TEST_PARTITION.c
-
-.PHONY: all clean
-
-all: $(TEST_BIN)
-
-psa_client: client.c $(GENERATED_H_FILES)
- $(CC) $(INCLUDE) $(CFLAGS) $< $(LIB) -o $@
-
-psa_partition: $(PARTITION_SERVER_BOOTSTRAP) $(GENERATED_H_FILES)
- $(CC) $(INCLUDE) $(CFLAGS) $< $(LIB) -o $@
-
-$(PARTITION_SERVER_BOOTSTRAP) $(GENERATED_H_FILES): manifest.json server.c
- ../tools/psa_autogen.py $<
-
-clean:
- rm -f $(TEST_BIN) psa_ff_bootstrap_*.c
- rm -f psa_notify_* psa_service_*
- rm -f psa_manifest/*
diff --git a/tests/psa-client-server/psasim/test/client.c b/tests/psa-client-server/psasim/test/client.c
deleted file mode 100644
index 5bde82f..0000000
--- a/tests/psa-client-server/psasim/test/client.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/* psasim test client */
-
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#include <psa/client.h>
-#include <psa/util.h>
-#include "psa_manifest/sid.h"
-#include <stdio.h>
-#include <unistd.h>
-
-#define CLIENT_PRINT(fmt, ...) \
- PRINT("Client: " fmt, ##__VA_ARGS__)
-
-int main()
-{
- const char *text = "FOOBARCOOL!!";
- char output[100] = { 0 };
- CLIENT_PRINT("My PID: %d", getpid());
-
- CLIENT_PRINT("PSA version: %u", psa_version(PSA_SID_SHA256_SID));
- psa_handle_t h = psa_connect(PSA_SID_SHA256_SID, 1);
-
- if (h < 0) {
- CLIENT_PRINT("Couldn't connect %d", h);
- return 1;
- } else {
- int type = 2;
- CLIENT_PRINT("psa_call() w/o invec returned: %d", psa_call(h, type, NULL, 0, NULL, 0));
- psa_invec invecs[1];
- psa_outvec outvecs[1];
- invecs[0].base = text;
- invecs[0].len = sizeof(text);
- outvecs[0].base = output;
- outvecs[0].len = sizeof(output);
-
- CLIENT_PRINT("invec len: %lu", invecs[0].len);
- CLIENT_PRINT("psa_call() w/ invec returned: %d", psa_call(h, type, invecs, 1, outvecs, 1));
- CLIENT_PRINT("Received payload len: %ld", outvecs[0].len);
- CLIENT_PRINT("Received payload content: %s", output);
- CLIENT_PRINT("Closing handle");
- psa_close(h);
- }
-
- return 0;
-}
diff --git a/tests/psa-client-server/psasim/test/run_test.sh b/tests/psa-client-server/psasim/test/run_test.sh
index f0e7a62..6a5605f 100755
--- a/tests/psa-client-server/psasim/test/run_test.sh
+++ b/tests/psa-client-server/psasim/test/run_test.sh
@@ -11,7 +11,10 @@
set -e
+cd "$(dirname "$0")"
+
function clean_run() {
+ rm -f psa_notify_*
pkill psa_partition || true
pkill psa_client || true
ipcs | grep q | awk '{ printf " -q " $$2 }' | xargs ipcrm > /dev/null 2>&1 || true
@@ -21,14 +24,14 @@
# event as signal that the server is ready so that we can start client(s).
function wait_for_server_startup() {
while [ ! -f ./psa_notify_* ]; do
- sleep 0.1
+ sleep 0.1
done
}
clean_run
-./psa_partition -k &
+./psa_partition -k > psa_partition.log 2>&1 &
SERV_PID=$!
wait_for_server_startup
-./psa_client
+./psa_client > psa_client.log 2>&1
wait $SERV_PID
diff --git a/tests/psa-client-server/psasim/tools/psa_autogen.py b/tests/psa-client-server/psasim/tools/psa_autogen.py
index 53b1fea..fbc9806 100755
--- a/tests/psa-client-server/psasim/tools/psa_autogen.py
+++ b/tests/psa-client-server/psasim/tools/psa_autogen.py
@@ -15,6 +15,13 @@
FILENAME = str(sys.argv[1])
+SCRIPT_PATH = os.path.dirname(__file__)
+GENERATED_H_PATH = os.path.join(SCRIPT_PATH, "..", "include", "psa_manifest")
+GENERATED_C_PATH = os.path.join(SCRIPT_PATH, "..", "src")
+
+MANIFEST_FILE = os.path.join(GENERATED_H_PATH, "manifest.h")
+PID_FILE = os.path.join(GENERATED_H_PATH, "pid.h")
+SID_FILE = os.path.join(GENERATED_H_PATH, "sid.h")
with open(str(FILENAME), "r") as read_file:
data = json.load(read_file)
@@ -32,14 +39,14 @@
irqs = []
try:
- os.mkdir("psa_manifest")
+ os.mkdir(GENERATED_H_PATH)
print("Generating psa_manifest directory")
except OSError:
- print ("PSA manifest directory already exists")
+ print("PSA manifest directory already exists")
- man = open(str("psa_manifest/" + FILENAME + ".h"), "w")
- pids = open("psa_manifest/pid.h", "a")
- sids = open("psa_manifest/sid.h", "a")
+ manifest_content = []
+ pids_content = []
+ sids_content = []
if len(services) > 28:
print ("Unsupported number of services")
@@ -60,8 +67,8 @@
# Go through all the services to make sid.h and pid.h
for svc in services:
- man.write("#define {}_SIGNAL 0x{:08x}\n".format(svc['signal'], 2**count))
- sids.write("#define {}_SID {}\n".format(svc['name'], svc['sid']))
+ manifest_content.append("#define {}_SIGNAL 0x{:08x}".format(svc['signal'], 2**count))
+ sids_content.append("#define {}_SID {}".format(svc['name'], svc['sid']))
qcode = qcode + "\"" + queue_path + str(int(svc['sid'], 16)) + "\","
ns_clients = svc['non_secure_clients']
print(str(svc))
@@ -91,7 +98,7 @@
handlercode = "void __sig_handler(int signo) {\n"
irqcount = count
for irq in irqs:
- man.write("#define {} 0x{:08x}\n".format(irq['signal'], 2**irqcount))
+ manifest_content.append("#define {} 0x{:08x}".format(irq['signal'], 2**irqcount))
sigcode = sigcode + " signal({}, __sig_handler);\n".format(irq['source'])
handlercode = handlercode + \
" if (signo == {}) {{ raise_signal(0x{:08x}); }};\n".format(irq['source'], 2**irqcount)
@@ -111,28 +118,28 @@
versions = versions + "};\n"
policy = policy + "};\n"
- pids.close()
- sids.close()
- man.close()
+ with open(MANIFEST_FILE, "wt") as output:
+ output.write("\n".join(manifest_content))
+ with open(SID_FILE, "wt") as output:
+ output.write("\n".join(sids_content))
+ with open(PID_FILE, "wt") as output:
+ output.write("\n".join(pids_content))
symbols = []
- # Go through all the files in the current directory and look for the entrypoint
- for root, directories, filenames in os.walk('.'):
+ # Go through source files and look for the entrypoint
+ for root, directories, filenames in os.walk(GENERATED_C_PATH):
for filename in filenames:
-
if "psa_ff_bootstrap" in filename or filename == "psa_manifest":
continue
-
try:
fullpath = os.path.join(root,filename)
with open(fullpath, encoding='utf-8') as currentFile:
text = currentFile.read()
if str(entry_point + "(") in text:
- symbols.append(fullpath)
+ symbols.append(filename)
except IOError:
print("Couldn't open " + filename)
-
except UnicodeDecodeError:
pass
@@ -144,22 +151,24 @@
print("Duplicate entrypoint symbol detected: " + str(symbols))
sys.exit(2)
else:
- bs = open(str("psa_ff_bootstrap_" + str(partition_name) + ".c"), "w")
- bs.write("#include <psasim/init.h>\n")
- bs.write("#include \"" + symbols[0] + "\"\n")
- bs.write("#include <signal.h>\n\n")
- bs.write(qcode)
- bs.write(nsacl)
- bs.write(policy)
- bs.write(versions)
- bs.write("\n")
- bs.write(handlercode)
- bs.write("\n")
- bs.write("int main(int argc, char *argv[]) {\n")
- bs.write(" (void) argc;\n")
- bs.write(sigcode)
- bs.write(" __init_psasim(psa_queues, 32, ns_allowed, versions, strict_policy);\n")
- bs.write(" " + entry_point + "(argc, argv);\n}\n")
- bs.close()
+ C_FILENAME = os.path.join(GENERATED_C_PATH, "psa_ff_bootstrap_" + partition_name + ".c")
+ c_content = []
+ c_content.append("#include <init.h>")
+ c_content.append("#include \"" + symbols[0] + "\"")
+ c_content.append("#include <signal.h>")
+ c_content.append(qcode)
+ c_content.append(nsacl)
+ c_content.append(policy)
+ c_content.append(versions)
+ c_content.append(handlercode)
+ c_content.append("int main(int argc, char *argv[]) {")
+ c_content.append(" (void) argc;")
+ c_content.append(sigcode)
+ c_content.append(" __init_psasim(psa_queues, 32, ns_allowed, versions,"
+ "strict_policy);")
+ c_content.append(" " + entry_point + "(argc, argv);")
+ c_content.append("}")
+ with open(C_FILENAME, "wt") as output:
+ output.write("\n".join(c_content))
print("Success")
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 8158c8d..4f0e9bb 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -945,6 +945,39 @@
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@"
}
+# $1: target which can be "client" or "server"
+helper_crypto_client_build() {
+ TARGET=$1
+ shift
+ TARGET_LIB=libpsa$TARGET
+
+ if [ "$TARGET" == "client" ]; then
+ scripts/config.py full
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
+ # Dynamic secure element support is a deprecated feature and it is not
+ # available when CRYPTO_C and PSA_CRYPTO_STORAGE_C are disabled.
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
+ # Disable potentially problematic features
+ scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
+ else
+ scripts/config.py crypto_full
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ fi
+
+ make -C tests/psa-client-server/psasim/ CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $TARGET_LIB "$@"
+
+ # cleanup() will restore some backed-up files which include $CONFIG_H and
+ # $CRYPTO_CONFIG_H. Built libraries were already copied to psasim at this
+ # point.
+ cleanup
+}
+
################################################################
#### Configuration helpers
################################################################
@@ -1731,6 +1764,7 @@
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
else
@@ -4076,6 +4110,7 @@
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
# Disable direct dependency on AES_C
scripts/config.py unset MBEDTLS_NIST_KW_C
@@ -5276,9 +5311,11 @@
make clean
msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
- # In the user config, disable one feature, which will reflect on the
- # mbedtls configuration so we can query it with query_compile_time_config.
+ # In the user config, disable one feature and its dependencies, which will
+ # reflect on the mbedtls configuration so we can query it with
+ # query_compile_time_config.
echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
+ echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
scripts/config.py unset MBEDTLS_CMAC_C
make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
not programs/test/query_compile_time_config MBEDTLS_CMAC_C
@@ -6175,11 +6212,21 @@
}
component_test_psasim() {
+ msg "build library for client"
+
+ helper_crypto_client_build client
+
+ msg "build library for server"
+
+ scripts/config.py crypto
+
+ helper_crypto_client_build server
+
msg "build psasim"
- make -C tests/psa-client-server/psasim
+ make -C tests/psa-client-server/psasim CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test psasim"
- make -C tests/psa-client-server/psasim run
+ tests/psa-client-server/psasim/test/run_test.sh
msg "clean psasim"
make -C tests/psa-client-server/psasim clean
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 5b4deb6..eb24694 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -85,6 +85,17 @@
def analyze_coverage(results: Results, outcomes: Outcomes,
allow_list: typing.List[str], full_coverage: bool) -> None:
"""Check that all available test cases are executed at least once."""
+ # Make sure that the generated data files are present (and up-to-date).
+ # This allows analyze_outcomes.py to run correctly on a fresh Git
+ # checkout.
+ cp = subprocess.run(['make', 'generated_files'],
+ cwd='tests',
+ stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
+ check=False)
+ if cp.returncode != 0:
+ sys.stderr.write(cp.stdout.decode('utf-8'))
+ results.error("Failed \"make generated_files\" in tests. "
+ "Coverage analysis may be incorrect.")
available = check_test_cases.collect_available_test_cases()
for suite_case in available:
hit = any(suite_case in comp_outcomes.successes or
@@ -468,6 +479,12 @@
'bignum.generated', 'bignum.misc',
],
'ignored_tests': {
+ 'ssl-opt': [
+ # DHE support in TLS 1.2 requires built-in MBEDTLS_DHM_C
+ # (because it needs custom groups, which PSA does not
+ # provide), even with MBEDTLS_USE_PSA_CRYPTO.
+ re.compile(r'PSK callback:.*\bdhe-psk\b.*'),
+ ],
'test_suite_platform': [
# Incompatible with sanitizers (e.g. ASan). If the driver
# component uses a sanitizer but the reference component
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index 055023a..5557de3 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -17,32 +17,26 @@
my %configs = (
'config-ccm-psk-tls1_2.h' => {
- 'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
- 'test_again_with_use_psa' => 1
+ 'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'',
},
'config-ccm-psk-dtls1_2.h' => {
- 'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+ 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'',
'opt' => ' ',
'opt_needs_debug' => 1,
- 'test_again_with_use_psa' => 1
},
'config-no-entropy.h' => {
},
'config-suite-b.h' => {
- 'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
- 'test_again_with_use_psa' => 1,
+ 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS",
'opt' => ' ',
'opt_needs_debug' => 1,
},
'config-symmetric-only.h' => {
- 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
},
'config-tfm.h' => {
- 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
},
'config-thread.h' => {
'opt' => '-f ECJPAKE.*nolog',
- 'test_again_with_use_psa' => 1,
},
);
@@ -148,7 +142,10 @@
}
foreach my $conf ( @configs_to_test ) {
- my $test_with_psa = $configs{$conf}{'test_again_with_use_psa'};
+ system("grep '//#define MBEDTLS_USE_PSA_CRYPTO' configs/$conf > /dev/null");
+ die "grep ... configs/$conf: $!" if $? != 0 && $? != 0x100;
+ my $test_with_psa = $? == 0;
+
if ( $test_with_psa )
{
perform_test( $conf, $configs{$conf}, $test_with_psa );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 3549a7b..f4c7f6d 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -70,6 +70,32 @@
# alternative versions of OpenSSL and GnuTLS (no default path)
+# If $OPENSSL is at least 1.1.1, use it as OPENSSL_NEXT as well.
+if [ -z "${OPENSSL_NEXT:-}" ]; then
+ case $($OPENSSL version) in
+ OpenSSL\ 1.1.[1-9]*) OPENSSL_NEXT=$OPENSSL;;
+ OpenSSL\ [3-9]*) OPENSSL_NEXT=$OPENSSL;;
+ esac
+fi
+
+# If $GNUTLS_CLI is at least 3.7, use it as GNUTLS_NEXT_CLI as well.
+if [ -z "${GNUTLS_NEXT_CLI:-}" ]; then
+ case $($GNUTLS_CLI --version) in
+ gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
+ gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
+ gnutls-cli\ [4-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
+ esac
+fi
+
+# If $GNUTLS_SERV is at least 3.7, use it as GNUTLS_NEXT_SERV as well.
+if [ -z "${GNUTLS_NEXT_SERV:-}" ]; then
+ case $($GNUTLS_SERV --version) in
+ gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
+ gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
+ gnutls-cli\ [4-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
+ esac
+fi
+
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key"
@@ -443,9 +469,9 @@
esac
case "$CMD_LINE" in
- *server5*|\
- *server7*|\
- *dir-maxpath*)
+ */server5*|\
+ */server7*|\
+ */dir-maxpath*)
if [ "$TLS_VERSION" = "TLS13" ]; then
# In case of TLS13 the support for ECDSA is enough
requires_pk_alg "ECDSA"
@@ -477,9 +503,15 @@
esac
case "$CMD_LINE" in
- *server2*|\
- *server7*)
- # server2 and server7 certificates use RSA encryption
+ */server1*|\
+ */server2*|\
+ */server7*)
+ # Certificates with an RSA key. The algorithm requirement is
+ # some subset of {PKCS#1v1.5 encryption, PKCS#1v1.5 signature,
+ # PSS signature}. We can't easily tell which subset works, and
+ # we aren't currently running ssl-opt.sh in configurations
+ # where partial RSA support is a problem, so generically, we
+ # just require RSA and it works out for our tests so far.
requires_config_enabled "MBEDTLS_RSA_C"
esac
@@ -494,9 +526,10 @@
adapt_cmd_for_psk () {
case "$2" in
- *openssl*) s='-psk abc123 -nocert';;
- *gnutls-*) s='--pskkey=abc123';;
- *) s='psk=abc123';;
+ *openssl*s_server*) s='-psk 73776f726466697368 -nocert';;
+ *openssl*) s='-psk 73776f726466697368';;
+ *gnutls-*) s='--pskusername=Client_identity --pskkey=73776f726466697368';;
+ *) s='psk=73776f726466697368';;
esac
eval $1='"$2 $s"'
unset s
@@ -2449,9 +2482,9 @@
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: RSA-PSK" \
"$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none \
- psk=abc123 psk_identity=foo" \
+ psk=73776f726466697368 psk_identity=foo" \
"$P_CLI force_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
- psk=abc123 psk_identity=foo" \
+ psk=73776f726466697368 psk_identity=foo" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-RSA-PSK-" \
@@ -2698,12 +2731,14 @@
-C "error"
# Tests for SHA-1 support
+requires_hash_alg SHA_1
run_test "SHA-1 forbidden by default in server certificate" \
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$P_CLI debug_level=2 force_version=tls12 allow_sha1=0" \
1 \
-c "The certificate is signed with an unacceptable hash"
+requires_hash_alg SHA_1
run_test "SHA-1 explicitly allowed in server certificate" \
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$P_CLI force_version=tls12 allow_sha1=1" \
@@ -2714,17 +2749,23 @@
"$P_CLI force_version=tls12 allow_sha1=0" \
0
+requires_hash_alg SHA_1
+requires_config_enabled MBEDTLS_RSA_C
run_test "SHA-1 forbidden by default in client certificate" \
"$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1 \
-s "The certificate is signed with an unacceptable hash"
+requires_hash_alg SHA_1
+requires_config_enabled MBEDTLS_RSA_C
run_test "SHA-1 explicitly allowed in client certificate" \
"$P_SRV force_version=tls12 auth_mode=required allow_sha1=1" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
0
+requires_config_enabled MBEDTLS_RSA_C
+requires_hash_alg SHA_256
run_test "SHA-256 allowed by default in client certificate" \
"$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
@@ -3820,7 +3861,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: openssl client" \
- "$P_SRV debug_level=3 tickets=1" \
+ "$P_SRV force_version=tls12 debug_level=3 tickets=1" \
"( $O_CLI -sess_out $SESSION; \
$O_CLI -sess_in $SESSION; \
rm -f $SESSION )" \
@@ -5626,6 +5667,7 @@
# Test for the "secure renegotiation" extension only (no actual renegotiation)
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server strict, client default" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
@@ -5636,6 +5678,7 @@
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server unsafe, client default" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
@@ -5646,6 +5689,7 @@
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls server unsafe, client break legacy" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
@@ -5656,28 +5700,31 @@
-C "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls client strict, server default" \
"$P_SRV debug_level=3" \
- "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
+ "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION localhost" \
0 \
-s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-s "server hello, secure renegotiation extension"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls client unsafe, server default" \
"$P_SRV debug_level=3" \
- "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
+ "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
requires_gnutls
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Renego ext: gnutls client unsafe, server break legacy" \
"$P_SRV debug_level=3 allow_legacy=-1" \
- "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
+ "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION localhost" \
1 \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
@@ -7789,7 +7836,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server2.key \
+ "$O_CLI -tls1_2 -key data_files/server2.key \
-cert data_files/server2.ku-ds.crt" \
0 \
-s "Verifying peer X.509 certificate... ok" \
@@ -7799,7 +7846,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server2.key \
+ "$O_CLI -tls1_2 -key data_files/server2.key \
-cert data_files/server2.ku-ke.crt" \
0 \
-s "bad certificate (usage extensions)" \
@@ -7807,8 +7854,8 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
- "$P_SRV debug_level=1 auth_mode=required" \
- "$O_CLI -key data_files/server2.key \
+ "$P_SRV debug_level=1 force_version=tls12 auth_mode=required" \
+ "$O_CLI -tls1_2 -key data_files/server2.key \
-cert data_files/server2.ku-ke.crt" \
1 \
-s "bad certificate (usage extensions)" \
@@ -7817,7 +7864,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
+ "$O_CLI -tls1_2 -key data_files/server5.key \
-cert data_files/server5.ku-ds.crt" \
0 \
-s "Verifying peer X.509 certificate... ok" \
@@ -7827,7 +7874,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
+ "$O_CLI -tls1_2 -key data_files/server5.key \
-cert data_files/server5.ku-ka.crt" \
0 \
-s "bad certificate (usage extensions)" \
@@ -8004,7 +8051,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: clientAuth -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
+ "$O_CLI -tls1_2 -key data_files/server5.key \
-cert data_files/server5.eku-cli.crt" \
0 \
-S "bad certificate (usage extensions)" \
@@ -8013,7 +8060,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
+ "$O_CLI -tls1_2 -key data_files/server5.key \
-cert data_files/server5.eku-srv_cli.crt" \
0 \
-S "bad certificate (usage extensions)" \
@@ -8022,7 +8069,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
+ "$O_CLI -tls1_2 -key data_files/server5.key \
-cert data_files/server5.eku-cs_any.crt" \
0 \
-S "bad certificate (usage extensions)" \
@@ -8031,7 +8078,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
"$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
+ "$O_CLI -tls1_2 -key data_files/server5.key \
-cert data_files/server5.eku-cs.crt" \
0 \
-s "bad certificate (usage extensions)" \
@@ -8040,7 +8087,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
"$P_SRV debug_level=1 auth_mode=required" \
- "$O_CLI -key data_files/server5.key \
+ "$O_CLI -tls1_2 -key data_files/server5.key \
-cert data_files/server5.eku-cs.crt" \
1 \
-s "bad certificate (usage extensions)" \
@@ -8183,9 +8230,9 @@
# Tests for PSK callback
run_test "PSK callback: psk, no callback" \
- "$P_SRV psk=abc123 psk_identity=foo" \
+ "$P_SRV psk=73776f726466697368 psk_identity=foo" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-S "SSL - The handshake negotiation failed" \
-S "SSL - Unknown identity received" \
@@ -8193,9 +8240,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8205,9 +8252,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8217,9 +8264,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8229,9 +8276,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8241,9 +8288,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8253,9 +8300,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8265,9 +8312,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8277,9 +8324,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8289,9 +8336,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8301,9 +8348,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8313,9 +8360,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8325,9 +8372,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8337,9 +8384,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8349,9 +8396,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8361,9 +8408,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8373,9 +8420,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
+ "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
+ psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8385,9 +8432,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8397,9 +8444,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8409,10 +8456,10 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8422,10 +8469,10 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8435,9 +8482,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8447,9 +8494,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8459,10 +8506,10 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8472,10 +8519,10 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8485,9 +8532,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8497,9 +8544,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8509,10 +8556,10 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8522,10 +8569,10 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8535,9 +8582,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8547,9 +8594,9 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
+ "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
0 \
-C "session hash for extended master secret"\
-S "session hash for extended master secret"\
@@ -8559,10 +8606,10 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8572,10 +8619,10 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
+ "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
+ psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@@ -8785,7 +8832,7 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@@ -8797,7 +8844,7 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@@ -8809,7 +8856,7 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@@ -8821,7 +8868,7 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@@ -8833,7 +8880,7 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
+ "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,73776f726466697368 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
1 \
@@ -8842,16 +8889,16 @@
run_test "PSK callback: no psk, no callback" \
"$P_SRV" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
1 \
-s "SSL - The handshake negotiation failed" \
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
run_test "PSK callback: callback overrides other settings" \
- "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
+ "$P_SRV psk=73776f726466697368 psk_identity=foo psk_list=abc,dead,def,beef" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
+ psk_identity=foo psk=73776f726466697368" \
1 \
-S "SSL - The handshake negotiation failed" \
-s "SSL - Unknown identity received" \
@@ -9069,11 +9116,25 @@
# Test for ClientHello without extensions
+# Without extensions, ECC is impossible (no curve negotiation).
+requires_config_enabled MBEDTLS_RSA_C
requires_gnutls
-run_test "ClientHello without extensions" \
+run_test "ClientHello without extensions: RSA" \
"$P_SRV force_version=tls12 debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
+ -s "Ciphersuite is .*-RSA-WITH-.*" \
+ -S "Ciphersuite is .*-EC.*" \
+ -s "dumping 'client hello extensions' (0 bytes)"
+
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+requires_gnutls
+run_test "ClientHello without extensions: PSK" \
+ "$P_SRV force_version=tls12 debug_level=3 psk=73776f726466697368" \
+ "$G_CLI --priority=NORMAL:+PSK:-RSA:-DHE-RSA:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION --pskusername=Client_identity --pskkey=73776f726466697368 localhost" \
+ 0 \
+ -s "Ciphersuite is .*-PSK-.*" \
+ -S "Ciphersuite is .*-EC.*" \
-s "dumping 'client hello extensions' (0 bytes)"
# Tests for mbedtls_ssl_get_bytes_avail()
@@ -9683,9 +9744,9 @@
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: decrypt RSA-PSK, delay=0" \
- "$P_SRV psk=abc123 \
+ "$P_SRV psk=73776f726466697368 \
async_operations=d async_private_delay1=0 async_private_delay2=0" \
- "$P_CLI psk=abc123 \
+ "$P_CLI psk=73776f726466697368 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async decrypt callback: using key slot " \
@@ -9693,9 +9754,9 @@
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: decrypt RSA-PSK, delay=1" \
- "$P_SRV psk=abc123 \
+ "$P_SRV psk=73776f726466697368 \
async_operations=d async_private_delay1=1 async_private_delay2=1" \
- "$P_CLI psk=abc123 \
+ "$P_CLI psk=73776f726466697368 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async decrypt callback: using key slot " \
@@ -10145,8 +10206,8 @@
-s "! Certificate verification was skipped"
run_test "DTLS wrong PSK: badmac alert" \
- "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
- "$P_CLI dtls=1 psk=abc124" \
+ "$P_SRV dtls=1 psk=73776f726466697368 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
+ "$P_CLI dtls=1 psk=73776f726466697374" \
1 \
-s "SSL - Verification of the message MAC failed" \
-c "SSL - A fatal alert message was received from our peer"
@@ -11914,8 +11975,8 @@
requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
-p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
- "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
+ "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=73776f726466697368 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
+ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
0 \
-s "Buffer record from epoch 1" \
-s "Found buffered record from current epoch - load" \
@@ -11929,8 +11990,8 @@
run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
-s "Extra-header:" \
@@ -12005,8 +12066,8 @@
run_test "DTLS proxy: 3d, min handshake, resumption" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 debug_level=3" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368 debug_level=3" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -12020,8 +12081,8 @@
run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 debug_level=3 nbio=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368 debug_level=3 nbio=2" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
0 \
@@ -12035,8 +12096,8 @@
run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiation=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368 renegotiation=1 debug_level=2" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -12050,8 +12111,8 @@
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiation=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ psk=73776f726466697368 renegotiation=1 debug_level=2" \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -12065,9 +12126,9 @@
run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
+ psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiation=1 exchanges=4 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -12081,9 +12142,9 @@
run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
+ psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2 nbio=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
+ "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@@ -14062,8 +14123,8 @@
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: no HRR in case of PSK key exchange mode" \
- "$P_SRV nbio=2 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk groups=none" \
- "$P_CLI nbio=2 debug_level=3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \
+ "$P_SRV nbio=2 psk=73776f726466697368 psk_identity=0a0b0c tls13_kex_modes=psk groups=none" \
+ "$P_CLI nbio=2 debug_level=3 psk=73776f726466697368 psk_identity=0a0b0c tls13_kex_modes=all" \
0 \
-C "received HelloRetryRequest message" \
-c "Selected key exchange mode: psk$" \
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index ad7da32..1188137 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -1818,7 +1818,7 @@
int ret;
#endif /* MBEDTLS_RSA_C || MBEDTLS_PK_WRITE_C */
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
- mbedtls_ecp_group_id ecp_grp_id;
+ mbedtls_ecp_group_id ecp_grp_id = MBEDTLS_ECP_DP_NONE;
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
/*