Merge pull request #7203 from yuhaoth/pr/add-cpu-modifier-for-aesce
Add CPU modifier for AESCE
diff --git a/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt b/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt
new file mode 100644
index 0000000..1f2c563
--- /dev/null
+++ b/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
+ len argument is 0 and buffer is NULL.
diff --git a/ChangeLog.d/pkcs7-parser.txt b/ChangeLog.d/pkcs7-parser.txt
new file mode 100644
index 0000000..b60d187
--- /dev/null
+++ b/ChangeLog.d/pkcs7-parser.txt
@@ -0,0 +1,15 @@
+Features
+ * Added partial support for parsing the PKCS #7 Cryptographic Message
+ Syntax, as defined in RFC 2315. Currently, support is limited to the
+ following:
+ - Only the signed-data content type, version 1 is supported.
+ - Only DER encoding is supported.
+ - Only a single digest algorithm per message is supported.
+ - Certificates must be in X.509 format. A message must have either 0
+ or 1 certificates.
+ - There is no support for certificate revocation lists.
+ - The authenticated and unauthenticated attribute fields of SignerInfo
+ must be empty.
+ Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
+ contributing this feature, and to Demi-Marie Obenour for contributing
+ various improvements, tests and bug fixes.
diff --git a/README.md b/README.md
index f4bf4e1..288e692 100644
--- a/README.md
+++ b/README.md
@@ -61,10 +61,11 @@
The following tools are required:
* Perl, for some library source files and for Visual Studio build files.
-* Python 3 and some Python packages, for some library source files, sample programs and test data. To install the necessary packages, run
+* Python 3 and some Python packages, for some library source files, sample programs and test data. To install the necessary packages, run:
```
- python -m pip install -r scripts/basic.requirements.txt
+ python3 -m pip install --user -r scripts/basic.requirements.txt
```
+ Depending on your Python installation, you may need to invoke `python` instead of `python3`. To install the packages system-wide, omit the `--user` option.
* A C compiler for the host platform, for some test data.
If you are cross-compiling, you must set the `CC` environment variable to a C compiler for the host platform when generating the configuration-independent files.
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index e8b909d..1ea241c 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -2851,11 +2851,7 @@
/**
* \def MBEDTLS_PKCS7_C
*
- * This feature is a work in progress and not ready for production. Testing and
- * validation is incomplete, and handling of malformed inputs may not be robust.
- * The API may change.
- *
- * Enable PKCS7 core for using PKCS7 formatted signatures.
+ * Enable PKCS #7 core for using PKCS #7-formatted signatures.
* RFC Link - https://tools.ietf.org/html/rfc2315
*
* Module: library/pkcs7.c
@@ -2864,9 +2860,9 @@
* MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
* MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
*
- * This module is required for the PKCS7 parsing modules.
+ * This module is required for the PKCS #7 parsing modules.
*/
-//#define MBEDTLS_PKCS7_C
+#define MBEDTLS_PKCS7_C
/**
* \def MBEDTLS_PKCS12_C
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 126eac4..1231e34 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -1,7 +1,7 @@
/**
* \file pkcs7.h
*
- * \brief PKCS7 generic defines and structures
+ * \brief PKCS #7 generic defines and structures
* https://tools.ietf.org/html/rfc2315
*/
/*
@@ -22,27 +22,22 @@
*/
/**
- * This feature is a work in progress and not ready for production. The API may
- * change. Furthermore, please note that the implementation has only been
- * validated with well-formed inputs, not yet with untrusted inputs (which is
- * almost always the case in practice).
- *
- * Note: For the time being, this implementation of the PKCS7 cryptographic
+ * Note: For the time being, this implementation of the PKCS #7 cryptographic
* message syntax is a partial implementation of RFC 2315.
* Differences include:
* - The RFC specifies 6 different content types. The only type currently
- * supported in Mbed TLS is the signed data content type.
- * - The only supported PKCS7 Signed Data syntax version is version 1
+ * supported in Mbed TLS is the signed-data content type.
+ * - The only supported PKCS #7 Signed Data syntax version is version 1
* - The RFC specifies support for BER. This implementation is limited to
* DER only.
* - The RFC specifies that multiple digest algorithms can be specified
* in the Signed Data type. Only one digest algorithm is supported in Mbed TLS.
- * - The RFC specifies the Signed Data type can contain multiple X509 or PKCS6
+ * - The RFC specifies the Signed Data type can contain multiple X.509 or PKCS #6 extended
* certificates. In Mbed TLS, this list can only contain 0 or 1 certificates
- * and they must be in X509 format.
+ * and they must be in X.509 format.
* - The RFC specifies the Signed Data type can contain
- * certificate-revocation lists (crls). This implementation has no support
- * for crls so it is assumed to be an empty list.
+ * certificate-revocation lists (CRLs). This implementation has no support
+ * for CRLs so it is assumed to be an empty list.
* - The RFC allows for SignerInfo structure to optionally contain
* unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is
* assumed these fields are empty.
@@ -62,13 +57,13 @@
#include "mbedtls/x509_crt.h"
/**
- * \name PKCS7 Module Error codes
+ * \name PKCS #7 Module Error codes
* \{
*/
#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x5300 /**< The format is invalid, e.g. different type expected. */
#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x5380 /**< Unavailable feature, e.g. anything other than signed data. */
-#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS7 version element is invalid or cannot be parsed. */
-#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS7 content info is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS #7 version element is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS #7 content info is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */
@@ -76,11 +71,11 @@
#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */
#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */
#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */
-#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS7 date issued/expired dates are invalid */
+#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS #7 date issued/expired dates are invalid */
/* \} name */
/**
- * \name PKCS7 Supported Version
+ * \name PKCS #7 Supported Version
* \{
*/
#define MBEDTLS_PKCS7_SUPPORTED_VERSION 0x01
@@ -91,12 +86,12 @@
#endif
/**
- * Type-length-value structure that allows for ASN1 using DER.
+ * Type-length-value structure that allows for ASN.1 using DER.
*/
typedef mbedtls_asn1_buf mbedtls_pkcs7_buf;
/**
- * Container for ASN1 named information objects.
+ * Container for ASN.1 named information objects.
* It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
*/
typedef mbedtls_asn1_named_data mbedtls_pkcs7_name;
@@ -107,7 +102,7 @@
typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence;
/**
- * PKCS7 types
+ * PKCS #7 types
*/
typedef enum {
MBEDTLS_PKCS7_NONE=0,
@@ -121,7 +116,7 @@
mbedtls_pkcs7_type;
/**
- * Structure holding PKCS7 signer info
+ * Structure holding PKCS #7 signer info
*/
typedef struct mbedtls_pkcs7_signer_info {
int MBEDTLS_PRIVATE(version);
@@ -151,7 +146,7 @@
mbedtls_pkcs7_signed_data;
/**
- * Structure holding PKCS7 structure, only signed data for now
+ * Structure holding PKCS #7 structure, only signed data for now
*/
typedef struct mbedtls_pkcs7 {
mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
@@ -160,21 +155,21 @@
mbedtls_pkcs7;
/**
- * \brief Initialize pkcs7 structure.
+ * \brief Initialize mbedtls_pkcs7 structure.
*
- * \param pkcs7 pkcs7 structure.
+ * \param pkcs7 mbedtls_pkcs7 structure.
*/
void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7);
/**
- * \brief Parse a single DER formatted pkcs7 detached signature.
+ * \brief Parse a single DER formatted PKCS #7 detached signature.
*
- * \param pkcs7 The pkcs7 structure to be filled by parser for the output.
- * \param buf The buffer holding only the DER encoded pkcs7.
+ * \param pkcs7 The mbedtls_pkcs7 structure to be filled by the parser.
+ * \param buf The buffer holding only the DER encoded PKCS #7 content.
* \param buflen The size in bytes of \p buf. The size must be exactly the
- * length of the DER encoded pkcs7.
+ * length of the DER encoded PKCS #7 content.
*
- * \note This function makes an internal copy of the PKCS7 buffer
+ * \note This function makes an internal copy of the PKCS #7 buffer
* \p buf. In particular, \p buf may be destroyed or reused
* after this call returns.
* \note Signatures with internal data are not supported.
@@ -186,7 +181,7 @@
const size_t buflen);
/**
- * \brief Verification of PKCS7 signature against a caller-supplied
+ * \brief Verification of PKCS #7 signature against a caller-supplied
* certificate.
*
* For each signer in the PKCS structure, this function computes
@@ -197,10 +192,10 @@
* matches.
*
* This function does not use the certificates held within the
- * PKCS7 structure itself, and does not check that the
+ * PKCS #7 structure itself, and does not check that the
* certificate is signed by a trusted certification authority.
*
- * \param pkcs7 PKCS7 structure containing signature.
+ * \param pkcs7 mbedtls_pkcs7 structure containing signature.
* \param cert Certificate containing key to verify signature.
* \param data Plain data on which signature has to be verified.
* \param datalen Length of the data.
@@ -216,7 +211,7 @@
size_t datalen);
/**
- * \brief Verification of PKCS7 signature against a caller-supplied
+ * \brief Verification of PKCS #7 signature against a caller-supplied
* certificate.
*
* For each signer in the PKCS structure, this function
@@ -226,10 +221,10 @@
* signature is good.
*
* This function does not use the certificates held within the
- * PKCS7 structure itself, and does not check that the
+ * PKCS #7 structure itself, and does not check that the
* certificate is signed by a trusted certification authority.
*
- * \param pkcs7 PKCS7 structure containing signature.
+ * \param pkcs7 PKCS #7 structure containing signature.
* \param cert Certificate containing key to verify signature.
* \param hash Hash of the plain data on which signature has to be verified.
* \param hashlen Length of the hash.
@@ -244,10 +239,10 @@
const unsigned char *hash, size_t hashlen);
/**
- * \brief Unallocate all PKCS7 data and zeroize the memory.
- * It doesn't free pkcs7 itself. It should be done by the caller.
+ * \brief Unallocate all PKCS #7 data and zeroize the memory.
+ * It doesn't free \p pkcs7 itself. This should be done by the caller.
*
- * \param pkcs7 PKCS7 structure to free.
+ * \param pkcs7 mbedtls_pkcs7 structure to free.
*/
void mbedtls_pkcs7_free(mbedtls_pkcs7 *pkcs7);
diff --git a/library/pkcs7.c b/library/pkcs7.c
index d4059d7..cf05afd 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -42,7 +42,7 @@
#endif
/**
- * Initializes the pkcs7 structure.
+ * Initializes the mbedtls_pkcs7 structure.
*/
void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7)
{
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 1cad588..18c19f9 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5599,8 +5599,10 @@
n = (len < ssl->in_msglen)
? len : ssl->in_msglen;
- memcpy(buf, ssl->in_offt, n);
- ssl->in_msglen -= n;
+ if (len != 0) {
+ memcpy(buf, ssl->in_offt, n);
+ ssl->in_msglen -= n;
+ }
/* Zeroising the plaintext buffer to erase unused application data
from the memory. */
@@ -5676,7 +5678,9 @@
*/
ssl->out_msglen = len;
ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
- memcpy(ssl->out_msg, buf, len);
+ if (len > 0) {
+ memcpy(ssl->out_msg, buf, len);
+ }
if ((ret = mbedtls_ssl_write_record(ssl, SSL_FORCE_FLUSH)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h
index 2eba0c1..ab8260b 100644
--- a/tests/include/test/macros.h
+++ b/tests/include/test/macros.h
@@ -253,27 +253,4 @@
*/
#define MAX(x, y) ((x) > (y) ? (x) : (y))
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT32_BE
-#define GET_UINT32_BE(n, b, i) \
- { \
- (n) = ((uint32_t) (b)[(i)] << 24) \
- | ((uint32_t) (b)[(i) + 1] << 16) \
- | ((uint32_t) (b)[(i) + 2] << 8) \
- | ((uint32_t) (b)[(i) + 3]); \
- }
-#endif
-
-#ifndef PUT_UINT32_BE
-#define PUT_UINT32_BE(n, b, i) \
- { \
- (b)[(i)] = (unsigned char) ((n) >> 24); \
- (b)[(i) + 1] = (unsigned char) ((n) >> 16); \
- (b)[(i) + 2] = (unsigned char) ((n) >> 8); \
- (b)[(i) + 3] = (unsigned char) ((n)); \
- }
-#endif
-
#endif /* TEST_MACROS_H */
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 30185ad..b76ba57 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2312,7 +2312,8 @@
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH + USE_PSA"
make test
- # ssl-opt.sh later (probably doesn't pass right now)
+ msg "test: ssl-opt.sh"
+ tests/ssl-opt.sh
}
# Keep in sync with component_test_psa_crypto_config_accel_ecdh_use_psa.
@@ -2331,7 +2332,8 @@
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with reference ECDH + USE_PSA"
make test
- # ssl-opt.sh later when the accel component is ready
+ msg "test: ssl-opt.sh"
+ tests/ssl-opt.sh
}
component_test_psa_crypto_config_accel_rsa_signature () {
@@ -3697,6 +3699,11 @@
# ARM Compiler 6 - Target ARMv8.2-A - AArch64
armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto"
}
+support_build_armcc () {
+ armc5_cc="$ARMC5_BIN_DIR/armcc"
+ armc6_cc="$ARMC6_BIN_DIR/armclang"
+ (check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1)
+}
component_test_tls13_only () {
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
@@ -3839,8 +3846,8 @@
make WINDOWS_BUILD=1 clean
}
support_build_mingw() {
- case $(i686-w64-mingw32-gcc -dumpversion) in
- [0-5]*) false;;
+ case $(i686-w64-mingw32-gcc -dumpversion 2>/dev/null) in
+ [0-5]*|"") false;;
*) true;;
esac
}
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 3fd24e9..49ff218 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -96,7 +96,7 @@
if component_ref in entry:
reference_test_passed = True
if(reference_test_passed and not driver_test_passed):
- print(key)
+ Results.log(key)
result = False
return result
@@ -131,7 +131,7 @@
"""Perform coverage analysis."""
del args # unused
outcomes = read_outcome_file(outcome_file)
- print("\n*** Analyze coverage ***\n")
+ Results.log("\n*** Analyze coverage ***\n")
results = analyze_outcomes(outcomes)
return results.error_count == 0
@@ -140,7 +140,7 @@
ignored_suites = ['test_suite_' + x for x in args['ignored_suites']]
outcomes = read_outcome_file(outcome_file)
- print("\n*** Analyze driver {} vs reference {} ***\n".format(
+ Results.log("\n*** Analyze driver {} vs reference {} ***\n".format(
args['component_driver'], args['component_ref']))
return analyze_driver_vs_reference(outcomes, args['component_ref'],
args['component_driver'], ignored_suites,
@@ -213,7 +213,7 @@
if options.list:
for task in TASKS:
- print(task)
+ Results.log(task)
sys.exit(0)
result = True
@@ -225,7 +225,7 @@
for task in tasks:
if task not in TASKS:
- print('Error: invalid task: {}'.format(task))
+ Results.log('Error: invalid task: {}'.format(task))
sys.exit(1)
for task in TASKS:
@@ -235,7 +235,7 @@
if result is False:
sys.exit(1)
- print("SUCCESS :-)")
+ Results.log("SUCCESS :-)")
except Exception: # pylint: disable=broad-except
# Print the backtrace and exit explicitly with our chosen status.
traceback.print_exc()
diff --git a/tests/src/random.c b/tests/src/random.c
index e74e689..5ca333a 100644
--- a/tests/src/random.c
+++ b/tests/src/random.c
@@ -36,6 +36,7 @@
#include <string.h>
#include <mbedtls/entropy.h>
+#include "../../library/alignment.h"
int mbedtls_test_rnd_std_rand(void *rng_state,
unsigned char *output,
@@ -137,7 +138,7 @@
+ info->v0) ^ (sum + k[(sum>>11) & 3]);
}
- PUT_UINT32_BE(info->v0, result, 0);
+ MBEDTLS_PUT_UINT32_BE(info->v0, result, 0);
memcpy(out, result, use_len);
len -= use_len;
out += 4;
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d73ef0f..e2b1e04 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -395,7 +395,8 @@
case "$1" in
*server5*|\
- *server7*)
+ *server7*|\
+ *dir-maxpath*)
if [ "$3" = "TLS13" ]; then
# In case of TLS13 the support for ECDSA is enough
requires_pk_alg "ECDSA"
@@ -1965,6 +1966,7 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for client authentication: ECDHE-RSA" \
"$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \
@@ -2244,6 +2246,7 @@
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDHE-RSA" \
"$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \
@@ -2330,6 +2333,7 @@
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
run_test "Opaque keys for server authentication: RSA keys with different algs" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none \
@@ -2394,6 +2398,7 @@
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
run_test "Opaque key for client/server authentication: ECDHE-RSA" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
@@ -5622,7 +5627,6 @@
# are in place so that the semantics are consistent with the test description.
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: server max_int chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
key_file=data_files/dir-maxpath/09.key" \
@@ -5632,7 +5636,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: server max_int+1 chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -5642,8 +5645,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: server max_int+1 chain, client optional" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -5654,8 +5655,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: server max_int+1 chain, client none" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -5666,7 +5665,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client max_int+1 chain, server default" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5676,7 +5674,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client max_int+1 chain, server optional" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5686,7 +5683,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client max_int+1 chain, server required" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5696,7 +5692,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
-requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client max_int chain, server required" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
@@ -5928,8 +5923,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: server max_int chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
key_file=data_files/dir-maxpath/09.key" \
@@ -5941,8 +5934,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: server max_int+1 chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -5954,8 +5945,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -5968,8 +5957,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
"$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5981,8 +5968,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client max_int+1 chain, server required" \
"$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -5994,8 +5979,6 @@
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client max_int chain, server required" \
"$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 89c223d..13fcaa6 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -23,13 +23,17 @@
pkcs7_parse:"data_files/pkcs7_data_signed_badcert.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
PKCS7 Signed Data Parse Fail with disabled alg #5.1
-depends_on:MBEDTLS_RSA_C:!MBEDTLS_SHA512_C
+depends_on:MBEDTLS_RSA_C:!MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA
pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha512.der":MBEDTLS_ERR_PKCS7_INVALID_ALG
PKCS7 Parse Fail with Inlined Content Info #5.2
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_parse:"data_files/pkcs7_data_with_signature.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+PKCS7 Signed Data Parse Fail with no RSA #5.3
+depends_on:MBEDTLS_SHA256_C:!MBEDTLS_RSA_C
+pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
+
PKCS7 Signed Data Parse Fail with corrupted signer info #6
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_parse:"data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
@@ -71,7 +75,7 @@
pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_zerolendata.bin":0:0
PKCS7 Signed Data Verification Fail zero-len data
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Signed Data Verification Pass SHA256 #9
@@ -91,19 +95,19 @@
pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Verification Fail because of different certificate #12
-depends_on:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Signed Data Verification Fail because of different data hash #13
-depends_on:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1
-depends_on:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_parse:"data_files/pkcs7_signerInfo_issuer_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2
-depends_on:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Signed Data Parse Fail Corrupt signerInfos[2] (6213931373035520)
@@ -123,7 +127,7 @@
pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Verify with multiple(3) signers #16.1
-depends_on:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_SHA256_C:!MBEDTLS_MEMORY_BUFFER_ALLOC_C
pkcs7_verify:"data_files/pkcs7_data_3_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt data_files/pkcs7-rsa-sha256-3.crt":"data_files/pkcs7_data.bin":0:0
PKCS7 Signed Data Hash Verify with multiple signers #17
@@ -143,11 +147,11 @@
pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID
PKCS7 Signed Data Verify Fail Expired Cert #19 no DATE_TIME 1
-depends_on:MBEDTLS_SHA256_C:!MBEDTLS_HAVE_TIME_DATE
+depends_on:MBEDTLS_SHA256_C:!MBEDTLS_HAVE_TIME_DATE:MBEDTLS_RSA_C
pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Signed Data Verify Fail Expired Cert #19 no TIME_DATE 2
-depends_on:MBEDTLS_SHA256_C:!MBEDTLS_HAVE_TIME_DATE
+depends_on:MBEDTLS_SHA256_C:!MBEDTLS_HAVE_TIME_DATE:MBEDTLS_RSA_C
pkcs7_verify:"data_files/pkcs7_data_rsa_expired.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
PKCS7 Parse Failure Invalid ASN1: Add null byte to start #20.0
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 91fe47b..cc032ac 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -7,10 +7,11 @@
#include "mbedtls/oid.h"
#include "sys/types.h"
#include "sys/stat.h"
+#include "mbedtls/rsa.h"
/* END_HEADER */
/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_PKCS7_C:MBEDTLS_RSA_C
+ * depends_on:MBEDTLS_PKCS7_C
* END_DEPENDENCIES
*/
/* BEGIN_SUITE_HELPERS */
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index f486021..9dfb7ed 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1165,6 +1165,12 @@
int buf_len, int *written,
const int expected_fragments)
{
+ /* Verify that calling mbedtls_ssl_write with a NULL buffer and zero length is
+ * a valid no-op for TLS connections. */
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ TEST_ASSERT(mbedtls_ssl_write(ssl, NULL, 0) == 0);
+ }
+
int ret = mbedtls_ssl_write(ssl, buf + *written, buf_len - *written);
if (ret > 0) {
*written += ret;
@@ -1203,6 +1209,12 @@
int buf_len, int *read,
int *fragments, const int expected_fragments)
{
+ /* Verify that calling mbedtls_ssl_write with a NULL buffer and zero length is
+ * a valid no-op for TLS connections. */
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ TEST_ASSERT(mbedtls_ssl_read(ssl, NULL, 0) == 0);
+ }
+
int ret = mbedtls_ssl_read(ssl, buf + *read, buf_len - *read);
if (ret > 0) {
(*fragments)++;