Merge pull request #3628 from gilles-peskine-arm/psa-conditional-inclusion-c-proposal
Pure C configuration of PSA crypto mechanisms
diff --git a/.travis.yml b/.travis.yml
index c67c0cd..76cb1c5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,10 +28,6 @@
script:
- tests/scripts/all.sh -k test_full_cmake_gcc_asan
- - name: check compilation guards
- script:
- - tests/scripts/all.sh -k 'test_depends_*' 'build_key_exchanges'
-
- name: macOS
os: osx
compiler: clang
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8833246..5af4c81 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -261,7 +261,7 @@
# to define the test executables.
#
if(ENABLE_TESTING OR ENABLE_PROGRAMS)
- file(GLOB MBEDTLS_TEST_FILES ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c)
+ file(GLOB MBEDTLS_TEST_FILES ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/drivers/*.c)
add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
target_include_directories(mbedtls_test
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
diff --git a/ChangeLog b/ChangeLog
index 32853ce..594c3cf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,118 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.24.0 branch released 2020-09-01
+
+API changes
+ * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
+ group families to psa_ecc_family_t and psa_dh_family_t, in line with the
+ PSA Crypto API specification version 1.0.0.
+ Rename associated macros as well:
+ PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
+ PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
+ PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
+ PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
+
+Default behavior changes
+ * Stop storing persistent information about externally stored keys created
+ through PSA Crypto with a volatile lifetime. Reported in #3288 and
+ contributed by Steven Cooreman in #3382.
+
+Features
+ * The new function mbedtls_ecp_write_key() exports private ECC keys back to
+ a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
+ * Support building on e2k (Elbrus) architecture: correctly enable
+ -Wformat-signedness, and fix the code that causes signed-one-bit-field
+ and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
+ <akemi_homura@kurisa.ch>.
+
+Security
+ * Fix a vulnerability in the verification of X.509 certificates when
+ matching the expected common name (the cn argument of
+ mbedtls_x509_crt_verify()) with the actual certificate name: when the
+ subjecAltName extension is present, the expected name was compared to any
+ name in that extension regardless of its type. This means that an
+ attacker could for example impersonate a 4-bytes or 16-byte domain by
+ getting a certificate for the corresponding IPv4 or IPv6 (this would
+ require the attacker to control that IP address, though). Similar attacks
+ using other subjectAltName name types might be possible. Found and
+ reported by kFYatek in #3498.
+ * When checking X.509 CRLs, a certificate was only considered as revoked if
+ its revocationDate was in the past according to the local clock if
+ available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
+ certificates were never considered as revoked. On builds with
+ MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
+ example, an untrusted OS attacking a secure enclave) could prevent
+ revocation of certificates via CRLs. Fixed by no longer checking the
+ revocationDate field, in accordance with RFC 5280. Reported by
+ yuemonangong in #3340. Reported independently and fixed by
+ Raoul Strackx and Jethro Beekman in #3433.
+ * In (D)TLS record decryption, when using a CBC ciphersuites without the
+ Encrypt-then-Mac extension, use constant code flow memory access patterns
+ to extract and check the MAC. This is an improvement to the existing
+ countermeasure against Lucky 13 attacks. The previous countermeasure was
+ effective against network-based attackers, but less so against local
+ attackers. The new countermeasure defends against local attackers, even
+ if they have access to fine-grained measurements. In particular, this
+ fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
+ Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
+ (University of Florida) and Dave Tian (Purdue University).
+ * Fix side channel in RSA private key operations and static (finite-field)
+ Diffie-Hellman. An adversary with precise enough timing and memory access
+ information (typically an untrusted operating system attacking a secure
+ enclave) could bypass an existing counter-measure (base blinding) and
+ potentially fully recover the private key.
+ * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
+ Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
+ for pinpointing the problematic code.
+ * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
+ application data from memory. Reported in #689 by
+ Johan Uppman Bruce of Sectra.
+
+Bugfix
+ * Library files installed after a CMake build no longer have execute
+ permission.
+ * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
+ redefinition if the function is inlined.
+ Reported in #3451 and fix contributed in #3452 by okhowang.
+ * Fix the endianness of Curve25519 keys imported/exported through the PSA
+ APIs. psa_import_key and psa_export_key will now correctly expect/output
+ Montgomery keys in little-endian as defined by RFC7748. Contributed by
+ Steven Cooreman in #3425.
+ * Fix build errors when the only enabled elliptic curves are Montgomery
+ curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
+ also fixes missing declarations reported by Steven Cooreman in #1147.
+ * Fix self-test failure when the only enabled short Weierstrass elliptic
+ curve is secp192k1. Fixes #2017.
+ * PSA key import will now correctly import a Curve25519/Curve448 public key
+ instead of erroring out. Contributed by Steven Cooreman in #3492.
+ * Use arc4random_buf on NetBSD instead of rand implementation with cyclical
+ lower bits. Fix contributed in #3540.
+ * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
+ conditions. Reported and fix suggested by Guido Vranken in #3486.
+ * Fix bug in redirection of unit test outputs on platforms where stdout is
+ defined as a macro. First reported in #2311 and fix contributed in #3528.
+
+Changes
+ * Only pass -Wformat-signedness to versions of GCC that support it. Reported
+ in #3478 and fix contributed in #3479 by okhowang.
+ * Reduce the stack consumption of mbedtls_x509write_csr_der() which
+ previously could lead to stack overflow on constrained devices.
+ Contributed by Doru Gucea and Simon Leet in #3464.
+ * Undefine the ASSERT macro before defining it locally, in case it is defined
+ in a platform header. Contributed by Abdelatif Guettouche in #3557.
+ * Update copyright notices to use Linux Foundation guidance. As a result,
+ the copyright of contributors other than Arm is now acknowledged, and the
+ years of publishing are no longer tracked in the source files. This also
+ eliminates the need for the lines declaring the files to be part of
+ MbedTLS. Fixes #3457.
+ * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
+ example applications which allows to provide a password for the key file
+ specified through the existing key_file argument. This allows the use of
+ these applications with password-protected key files. Analogously but for
+ ssl_server2 only, add the command line parameter key_pwd2 which allows to
+ set a password for the key file provided through the existing key_file2
+ argument.
+
= mbed TLS 2.23.0 branch released 2020-07-01
Default behavior changes
diff --git a/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt b/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt
new file mode 100644
index 0000000..fe43899
--- /dev/null
+++ b/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt
@@ -0,0 +1,4 @@
+Features
+ * Partial implementation of the new PSA Crypto accelerator APIs for
+ enabling key generation and asymmetric signing/verification through crypto
+ accelerators. Contributed by Steven Cooreman in #3501.
diff --git a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt b/ChangeLog.d/adjusting sliding_window_size_PR3592.txt
new file mode 100644
index 0000000..6089565
--- /dev/null
+++ b/ChangeLog.d/adjusting sliding_window_size_PR3592.txt
@@ -0,0 +1,3 @@
+Changes
+ * Reduce stack usage significantly during sliding window exponentiation.
+ Reported in #3591 and fix contributed in #3592 by Daniel Otte.
diff --git a/ChangeLog.d/bugfix_PR3294.txt b/ChangeLog.d/bugfix_PR3294.txt
new file mode 100644
index 0000000..a6ea75e
--- /dev/null
+++ b/ChangeLog.d/bugfix_PR3294.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
+ enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
+
diff --git a/ChangeLog.d/bugfix_PR3452.txt b/ChangeLog.d/bugfix_PR3452.txt
deleted file mode 100644
index acf593e..0000000
--- a/ChangeLog.d/bugfix_PR3452.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol redefinition if the function is inlined.
- Reported in #3451 and fix contributed in #3452 by okhowang.
diff --git a/ChangeLog.d/build_with_only_montgomery_curves.txt b/ChangeLog.d/build_with_only_montgomery_curves.txt
deleted file mode 100644
index d4ec7c5..0000000
--- a/ChangeLog.d/build_with_only_montgomery_curves.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
- * Fix build errors when the only enabled elliptic curves are Montgomery
- curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
- also fixes missing declarations reported by Steven Cooreman in #1147.
- * Fix self-test failure when the only enabled short Weierstrass elliptic
- curve is secp192k1. Fixes #2017.
diff --git a/ChangeLog.d/cmake-install.txt b/ChangeLog.d/cmake-install.txt
deleted file mode 100644
index 1bcec4a..0000000
--- a/ChangeLog.d/cmake-install.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Library files installed after a CMake build no longer have execute
- permission.
diff --git a/ChangeLog.d/comment_typo_in_mbedtls_ssl_set_bio.txt b/ChangeLog.d/comment_typo_in_mbedtls_ssl_set_bio.txt
new file mode 100644
index 0000000..2f94c16
--- /dev/null
+++ b/ChangeLog.d/comment_typo_in_mbedtls_ssl_set_bio.txt
@@ -0,0 +1,2 @@
+Changes
+ * Fix comment typo in documentation of mbedtls_ssl_set_bio.
diff --git a/ChangeLog.d/copyright.txt b/ChangeLog.d/copyright.txt
deleted file mode 100644
index aefc6bc..0000000
--- a/ChangeLog.d/copyright.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Changes
- * Update copyright notices to use Linux Foundation guidance. As a result,
- the copyright of contributors other than Arm is now acknowledged, and the
- years of publishing are no longer tracked in the source files. This also
- eliminates the need for the lines declaring the files to be part of
- MbedTLS. Fixes #3457.
diff --git a/ChangeLog.d/crl-revocationDate.txt b/ChangeLog.d/crl-revocationDate.txt
deleted file mode 100644
index a8ad532..0000000
--- a/ChangeLog.d/crl-revocationDate.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Security
- * When checking X.509 CRLs, a certificate was only considered as revoked if
- its revocationDate was in the past according to the local clock if
- available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
- certificates were never considered as revoked. On builds with
- MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
- example, an untrusted OS attacking a secure enclave) could prevent
- revocation of certificates via CRLs. Fixed by no longer checking the
- revocationDate field, in accordance with RFC 5280. Reported by
- yuemonangong in #3340. Reported independently and fixed by
- Raoul Strackx and Jethro Beekman in #3433.
diff --git a/ChangeLog.d/do_not_persist_volatile_external_keys.txt b/ChangeLog.d/do_not_persist_volatile_external_keys.txt
deleted file mode 100644
index b27292c..0000000
--- a/ChangeLog.d/do_not_persist_volatile_external_keys.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Default behavior changes
- * Stop storing persistent information about externally stored keys created
- through PSA Crypto with a volatile lifetime. Reported in #3288 and
- contributed by Steven Cooreman in #3382.
diff --git a/ChangeLog.d/e2k-support.txt b/ChangeLog.d/e2k-support.txt
deleted file mode 100644
index 023b188..0000000
--- a/ChangeLog.d/e2k-support.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * Support building on e2k (Elbrus) architecture: correctly enable
- -Wformat-signedness, and fix the code that causes signed-one-bit-field
- and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
- <akemi_homura@kurisa.ch>.
diff --git a/ChangeLog.d/fix-typo.txt b/ChangeLog.d/fix-typo.txt
new file mode 100644
index 0000000..8e961d2
--- /dev/null
+++ b/ChangeLog.d/fix-typo.txt
@@ -0,0 +1,3 @@
+Changes
+ * Fixes a typo in the example code located in
+ program/pkey/ecdh_curve25519.c
diff --git a/ChangeLog.d/format-signedness.txt b/ChangeLog.d/format-signedness.txt
deleted file mode 100644
index ee1ee4b..0000000
--- a/ChangeLog.d/format-signedness.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Only pass -Wformat-signedness to versions of GCC that support it. Reported
- in #3478 and fix contributed in #3479 by okhowang.
diff --git a/ChangeLog.d/md_setup-leak.txt b/ChangeLog.d/md_setup-leak.txt
deleted file mode 100644
index 5111d8e..0000000
--- a/ChangeLog.d/md_setup-leak.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
- conditions. Reported and fix suggested by Guido Vranken in #3486.
diff --git a/ChangeLog.d/netbsd-rand-arc4random_buf.txt b/ChangeLog.d/netbsd-rand-arc4random_buf.txt
deleted file mode 100644
index 8539d1f..0000000
--- a/ChangeLog.d/netbsd-rand-arc4random_buf.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Use arc4random_buf on NetBSD instead of rand implementation with cyclical
- lower bits. Fix contributed in #3540.
diff --git a/ChangeLog.d/psa_curve25519_key_support.txt b/ChangeLog.d/psa_curve25519_key_support.txt
deleted file mode 100644
index 954ca0f..0000000
--- a/ChangeLog.d/psa_curve25519_key_support.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Features
- * The new function mbedtls_ecp_write_key() exports private ECC keys back to
- a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
-
-Bugfix
- * Fix the endianness of Curve25519 keys imported/exported through the PSA
- APIs. psa_import_key and psa_export_key will now correctly expect/output
- Montgomery keys in little-endian as defined by RFC7748. Contributed by
- Steven Cooreman in #3425.
diff --git a/ChangeLog.d/psa_curve25519_public_key_import.txt b/ChangeLog.d/psa_curve25519_public_key_import.txt
deleted file mode 100644
index 2ea11e2..0000000
--- a/ChangeLog.d/psa_curve25519_public_key_import.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * PSA key import will now correctly import a Curve25519/Curve448 public key
- instead of erroring out. Contributed by Steven Cooreman in #3492.
diff --git a/ChangeLog.d/psa_ecc_dh_macros.txt b/ChangeLog.d/psa_ecc_dh_macros.txt
deleted file mode 100644
index 033f3d8..0000000
--- a/ChangeLog.d/psa_ecc_dh_macros.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-API changes
- * In the PSA API, rename the types of elliptic curve and Diffie-Hellman group families to
- psa_ecc_family_t and psa_dh_family_t, in line with the PSA Crypto API specification version 1.0.0.
- Rename associated macros as well:
- PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
- PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
- PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
- PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
-
diff --git a/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt b/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt
deleted file mode 100644
index ad1ad30..0000000
--- a/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Changes
- * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
- example applications which allows to provide a password for the key file
- specified through the existing key_file argument. This allows the use of
- these applications with password-protected key files. Analogously but for
- ssl_server2 only, add the command line parameter key_pwd2 which allows to
- set a password for the key file provided through the existing key_file2
- argument.
diff --git a/ChangeLog.d/stdout-macro.txt b/ChangeLog.d/stdout-macro.txt
deleted file mode 100644
index 9456240..0000000
--- a/ChangeLog.d/stdout-macro.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix bug in redirection of unit test outputs on platforms where stdout is
- defined as a macro. First reported in #2311 and fix contributed in #3528.
diff --git a/ChangeLog.d/undef_assert_before_defining_it.txt b/ChangeLog.d/undef_assert_before_defining_it.txt
deleted file mode 100644
index 74a2018..0000000
--- a/ChangeLog.d/undef_assert_before_defining_it.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Undefine the ASSERT macro before defining it locally, in case it is defined
- in a platform header. Contributed by Abdelatif Guettouche in #3557.
diff --git a/ChangeLog.d/x509-verify-non-dns-san.txt b/ChangeLog.d/x509-verify-non-dns-san.txt
deleted file mode 100644
index 0cd81b3..0000000
--- a/ChangeLog.d/x509-verify-non-dns-san.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Security
- * Fix a vulnerability in the verification of X.509 certificates when
- matching the expected common name (the cn argument of
- mbedtls_x509_crt_verify()) with the actual certificate name: when the
- subjecAltName extension is present, the expected name was compared to any
- name in that extension regardless of its type. This means that an
- attacker could for example impersonate a 4-bytes or 16-byte domain by
- getting a certificate for the corresponding IPv4 or IPv6 (this would
- require the attacker to control that IP address, though). Similar attacks
- using other subjectAltName name types might be possible. Found and
- reported by kFYatek in #3498.
diff --git a/ChangeLog.d/x509write_csr_heap_alloc.txt b/ChangeLog.d/x509write_csr_heap_alloc.txt
deleted file mode 100644
index abce20c..0000000
--- a/ChangeLog.d/x509write_csr_heap_alloc.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Reduce the stack consumption of mbedtls_x509write_csr_der() which
- previously could lead to stack overflow on constrained devices.
- Contributed by Doru Gucea and Simon Leet in #3464.
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index 1bb6f37..c13b279 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -22,7 +22,7 @@
*/
/**
- * @mainpage mbed TLS v2.23.0 source code documentation
+ * @mainpage mbed TLS v2.24.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index e89021a..bf33dab 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
-PROJECT_NAME = "mbed TLS v2.23.0"
+PROJECT_NAME = "mbed TLS v2.24.0"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 0d019b9..637360e 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -61,12 +61,12 @@
* Maximum window size used for modular exponentiation. Default: 6
* Minimum value: 1. Maximum value: 6.
*
- * Result is an array of ( 2 << MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
+ * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
* for the sliding window calculation. (So 64 by default)
*
* Reduction in size, reduces speed.
*/
-#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
+#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */
#endif /* !MBEDTLS_MPI_WINDOW_SIZE */
#if !defined(MBEDTLS_MPI_MAX_SIZE)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 8560296..120c1d3 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -195,6 +195,16 @@
#error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
#endif
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#define MBEDTLS_HAS_MEMSAN
+#endif
+#endif
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN)
+#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
+#endif
+#undef MBEDTLS_HAS_MEMSAN
+
#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
#error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6f457da..f1b834c 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1329,6 +1329,17 @@
*/
#define MBEDTLS_PKCS1_V21
+/** \def MBEDTLS_PSA_CRYPTO_DRIVERS
+ *
+ * Enable support for the experimental PSA crypto driver interface.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+//#define MBEDTLS_PSA_CRYPTO_DRIVERS
+
/**
* \def MBEDTLS_PSA_CRYPTO_SPM
*
@@ -1907,6 +1918,42 @@
//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
/**
+ * \def MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+ *
+ * Enable testing of the constant-flow nature of some sensitive functions with
+ * clang's MemorySanitizer. This causes some existing tests to also test
+ * this non-functional property of the code under test.
+ *
+ * This setting requires compiling with clang -fsanitize=memory. The test
+ * suites can then be run normally.
+ *
+ * \warning This macro is only used for extended testing; it is not considered
+ * part of the library's API, so it may change or disappear at any time.
+ *
+ * Uncomment to enable testing of the constant-flow nature of selected code.
+ */
+//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+
+/**
+ * \def MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+ *
+ * Enable testing of the constant-flow nature of some sensitive functions with
+ * valgrind's memcheck tool. This causes some existing tests to also test
+ * this non-functional property of the code under test.
+ *
+ * This setting requires valgrind headers for building, and is only useful for
+ * testing if the tests suites are run with valgrind's memcheck. This can be
+ * done for an individual test suite with 'valgrind ./test_suite_xxx', or when
+ * using CMake, this can be done for all test suites with 'make memcheck'.
+ *
+ * \warning This macro is only used for extended testing; it is not considered
+ * part of the library's API, so it may change or disappear at any time.
+ *
+ * Uncomment to enable testing of the constant-flow nature of selected code.
+ */
+//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+
+/**
* \def MBEDTLS_TEST_HOOKS
*
* Enable features for invasive testing such as introspection functions and
@@ -3414,7 +3461,7 @@
*/
/* MPI / BIGNUM options */
-//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
+//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */
//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
/* CTR_DRBG options */
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index f086bdf..a091261 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1559,7 +1559,7 @@
* \note For DTLS, you need to provide either a non-NULL
* f_recv_timeout callback, or a f_recv that doesn't block.
*
- * \note See the documentations of \c mbedtls_ssl_sent_t,
+ * \note See the documentations of \c mbedtls_ssl_send_t,
* \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for
* the conventions those callbacks must follow.
*
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 1c43af8..b3d53d3 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -144,12 +144,26 @@
#define MBEDTLS_SSL_COMPRESSION_ADD 0
#endif
+/* This macro determines whether CBC is supported. */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
+ ( defined(MBEDTLS_AES_C) || \
+ defined(MBEDTLS_CAMELLIA_C) || \
+ defined(MBEDTLS_ARIA_C) || \
+ defined(MBEDTLS_DES_C) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
+#endif
+
+/* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
+ * opposed to the very different CBC construct used in SSLv3) is supported. */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+ ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
+#endif
+
#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
- ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || \
- defined(MBEDTLS_CAMELLIA_C) || \
- defined(MBEDTLS_ARIA_C) || \
- defined(MBEDTLS_DES_C) ) )
+ defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
#define MBEDTLS_SSL_SOME_MODES_USE_MAC
#endif
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index d62d312..665a283 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -37,7 +37,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
-#define MBEDTLS_VERSION_MINOR 23
+#define MBEDTLS_VERSION_MINOR 24
#define MBEDTLS_VERSION_PATCH 0
/**
@@ -45,9 +45,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02170000
-#define MBEDTLS_VERSION_STRING "2.23.0"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.23.0"
+#define MBEDTLS_VERSION_NUMBER 0x02180000
+#define MBEDTLS_VERSION_STRING "2.24.0"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.24.0"
#if defined(MBEDTLS_VERSION_C)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 1bdc59e..91ac8bc 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -61,6 +61,7 @@
platform_util.c
poly1305.c
psa_crypto.c
+ psa_crypto_driver_wrappers.c
psa_crypto_se.c
psa_crypto_slot_management.c
psa_crypto_storage.c
@@ -178,15 +179,15 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto})
- set_target_properties(mbedcrypto PROPERTIES VERSION 2.23.0 SOVERSION 5)
+ set_target_properties(mbedcrypto PROPERTIES VERSION 2.24.0 SOVERSION 5)
target_link_libraries(mbedcrypto ${libs})
add_library(mbedx509 SHARED ${src_x509})
- set_target_properties(mbedx509 PROPERTIES VERSION 2.23.0 SOVERSION 1)
+ set_target_properties(mbedx509 PROPERTIES VERSION 2.24.0 SOVERSION 1)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
add_library(mbedtls SHARED ${src_tls})
- set_target_properties(mbedtls PROPERTIES VERSION 2.23.0 SOVERSION 13)
+ set_target_properties(mbedtls PROPERTIES VERSION 2.24.0 SOVERSION 13)
target_link_libraries(mbedtls ${libs} mbedx509)
endif(USE_SHARED_MBEDTLS_LIBRARY)
diff --git a/library/Makefile b/library/Makefile
index b76a84b..c7d4a06 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -118,6 +118,7 @@
platform_util.o \
poly1305.o \
psa_crypto.o \
+ psa_crypto_driver_wrappers.o \
psa_crypto_se.o \
psa_crypto_slot_management.o \
psa_crypto_storage.o \
diff --git a/library/bignum.c b/library/bignum.c
index 9325632..fa97d19 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -2101,7 +2101,7 @@
size_t i, j, nblimbs;
size_t bufsize, nbits;
mbedtls_mpi_uint ei, mm, state;
- mbedtls_mpi RR, T, W[ 2 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
+ mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
int neg;
MPI_VALIDATE_RET( X != NULL );
diff --git a/library/dhm.c b/library/dhm.c
index f5ad50a..f796812 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -319,6 +319,32 @@
}
/*
+ * Pick a random R in the range [2, M) for blinding purposes
+ */
+static int dhm_random_below( mbedtls_mpi *R, const mbedtls_mpi *M,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+ int ret, count;
+
+ count = 0;
+ do
+ {
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( R, mbedtls_mpi_size( M ), f_rng, p_rng ) );
+
+ while( mbedtls_mpi_cmp_mpi( R, M ) >= 0 )
+ MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( R, 1 ) );
+
+ if( count++ > 10 )
+ return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+ }
+ while( mbedtls_mpi_cmp_int( R, 1 ) <= 0 );
+
+cleanup:
+ return( ret );
+}
+
+
+/*
* Use the blinding method and optimisation suggested in section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
@@ -327,7 +353,10 @@
static int dhm_update_blinding( mbedtls_dhm_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- int ret, count;
+ int ret;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init( &R );
/*
* Don't use any blinding the first time a particular X is used,
@@ -362,24 +391,23 @@
*/
/* Vi = random( 2, P-1 ) */
- count = 0;
- do
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( dhm_random_below( &ctx->Vi, &ctx->P, f_rng, p_rng ) );
- while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) );
+ /* Vf = Vi^-X mod P
+ * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
+ * then elevate to the Xth power. */
+ MBEDTLS_MPI_CHK( dhm_random_below( &R, &ctx->P, f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vi, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
- if( count++ > 10 )
- return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
- }
- while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
-
- /* Vf = Vi^-X mod P */
- MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
cleanup:
+ mbedtls_mpi_free( &R );
+
return( ret );
}
diff --git a/library/md2.c b/library/md2.c
index 5ebf072..b4f7cc6 100644
--- a/library/md2.c
+++ b/library/md2.c
@@ -287,8 +287,7 @@
{ "message digest" },
{ "abcdefghijklmnopqrstuvwxyz" },
{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
- { "12345678901234567890123456789012345678901234567890123456789012"
- "345678901234567890" }
+ { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
};
static const size_t md2_test_strlen[7] =
diff --git a/library/md4.c b/library/md4.c
index ac95074..1cac0a4 100644
--- a/library/md4.c
+++ b/library/md4.c
@@ -408,8 +408,7 @@
{ "message digest" },
{ "abcdefghijklmnopqrstuvwxyz" },
{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
- { "12345678901234567890123456789012345678901234567890123456789012"
- "345678901234567890" }
+ { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
};
static const size_t md4_test_strlen[7] =
diff --git a/library/md5.c b/library/md5.c
index 8cea902..1e702b4 100644
--- a/library/md5.c
+++ b/library/md5.c
@@ -422,8 +422,7 @@
{ "message digest" },
{ "abcdefghijklmnopqrstuvwxyz" },
{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
- { "12345678901234567890123456789012345678901234567890123456789012"
- "345678901234567890" }
+ { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
};
static const size_t md5_test_buflen[7] =
diff --git a/library/pk.c b/library/pk.c
index 8ffbed2..9a3bcb0 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -591,6 +591,9 @@
psa_algorithm_t hash_alg )
{
#if !defined(MBEDTLS_ECP_C)
+ ((void) pk);
+ ((void) handle);
+ ((void) hash_alg);
return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
#else
const mbedtls_ecp_keypair *ec;
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 6bf3169..903c53b 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -551,11 +551,12 @@
unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES];
unsigned char *p;
mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
- psa_algorithm_t psa_sig_md, psa_md;
+ psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
size_t curve_bits;
psa_ecc_family_t curve =
mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits );
const size_t signature_part_size = ( ctx->grp.nbits + 7 ) / 8;
+ ((void) md_alg);
if( curve == 0 )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -569,11 +570,6 @@
if( key_len <= 0 )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
- psa_md = mbedtls_psa_translate_md( md_alg );
- if( psa_md == 0 )
- return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
- psa_sig_md = PSA_ALG_ECDSA( psa_md );
-
psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
psa_set_key_algorithm( &attributes, psa_sig_md );
@@ -910,6 +906,8 @@
type == MBEDTLS_PK_ECDSA );
}
+#if defined(MBEDTLS_ECDSA_C)
+
/*
* Simultaneously convert and move raw MPI from the beginning of a buffer
* to an ASN.1 MPI at the end of the buffer.
@@ -992,11 +990,24 @@
return( 0 );
}
+#endif /* MBEDTLS_ECDSA_C */
+
static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
+#if !defined(MBEDTLS_ECDSA_C)
+ ((void) ctx);
+ ((void) md_alg);
+ ((void) hash);
+ ((void) hash_len);
+ ((void) sig);
+ ((void) sig_len);
+ ((void) f_rng);
+ ((void) p_rng);
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+#else /* !MBEDTLS_ECDSA_C */
const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
@@ -1027,6 +1038,7 @@
/* transcode it to ASN.1 sequence */
return( pk_ecdsa_sig_asn1_from_psa( sig, sig_len, buf_len ) );
+#endif /* !MBEDTLS_ECDSA_C */
}
const mbedtls_pk_info_t mbedtls_pk_opaque_info = {
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index bffddc9..77e6304 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -27,6 +27,7 @@
#include "psa_crypto_core.h"
#include "psa_crypto_invasive.h"
+#include "psa_crypto_driver_wrappers.h"
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
#include "psa_crypto_se.h"
#endif
@@ -124,7 +125,7 @@
if( global_data.initialized == 0 ) \
return( PSA_ERROR_BAD_STATE );
-static psa_status_t mbedtls_to_psa_error( int ret )
+psa_status_t mbedtls_to_psa_error( int ret )
{
/* If there's both a high-level code and low-level code, dispatch on
* the high-level code. */
@@ -3637,10 +3638,6 @@
{
psa_key_slot_t *slot;
psa_status_t status;
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- const psa_drv_se_t *drv;
- psa_drv_se_context_t *drv_context;
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
*signature_length = signature_size;
/* Immediately reject a zero-length signature buffer. This guarantees
@@ -3659,24 +3656,19 @@
goto exit;
}
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
- {
- if( drv->asymmetric == NULL ||
- drv->asymmetric->p_sign == NULL )
- {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
- status = drv->asymmetric->p_sign( drv_context,
- slot->data.se.slot_number,
- alg,
- hash, hash_length,
- signature, signature_size,
- signature_length );
- }
- else
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+ /* Try any of the available accelerators first */
+ status = psa_driver_wrapper_sign_hash( slot,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED ||
+ psa_key_lifetime_is_external( slot->attr.lifetime ) )
+ goto exit;
+
+ /* If the operation was not supported by any accelerator, try fallback. */
#if defined(MBEDTLS_RSA_C)
if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
{
@@ -3763,29 +3755,22 @@
{
psa_key_slot_t *slot;
psa_status_t status;
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- const psa_drv_se_t *drv;
- psa_drv_se_context_t *drv_context;
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_VERIFY_HASH, alg );
if( status != PSA_SUCCESS )
return( status );
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
- {
- if( drv->asymmetric == NULL ||
- drv->asymmetric->p_verify == NULL )
- return( PSA_ERROR_NOT_SUPPORTED );
- return( drv->asymmetric->p_verify( drv_context,
- slot->data.se.slot_number,
- alg,
- hash, hash_length,
- signature, signature_length ) );
- }
- else
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+ /* Try any of the available accelerators first */
+ status = psa_driver_wrapper_verify_hash( slot,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED ||
+ psa_key_lifetime_is_external( slot->attr.lifetime ) )
+ return status;
+
#if defined(MBEDTLS_RSA_C)
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
@@ -6004,29 +5989,15 @@
if( status != PSA_SUCCESS )
goto exit;
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
- if( driver != NULL )
- {
- const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
- size_t pubkey_length = 0; /* We don't support this feature yet */
- if( drv->key_management == NULL ||
- drv->key_management->p_generate == NULL )
- {
- status = PSA_ERROR_NOT_SUPPORTED;
- goto exit;
- }
- status = drv->key_management->p_generate(
- psa_get_se_driver_context( driver ),
- slot->data.se.slot_number, attributes,
- NULL, 0, &pubkey_length );
- }
- else
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
- {
- status = psa_generate_key_internal(
- slot, attributes->core.bits,
- attributes->domain_parameters, attributes->domain_parameters_size );
- }
+ status = psa_driver_wrapper_generate_key( attributes,
+ slot );
+ if( status != PSA_ERROR_NOT_SUPPORTED ||
+ psa_key_lifetime_is_external( attributes->core.lifetime ) )
+ goto exit;
+
+ status = psa_generate_key_internal(
+ slot, attributes->core.bits,
+ attributes->domain_parameters, attributes->domain_parameters_size );
exit:
if( status == PSA_SUCCESS )
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 9a61bab..6ee17fc 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -161,4 +161,16 @@
const uint8_t *data,
size_t data_length );
+
+/** Convert an mbed TLS error code to a PSA error code
+ *
+ * \note This function is provided solely for the convenience of
+ * Mbed TLS and may be removed at any time without notice.
+ *
+ * \param ret An mbed TLS-thrown error code
+ *
+ * \return The corresponding PSA error code
+ */
+psa_status_t mbedtls_to_psa_error( int ret );
+
#endif /* PSA_CRYPTO_CORE_H */
diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c
new file mode 100644
index 0000000..cc51e24
--- /dev/null
+++ b/library/psa_crypto_driver_wrappers.c
@@ -0,0 +1,373 @@
+/*
+ * Functions to delegate cryptographic operations to an available
+ * and appropriate accelerator.
+ * Warning: This file will be auto-generated in the future.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "psa_crypto_core.h"
+#include "psa_crypto_driver_wrappers.h"
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+
+/* Include test driver definition when running tests */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#ifndef PSA_CRYPTO_DRIVER_PRESENT
+#define PSA_CRYPTO_DRIVER_PRESENT
+#endif
+#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#endif
+#include "test/drivers/test_driver.h"
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+/* Repeat above block for each JSON-declared driver during autogeneration */
+
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
+
+/* Support the 'old' SE interface when asked to */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/* PSA_CRYPTO_DRIVER_PRESENT is defined when either a new-style or old-style
+ * SE driver is present, to avoid unused argument errors at compile time. */
+#ifndef PSA_CRYPTO_DRIVER_PRESENT
+#define PSA_CRYPTO_DRIVER_PRESENT
+#endif
+#include "psa_crypto_se.h"
+#endif
+
+/* Start delegation functions */
+psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length )
+{
+#if defined(PSA_CRYPTO_DRIVER_PRESENT)
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
+ {
+ if( drv->asymmetric == NULL ||
+ drv->asymmetric->p_sign == NULL )
+ {
+ /* Key is defined in SE, but we have no way to exercise it */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+ return( drv->asymmetric->p_sign( drv_context,
+ slot->data.se.slot_number,
+ alg,
+ hash, hash_length,
+ signature, signature_size,
+ signature_length ) );
+ }
+#endif /* PSA_CRYPTO_SE_C */
+
+ /* Then try accelerator API */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
+ psa_key_attributes_t attributes = {
+ .core = slot->attr
+ };
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = test_transparent_signature_sign_hash( &attributes,
+ slot->data.key.data,
+ slot->data.key.bytes,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+ /* Fell through, meaning no accelerator supports this operation */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+ return( test_opaque_signature_sign_hash( &attributes,
+ slot->data.key.data,
+ slot->data.key.bytes,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ return( status );
+ }
+#else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+ (void)slot;
+ (void)alg;
+ (void)hash;
+ (void)hash_length;
+ (void)signature;
+ (void)signature_size;
+ (void)signature_length;
+
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length )
+{
+#if defined(PSA_CRYPTO_DRIVER_PRESENT)
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
+ {
+ if( drv->asymmetric == NULL ||
+ drv->asymmetric->p_verify == NULL )
+ {
+ /* Key is defined in SE, but we have no way to exercise it */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+ return( drv->asymmetric->p_verify( drv_context,
+ slot->data.se.slot_number,
+ alg,
+ hash, hash_length,
+ signature, signature_length ) );
+ }
+#endif /* PSA_CRYPTO_SE_C */
+
+ /* Then try accelerator API */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
+ psa_key_attributes_t attributes = {
+ .core = slot->attr
+ };
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = test_transparent_signature_verify_hash( &attributes,
+ slot->data.key.data,
+ slot->data.key.bytes,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+ /* Fell through, meaning no accelerator supports this operation */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+ return( test_opaque_signature_verify_hash( &attributes,
+ slot->data.key.data,
+ slot->data.key.bytes,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ return( status );
+ }
+#else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+ (void)slot;
+ (void)alg;
+ (void)hash;
+ (void)hash_length;
+ (void)signature;
+ (void)signature_length;
+
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+/** Calculate the size to allocate for buffering a key with given attributes.
+ *
+ * This function provides a way to get the expected size for storing a key with
+ * the given attributes. This will be the size of the export representation for
+ * cleartext keys, and a driver-defined size for keys stored by opaque drivers.
+ *
+ * \param[in] attributes The key attribute structure of the key to store.
+ * \param[out] expected_size On success, a byte size large enough to contain
+ * the declared key.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ */
+static psa_status_t get_expected_key_size( const psa_key_attributes_t *attributes,
+ size_t *expected_size )
+{
+ size_t buffer_size = 0;
+ if( PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ) == PSA_KEY_LOCATION_LOCAL_STORAGE )
+ {
+ buffer_size = PSA_KEY_EXPORT_MAX_SIZE( attributes->core.type,
+ attributes->core.bits );
+
+ if( buffer_size == 0 )
+ return( PSA_ERROR_NOT_SUPPORTED );
+
+ *expected_size = buffer_size;
+ return( PSA_SUCCESS );
+ }
+ else
+ {
+ /* TBD: opaque driver support: need to calculate size through a
+ * driver-defined size function, since the size of an opaque (wrapped)
+ * key will be different for each implementation. */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+}
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+
+psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes,
+ psa_key_slot_t *slot )
+{
+#if defined(PSA_CRYPTO_DRIVER_PRESENT)
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
+ {
+ size_t pubkey_length = 0; /* We don't support this feature yet */
+ if( drv->key_management == NULL ||
+ drv->key_management->p_generate == NULL )
+ {
+ /* Key is defined as being in SE, but we have no way to generate it */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+ return( drv->key_management->p_generate(
+ drv_context,
+ slot->data.se.slot_number, attributes,
+ NULL, 0, &pubkey_length ) );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ /* Then try accelerator API */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
+ size_t export_size = 0;
+
+ status = get_expected_key_size( attributes, &export_size );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ slot->data.key.data = mbedtls_calloc(1, export_size);
+ if( slot->data.key.data == NULL )
+ return( PSA_ERROR_INSUFFICIENT_MEMORY );
+ slot->data.key.bytes = export_size;
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+ /* Transparent drivers are limited to generating asymmetric keys */
+ if( ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
+ {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ break;
+ }
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = test_transparent_generate_key( attributes,
+ slot->data.key.data,
+ slot->data.key.bytes,
+ &slot->data.key.bytes );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ break;
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+ /* Fell through, meaning no accelerator supports this operation */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ break;
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
+ status = test_opaque_generate_key( attributes,
+ slot->data.key.data,
+ slot->data.key.bytes,
+ &slot->data.key.bytes );
+ break;
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ break;
+ }
+
+ if( status != PSA_SUCCESS )
+ {
+ /* free allocated buffer */
+ mbedtls_free( slot->data.key.data );
+ slot->data.key.data = NULL;
+ slot->data.key.bytes = 0;
+ }
+
+ return( status );
+#else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#else /* PSA_CRYPTO_DRIVER_PRESENT */
+ (void) attributes;
+ (void) slot;
+
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* PSA_CRYPTO_DRIVER_PRESENT */
+}
+
+/* End of automatically generated file. */
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
new file mode 100644
index 0000000..4299379
--- /dev/null
+++ b/library/psa_crypto_driver_wrappers.h
@@ -0,0 +1,48 @@
+/*
+ * Function signatures for functionality that can be provided by
+ * cryptographic accelerators.
+ * Warning: This file will be auto-generated in the future.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_WRAPPERS_H
+#define PSA_CRYPTO_DRIVER_WRAPPERS_H
+
+#include "psa/crypto.h"
+#include "psa/crypto_driver_common.h"
+
+psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length );
+
+psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length );
+
+psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes,
+ psa_key_slot_t *slot );
+
+#endif /* PSA_CRYPTO_DRIVER_WRAPPERS_H */
+
+/* End of automatically generated file. */
diff --git a/library/ripemd160.c b/library/ripemd160.c
index 830f61b..603b6ba 100644
--- a/library/ripemd160.c
+++ b/library/ripemd160.c
@@ -478,8 +478,7 @@
{ "abcdefghijklmnopqrstuvwxyz" },
{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
- { "12345678901234567890123456789012345678901234567890123456789012"
- "345678901234567890" },
+ { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" },
};
static const size_t ripemd160_test_strlen[TESTS] =
diff --git a/library/rsa.c b/library/rsa.c
index accc5b2..84d87de 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -776,6 +776,9 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret, count = 0;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init( &R );
if( ctx->Vf.p != NULL )
{
@@ -791,18 +794,41 @@
/* Unblinding value: Vf = random number, invertible mod N */
do {
if( count++ > 10 )
- return( MBEDTLS_ERR_RSA_RNG_FAILED );
+ {
+ ret = MBEDTLS_ERR_RSA_RNG_FAILED;
+ goto cleanup;
+ }
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
- } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
- /* Blinding value: Vi = Vf^(-e) mod N */
- MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
+ /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+
+ /* At this point, Vi is invertible mod N if and only if both Vf and R
+ * are invertible mod N. If one of them isn't, we don't need to know
+ * which one, we just loop and choose new values for both of them.
+ * (Each iteration succeeds with overwhelming probability.) */
+ ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
+ if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ continue;
+ if( ret != 0 )
+ goto cleanup;
+
+ /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+ } while( 0 );
+
+ /* Blinding value: Vi = Vf^(-e) mod N
+ * (Vi already contains Vf^-1 at this point) */
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
cleanup:
+ mbedtls_mpi_free( &R );
+
return( ret );
}
diff --git a/library/sha512.c b/library/sha512.c
index 80219d4..e881198 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -516,8 +516,7 @@
static const unsigned char sha512_test_buf[3][113] =
{
{ "abc" },
- { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
- "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
+ { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
{ "" }
};
diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h
new file mode 100644
index 0000000..babbc27
--- /dev/null
+++ b/library/ssl_invasive.h
@@ -0,0 +1,100 @@
+/**
+ * \file ssl_invasive.h
+ *
+ * \brief SSL module: interfaces for invasive testing only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They SHOULD NOT be made available in library integrations except when
+ * building the library for testing.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_INVASIVE_H
+#define MBEDTLS_SSL_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/md.h"
+
+#if defined(MBEDTLS_TEST_HOOKS) && \
+ defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+/** \brief Compute the HMAC of variable-length data with constant flow.
+ *
+ * This function computes the HMAC of the concatenation of \p add_data and \p
+ * data, and does with a code flow and memory access pattern that does not
+ * depend on \p data_len_secret, but only on \p min_data_len and \p
+ * max_data_len. In particular, this function always reads exactly \p
+ * max_data_len bytes from \p data.
+ *
+ * \param ctx The HMAC context. It must have keys configured
+ * with mbedtls_md_hmac_starts() and use one of the
+ * following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
+ * It is reset using mbedtls_md_hmac_reset() after
+ * the computation is complete to prepare for the
+ * next computation.
+ * \param add_data The additional data prepended to \p data. This
+ * must point to a readable buffer of \p add_data_len
+ * bytes.
+ * \param add_data_len The length of \p add_data in bytes.
+ * \param data The data appended to \p add_data. This must point
+ * to a readable buffer of \p max_data_len bytes.
+ * \param data_len_secret The length of the data to process in \p data.
+ * This must be no less than \p min_data_len and no
+ * greater than \p max_data_len.
+ * \param min_data_len The minimal length of \p data in bytes.
+ * \param max_data_len The maximal length of \p data in bytes.
+ * \param output The HMAC will be written here. This must point to
+ * a writable buffer of sufficient size to hold the
+ * HMAC value.
+ *
+ * \retval 0
+ * Success.
+ * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
+ * The hardware accelerator failed.
+ */
+int mbedtls_ssl_cf_hmac(
+ mbedtls_md_context_t *ctx,
+ const unsigned char *add_data, size_t add_data_len,
+ const unsigned char *data, size_t data_len_secret,
+ size_t min_data_len, size_t max_data_len,
+ unsigned char *output );
+
+/** \brief Copy data from a secret position with constant flow.
+ *
+ * This function copies \p len bytes from \p src_base + \p offset_secret to \p
+ * dst, with a code flow and memory access pattern that does not depend on \p
+ * offset_secret, but only on \p offset_min, \p offset_max and \p len.
+ *
+ * \param dst The destination buffer. This must point to a writable
+ * buffer of at least \p len bytes.
+ * \param src_base The base of the source buffer. This must point to a
+ * readable buffer of at least \p offset_max + \p len
+ * bytes.
+ * \param offset_secret The offset in the source buffer from which to copy.
+ * This must be no less than \p offset_min and no greater
+ * than \p offset_max.
+ * \param offset_min The minimal value of \p offset_secret.
+ * \param offset_max The maximal value of \p offset_secret.
+ * \param len The number of bytes to copy.
+ */
+void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst,
+ const unsigned char *src_base,
+ size_t offset_secret,
+ size_t offset_min, size_t offset_max,
+ size_t len );
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+
+#endif /* MBEDTLS_SSL_INVASIVE_H */
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 650bdc3..2ea3580 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -45,6 +45,8 @@
#include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
+#include "ssl_invasive.h"
+
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -310,27 +312,6 @@
int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
-/* The function below is only used in the Lucky 13 counter-measure in
- * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */
-#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \
- ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_2) )
-/* This function makes sure every byte in the memory region is accessed
- * (in ascending addresses order) */
-static void ssl_read_memory( unsigned char *p, size_t len )
-{
- unsigned char acc = 0;
- volatile unsigned char force;
-
- for( ; len != 0; p++, len-- )
- acc ^= *p;
-
- force = acc;
- (void) force;
-}
-#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
-
/*
* Encryption/decryption functions
*/
@@ -607,10 +588,7 @@
/* The PRNG is used for dynamic IV generation that's used
* for CBC transformations in TLS 1.1 and TLS 1.2. */
-#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || \
- defined(MBEDTLS_ARIA_C) || \
- defined(MBEDTLS_CAMELLIA_C) ) && \
+#if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
((void) f_rng);
((void) p_rng);
@@ -908,8 +886,7 @@
}
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
-#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
if( mode == MBEDTLS_MODE_CBC )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -1048,8 +1025,7 @@
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
}
else
-#endif /* MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -1067,6 +1043,156 @@
return( 0 );
}
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+/*
+ * Constant-flow conditional memcpy:
+ * - if c1 == c2, equivalent to memcpy(dst, src, len),
+ * - otherwise, a no-op,
+ * but with execution flow independent of the values of c1 and c2.
+ *
+ * Use only bit operations to avoid branches that could be used by some
+ * compilers on some platforms to translate comparison operators.
+ */
+static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst,
+ const unsigned char *src,
+ size_t len,
+ size_t c1, size_t c2 )
+{
+ /* diff = 0 if c1 == c2, non-zero otherwise */
+ const size_t diff = c1 ^ c2;
+
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ /* diff_msb's most significant bit is equal to c1 != c2 */
+ const size_t diff_msb = ( diff | -diff );
+
+ /* diff1 = c1 != c2 */
+ const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
+
+ /* mask = c1 != c2 ? 0xff : 0x00 */
+ const unsigned char mask = (unsigned char) -diff1;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ /* dst[i] = c1 != c2 ? dst[i] : src[i] */
+ for( size_t i = 0; i < len; i++ )
+ dst[i] = ( dst[i] & mask ) | ( src[i] & ~mask );
+}
+
+/*
+ * Compute HMAC of variable-length data with constant flow.
+ *
+ * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
+ * (Otherwise, computation of block_size needs to be adapted.)
+ */
+MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
+ mbedtls_md_context_t *ctx,
+ const unsigned char *add_data, size_t add_data_len,
+ const unsigned char *data, size_t data_len_secret,
+ size_t min_data_len, size_t max_data_len,
+ unsigned char *output )
+{
+ /*
+ * This function breaks the HMAC abstraction and uses the md_clone()
+ * extension to the MD API in order to get constant-flow behaviour.
+ *
+ * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
+ * concatenation, and okey/ikey are the XOR of the key with some fixed bit
+ * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
+ *
+ * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
+ * minlen, then cloning the context, and for each byte up to maxlen
+ * finishing up the hash computation, keeping only the correct result.
+ *
+ * Then we only need to compute HASH(okey + inner_hash) and we're done.
+ */
+ const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
+ /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5,
+ * all of which have the same block size except SHA-384. */
+ const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
+ const unsigned char * const ikey = ctx->hmac_ctx;
+ const unsigned char * const okey = ikey + block_size;
+ const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
+
+ unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
+ mbedtls_md_context_t aux;
+ size_t offset;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_md_init( &aux );
+
+#define MD_CHK( func_call ) \
+ do { \
+ ret = (func_call); \
+ if( ret != 0 ) \
+ goto cleanup; \
+ } while( 0 )
+
+ MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
+
+ /* After hmac_start() of hmac_reset(), ikey has already been hashed,
+ * so we can start directly with the message */
+ MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
+ MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
+
+ /* For each possible length, compute the hash up to that point */
+ for( offset = min_data_len; offset <= max_data_len; offset++ )
+ {
+ MD_CHK( mbedtls_md_clone( &aux, ctx ) );
+ MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
+ /* Keep only the correct inner_hash in the output buffer */
+ mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size,
+ offset, data_len_secret );
+
+ if( offset < max_data_len )
+ MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
+ }
+
+ /* Now compute HASH(okey + inner_hash) */
+ MD_CHK( mbedtls_md_starts( ctx ) );
+ MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
+ MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
+ MD_CHK( mbedtls_md_finish( ctx, output ) );
+
+ /* Done, get ready for next time */
+ MD_CHK( mbedtls_md_hmac_reset( ctx ) );
+
+#undef MD_CHK
+
+cleanup:
+ mbedtls_md_free( &aux );
+ return( ret );
+}
+
+/*
+ * Constant-flow memcpy from variable position in buffer.
+ * - functionally equivalent to memcpy(dst, src + offset_secret, len)
+ * - but with execution flow independent from the value of offset_secret.
+ */
+MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset(
+ unsigned char *dst,
+ const unsigned char *src_base,
+ size_t offset_secret,
+ size_t offset_min, size_t offset_max,
+ size_t len )
+{
+ size_t offset;
+
+ for( offset = offset_min; offset <= offset_max; offset++ )
+ {
+ mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len,
+ offset, offset_secret );
+ }
+}
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+
int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec )
@@ -1237,8 +1363,7 @@
}
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
-#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
if( mode == MBEDTLS_MODE_CBC )
{
size_t minlen = 0;
@@ -1491,8 +1616,7 @@
rec->data_len -= padlen;
}
else
-#endif /* MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -1511,6 +1635,7 @@
if( auth_done == 0 )
{
unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+ unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
/* If the initial value of padlen was such that
* data_len < maclen + padlen + 1, then padlen
@@ -1537,6 +1662,7 @@
data, rec->data_len,
rec->ctr, rec->type,
mac_expect );
+ memcpy( mac_peer, data + rec->data_len, transform->maclen );
}
else
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
@@ -1545,40 +1671,8 @@
if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
{
/*
- * Process MAC and always update for padlen afterwards to make
- * total time independent of padlen.
- *
- * Known timing attacks:
- * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
- *
- * To compensate for different timings for the MAC calculation
- * depending on how much padding was removed (which is determined
- * by padlen), process extra_run more blocks through the hash
- * function.
- *
- * The formula in the paper is
- * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
- * where L1 is the size of the header plus the decrypted message
- * plus CBC padding and L2 is the size of the header plus the
- * decrypted message. This is for an underlying hash function
- * with 64-byte blocks.
- * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
- * correctly. We round down instead of up, so -56 is the correct
- * value for our calculations instead of -55.
- *
- * Repeat the formula rather than defining a block_size variable.
- * This avoids requiring division by a variable at runtime
- * (which would be marginally less efficient and would require
- * linking an extra division function in some builds).
- */
- size_t j, extra_run = 0;
- /* This size is enough to server either as input to
- * md_process() or as output to md_finish() */
- unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
-
- /*
* The next two sizes are the minimum and maximum values of
- * in_msglen over all padlen values.
+ * data_len over all padlen values.
*
* They're independent of padlen, since we previously did
* data_len -= padlen.
@@ -1589,64 +1683,20 @@
const size_t max_len = rec->data_len + padlen;
const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
- memset( tmp, 0, sizeof( tmp ) );
-
- switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) )
+ ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec,
+ add_data, add_data_len,
+ data, rec->data_len, min_len, max_len,
+ mac_expect );
+ if( ret != 0 )
{
-#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
- defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_MD5:
- case MBEDTLS_MD_SHA1:
- case MBEDTLS_MD_SHA256:
- /* 8 bytes of message size, 64-byte compression blocks */
- extra_run =
- ( add_data_len + rec->data_len + padlen + 8 ) / 64 -
- ( add_data_len + rec->data_len + 8 ) / 64;
- break;
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA384:
- /* 16 bytes of message size, 128-byte compression blocks */
- extra_run =
- ( add_data_len + rec->data_len + padlen + 16 ) / 128 -
- ( add_data_len + rec->data_len + 16 ) / 128;
- break;
-#endif
- default:
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret );
+ return( ret );
}
- extra_run &= correct * 0xFF;
-
- mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
- add_data_len );
- mbedtls_md_hmac_update( &transform->md_ctx_dec, data,
- rec->data_len );
- /* Make sure we access everything even when padlen > 0. This
- * makes the synchronisation requirements for just-in-time
- * Prime+Probe attacks much tighter and hopefully impractical. */
- ssl_read_memory( data + rec->data_len, padlen );
- mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
-
- /* Dummy calls to compression function.
- * Call mbedtls_md_process at least once due to cache attacks
- * that observe whether md_process() was called of not.
- * Respect the usual start-(process|update)-finish sequence for
- * the sake of hardware accelerators that might require it. */
- mbedtls_md_starts( &transform->md_ctx_dec );
- for( j = 0; j < extra_run + 1; j++ )
- mbedtls_md_process( &transform->md_ctx_dec, tmp );
- mbedtls_md_finish( &transform->md_ctx_dec, tmp );
-
- mbedtls_md_hmac_reset( &transform->md_ctx_dec );
-
- /* Make sure we access all the memory that could contain the MAC,
- * before we check it in the next code block. This makes the
- * synchronisation requirements for just-in-time Prime+Probe
- * attacks much tighter and hopefully impractical. */
- ssl_read_memory( data + min_len,
- max_len - min_len + transform->maclen );
+ mbedtls_ssl_cf_memcpy_offset( mac_peer, data,
+ rec->data_len,
+ min_len, max_len,
+ transform->maclen );
}
else
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@@ -1658,10 +1708,10 @@
#if defined(MBEDTLS_SSL_DEBUG_ALL)
MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
- MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen );
+ MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen );
#endif
- if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
+ if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
transform->maclen ) != 0 )
{
#if defined(MBEDTLS_SSL_DEBUG_ALL)
@@ -5579,6 +5629,10 @@
memcpy( buf, ssl->in_offt, n );
ssl->in_msglen -= n;
+ /* Zeroising the plaintext buffer to erase unused application data
+ from the memory. */
+ mbedtls_platform_zeroize( ssl->in_offt, n );
+
if( ssl->in_msglen == 0 )
{
/* all bytes consumed */
diff --git a/library/version_features.c b/library/version_features.c
index 73faee7..051fb19 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -435,6 +435,9 @@
#if defined(MBEDTLS_PKCS1_V21)
"MBEDTLS_PKCS1_V21",
#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+ "MBEDTLS_PSA_CRYPTO_DRIVERS",
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
"MBEDTLS_PSA_CRYPTO_SPM",
#endif /* MBEDTLS_PSA_CRYPTO_SPM */
@@ -555,6 +558,12 @@
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
"MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH",
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+ "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN",
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND)
+ "MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND",
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */
#if defined(MBEDTLS_TEST_HOOKS)
"MBEDTLS_TEST_HOOKS",
#endif /* MBEDTLS_TEST_HOOKS */
diff --git a/library/x509.c b/library/x509.c
index 1579c1a..2a7be32 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -154,7 +154,7 @@
return( MBEDTLS_ERR_X509_INVALID_ALG +
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
- p = (unsigned char *) alg->p;
+ p = alg->p;
end = p + alg->len;
if( p >= end )
diff --git a/library/x509_crl.c b/library/x509_crl.c
index fa5c0ff..edeb39b 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -253,13 +253,13 @@
size_t len2;
const unsigned char *end2;
+ cur_entry->raw.tag = **p;
if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
{
return( ret );
}
- cur_entry->raw.tag = **p;
cur_entry->raw.p = *p;
cur_entry->raw.len = len2;
end2 = *p + len2;
diff --git a/programs/Makefile b/programs/Makefile
index f9c2608..dfe0555 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -8,7 +8,7 @@
LDFLAGS ?=
MBEDTLS_TEST_PATH:=../tests/src
-MBEDTLS_TEST_OBJS:=$(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/*.c))
+MBEDTLS_TEST_OBJS:=$(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/*.c ${MBEDTLS_TEST_PATH}/drivers/*.c))
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../tests/include -I../include -D_FILE_OFFSET_BITS=64
LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -D_FILE_OFFSET_BITS=64
diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile
index 8196f39..fa17918 100644
--- a/programs/fuzz/Makefile
+++ b/programs/fuzz/Makefile
@@ -1,5 +1,5 @@
MBEDTLS_TEST_PATH:=../../tests/src
-MBEDTLS_TEST_OBJS:=$(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/*.c))
+MBEDTLS_TEST_OBJS:=$(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/*.c ${MBEDTLS_TEST_PATH}/drivers/*.c))
LOCAL_CFLAGS = -I../../tests/include -I../../include -D_FILE_OFFSET_BITS=64
LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \
diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c
index a76266f..67f1363 100644
--- a/programs/pkey/ecdh_curve25519.c
+++ b/programs/pkey/ecdh_curve25519.c
@@ -86,7 +86,7 @@
mbedtls_printf( " ok\n" );
/*
- * Client: inialize context and generate keypair
+ * Client: initialize context and generate keypair
*/
mbedtls_printf( " . Setting up client context..." );
fflush( stdout );
diff --git a/programs/test/query_config.c b/programs/test/query_config.c
index e20a65e..f64eb88 100644
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@@ -1216,6 +1216,14 @@
}
#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+ if( strcmp( "MBEDTLS_PSA_CRYPTO_DRIVERS", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_DRIVERS );
+ return( 0 );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
+
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
if( strcmp( "MBEDTLS_PSA_CRYPTO_SPM", config ) == 0 )
{
@@ -1536,6 +1544,22 @@
}
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+ if( strcmp( "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN );
+ return( 0 );
+ }
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
+
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND)
+ if( strcmp( "MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND );
+ return( 0 );
+ }
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */
+
#if defined(MBEDTLS_TEST_HOOKS)
if( strcmp( "MBEDTLS_TEST_HOOKS", config ) == 0 )
{
diff --git a/scripts/config.py b/scripts/config.py
index 00b61b3..703e6e9 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -192,6 +192,8 @@
'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS
'MBEDTLS_SHA512_NO_SHA384', # removes a feature
'MBEDTLS_SSL_HW_RECORD_ACCEL', # build dependency (hook functions)
+ 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
+ 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
'MBEDTLS_TEST_NULL_ENTROPY', # removes a feature
'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', # influences the use of X.509 in TLS
'MBEDTLS_ZLIB_SUPPORT', # build dependency (libz)
diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl
index 3d4baca..6c2b5e4 100755
--- a/scripts/generate_visualc_files.pl
+++ b/scripts/generate_visualc_files.pl
@@ -39,6 +39,7 @@
my $source_dir = 'library';
my $test_source_dir = 'tests/src';
my $test_header_dir = 'tests/include/test';
+my $test_drivers_header_dir = 'tests/include/test/drivers';
my @thirdparty_header_dirs = qw(
3rdparty/everest/include/everest
@@ -116,6 +117,7 @@
&& -d $source_dir
&& -d $test_source_dir
&& -d $test_header_dir
+ && -d $test_drivers_header_dir
&& -d $programs_dir;
}
@@ -262,6 +264,7 @@
$mbedtls_header_dir,
$psa_header_dir,
$test_header_dir,
+ $test_drivers_header_dir,
$source_dir,
@thirdparty_header_dirs,
);
diff --git a/tests/.gitignore b/tests/.gitignore
index d49611c..d9f4b51 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -11,4 +11,5 @@
include/test/instrument_record_status.h
src/*.o
+src/drivers/*.o
src/libmbed*
diff --git a/tests/Makefile b/tests/Makefile
index ffa4812..511db9d 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -80,7 +80,7 @@
$(MBEDLIBS):
$(MAKE) -C ../library
-MBEDTLS_TEST_OBJS=$(patsubst %.c,%.o,$(wildcard src/*.c))
+MBEDTLS_TEST_OBJS=$(patsubst %.c,%.o,$(wildcard src/*.c src/drivers/*.c))
mbedtls_test: $(MBEDTLS_TEST_OBJS)
@@ -89,6 +89,10 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $<
+src/drivers/%.o : src/drivers/%.c
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $<
+
C_FILES := $(addsuffix .c,$(APPS))
# Wildcard target for test code generation:
@@ -130,12 +134,13 @@
clean:
ifndef WINDOWS
rm -rf $(BINARIES) *.c *.datax TESTS
- rm -f src/*.o src/libmbed*
+ rm -f src/*.o src/drivers/*.o src/libmbed*
else
if exist *.c del /Q /F *.c
if exist *.exe del /Q /F *.exe
if exist *.datax del /Q /F *.datax
if exist src/*.o del /Q /F src/*.o
+ if exist src/drivers/*.o del /Q /F src/drivers/*.o
if exist src/libmbed* del /Q /F src/libmed*
ifneq ($(wildcard TESTS/.*),)
rmdir /Q /S TESTS
diff --git a/tests/include/test/constant_flow.h b/tests/include/test/constant_flow.h
new file mode 100644
index 0000000..af64011
--- /dev/null
+++ b/tests/include/test/constant_flow.h
@@ -0,0 +1,81 @@
+/**
+ * \file constant_flow.h
+ *
+ * \brief This file contains tools to ensure tested code has constant flow.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef TEST_CONSTANT_FLOW_H
+#define TEST_CONSTANT_FLOW_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/*
+ * This file defines the two macros
+ *
+ * #define TEST_CF_SECRET(ptr, size)
+ * #define TEST_CF_PUBLIC(ptr, size)
+ *
+ * that can be used in tests to mark a memory area as secret (no branch or
+ * memory access should depend on it) or public (default, only needs to be
+ * marked explicitly when it was derived from secret data).
+ *
+ * Arguments:
+ * - ptr: a pointer to the memory area to be marked
+ * - size: the size in bytes of the memory area
+ *
+ * Implementation:
+ * The basic idea is that of ctgrind <https://github.com/agl/ctgrind>: we can
+ * re-use tools that were designed for checking use of uninitialized memory.
+ * This file contains two implementations: one based on MemorySanitizer, the
+ * other on valgrind's memcheck. If none of them is enabled, dummy macros that
+ * do nothing are defined for convenience.
+ */
+
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+#include <sanitizer/msan_interface.h>
+
+/* Use macros to avoid messing up with origin tracking */
+#define TEST_CF_SECRET __msan_allocated_memory
+// void __msan_allocated_memory(const volatile void* data, size_t size);
+#define TEST_CF_PUBLIC __msan_unpoison
+// void __msan_unpoison(const volatile void *a, size_t size);
+
+#elif defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND)
+#include <valgrind/memcheck.h>
+
+#define TEST_CF_SECRET VALGRIND_MAKE_MEM_UNDEFINED
+// VALGRIND_MAKE_MEM_UNDEFINED(_qzz_addr, _qzz_len)
+#define TEST_CF_PUBLIC VALGRIND_MAKE_MEM_DEFINED
+// VALGRIND_MAKE_MEM_DEFINED(_qzz_addr, _qzz_len)
+
+#else /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN ||
+ MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */
+
+#define TEST_CF_SECRET(ptr, size)
+#define TEST_CF_PUBLIC(ptr, size)
+
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN ||
+ MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */
+
+#endif /* TEST_CONSTANT_FLOW_H */
diff --git a/tests/include/test/drivers/keygen.h b/tests/include/test/drivers/keygen.h
new file mode 100644
index 0000000..b72c65c
--- /dev/null
+++ b/tests/include/test/drivers/keygen.h
@@ -0,0 +1,61 @@
+/*
+ * Test driver for generating keys.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_TEST_DRIVERS_KEYGEN_H
+#define PSA_CRYPTO_TEST_DRIVERS_KEYGEN_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#include <psa/crypto_driver_common.h>
+
+typedef struct {
+ /* If non-null, on success, copy this to the output. */
+ void *forced_output;
+ size_t forced_output_length;
+ /* If not PSA_SUCCESS, return this error code instead of processing the
+ * function call. */
+ psa_status_t forced_status;
+ /* Count the amount of times one of the keygen driver functions is called. */
+ unsigned long hits;
+} test_driver_keygen_hooks_t;
+
+#define TEST_DRIVER_KEYGEN_INIT { NULL, 0, PSA_ERROR_NOT_SUPPORTED, 0 }
+static inline test_driver_keygen_hooks_t test_driver_keygen_hooks_init( void )
+{
+ const test_driver_keygen_hooks_t v = TEST_DRIVER_KEYGEN_INIT;
+ return( v );
+}
+
+extern test_driver_keygen_hooks_t test_driver_keygen_hooks;
+
+psa_status_t test_transparent_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key, size_t key_size, size_t *key_length );
+
+psa_status_t test_opaque_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key, size_t key_size, size_t *key_length );
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_TEST_DRIVERS_KEYGEN_H */
diff --git a/tests/include/test/drivers/signature.h b/tests/include/test/drivers/signature.h
new file mode 100644
index 0000000..e41892e
--- /dev/null
+++ b/tests/include/test/drivers/signature.h
@@ -0,0 +1,82 @@
+/*
+ * Test driver for signature functions.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_TEST_DRIVERS_SIGNATURE_H
+#define PSA_CRYPTO_TEST_DRIVERS_SIGNATURE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#include <psa/crypto_driver_common.h>
+
+typedef struct {
+ /* If non-null, on success, copy this to the output. */
+ void *forced_output;
+ size_t forced_output_length;
+ /* If not PSA_SUCCESS, return this error code instead of processing the
+ * function call. */
+ psa_status_t forced_status;
+ /* Count the amount of times one of the keygen driver functions is called. */
+ unsigned long hits;
+} test_driver_signature_hooks_t;
+
+#define TEST_DRIVER_SIGNATURE_INIT { NULL, 0, PSA_ERROR_NOT_SUPPORTED, 0 }
+static inline test_driver_signature_hooks_t test_driver_signature_hooks_init( void )
+{
+ const test_driver_signature_hooks_t v = TEST_DRIVER_SIGNATURE_INIT;
+ return( v );
+}
+
+extern test_driver_signature_hooks_t test_driver_signature_sign_hooks;
+extern test_driver_signature_hooks_t test_driver_signature_verify_hooks;
+
+psa_status_t test_transparent_signature_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key, size_t key_length,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length );
+
+psa_status_t test_opaque_signature_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key, size_t key_length,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length );
+
+psa_status_t test_transparent_signature_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key, size_t key_length,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length );
+
+psa_status_t test_opaque_signature_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key, size_t key_length,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length );
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_TEST_DRIVERS_SIGNATURE_H */
diff --git a/tests/include/test/drivers/test_driver.h b/tests/include/test/drivers/test_driver.h
new file mode 100644
index 0000000..75135e0
--- /dev/null
+++ b/tests/include/test/drivers/test_driver.h
@@ -0,0 +1,28 @@
+/*
+ * Umbrella include for all of the test driver functionality
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_TEST_DRIVER_H
+#define PSA_CRYPTO_TEST_DRIVER_H
+
+#define PSA_CRYPTO_TEST_DRIVER_LIFETIME 0x7fffff
+
+#include "test/drivers/signature.h"
+#include "test/drivers/keygen.h"
+
+#endif /* PSA_CRYPTO_TEST_DRIVER_H */
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 533fa2c..578d03e 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1091,6 +1091,46 @@
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
+component_test_memsan_constant_flow () {
+ # This tests both (1) accesses to undefined memory, and (2) branches or
+ # memory access depending on secret values. To distinguish between those:
+ # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
+ # - or alternatively, change the build type to MemSanDbg, which enables
+ # origin tracking and nicer stack traces (which are useful for debugging
+ # anyway), and check if the origin was TEST_CF_SECRET() or something else.
+ msg "build: cmake MSan (clang), full config with constant flow testing"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+ scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
+ CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
+ make
+
+ msg "test: main suites (Msan + constant flow)"
+ make test
+}
+
+component_test_valgrind_constant_flow () {
+ # This tests both (1) everything that valgrind's memcheck usually checks
+ # (heap buffer overflows, use of uninitialized memory, use-after-free,
+ # etc.) and (2) branches or memory access depending on secret values,
+ # which will be reported as uninitialized memory. To distinguish between
+ # secret and actually uninitialized:
+ # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
+ # - or alternatively, build with debug info and manually run the offending
+ # test suite with valgrind --track-origins=yes, then check if the origin
+ # was TEST_CF_SECRET() or something else.
+ msg "build: cmake release GCC, full config with constant flow testing"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+ cmake -D CMAKE_BUILD_TYPE:String=Release .
+ make
+
+ # this only shows a summary of the results (how many of each type)
+ # details are left in Testing/<date>/DynamicAnalysis.xml
+ msg "test: main suites (valgrind + constant flow)"
+ make memcheck
+}
+
component_test_default_no_deprecated () {
# Test that removing the deprecated features from the default
# configuration leaves something consistent.
@@ -1177,16 +1217,34 @@
record_status tests/scripts/curves.pl
}
+component_test_depends_curves_psa () {
+ msg "test/build: curves.pl with MBEDTLS_USE_PSA_CRYPTO defined (gcc)"
+ scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ record_status tests/scripts/curves.pl
+}
+
component_test_depends_hashes () {
msg "test/build: depends-hashes.pl (gcc)" # ~ 2 min
record_status tests/scripts/depends-hashes.pl
}
+component_test_depends_hashes_psa () {
+ msg "test/build: depends-hashes.pl with MBEDTLS_USE_PSA_CRYPTO defined (gcc)"
+ scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ record_status tests/scripts/depends-hashes.pl
+}
+
component_test_depends_pkalgs () {
msg "test/build: depends-pkalgs.pl (gcc)" # ~ 2 min
record_status tests/scripts/depends-pkalgs.pl
}
+component_test_depends_pkalgs_psa () {
+ msg "test/build: depends-pkalgs.pl with MBEDTLS_USE_PSA_CRYPTO defined (gcc)"
+ scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ record_status tests/scripts/depends-pkalgs.pl
+}
+
component_build_key_exchanges () {
msg "test/build: key-exchanges (gcc)" # ~ 1 min
record_status tests/scripts/key-exchanges.pl
@@ -1616,6 +1674,16 @@
make test
}
+component_test_psa_crypto_drivers () {
+ msg "build: MBEDTLS_PSA_CRYPTO_DRIVERS w/ driver hooks"
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: MBEDTLS_PSA_CRYPTO_DRIVERS, signature"
+ make test
+}
+
component_test_make_shared () {
msg "build/test: make shared" # ~ 40s
make SHARED=1 all check
@@ -1787,7 +1855,7 @@
component_build_arm_none_eabi_gcc () {
msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1" # ~ 10s
scripts/config.py baremetal
- make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-Werror -Wall -Wextra -O1' lib
+ make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -O1' lib
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1"
${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
@@ -1801,7 +1869,7 @@
# See https://github.com/ARMmbed/mbedtls/pull/2169 and comments.
# It would be better to build with arm-linux-gnueabi-gcc but
# we don't have that on our CI at this time.
- make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib
+ make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-std=c99 -Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1"
${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
@@ -1810,7 +1878,7 @@
component_build_arm_none_eabi_gcc_m0plus () {
msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus" # ~ 10s
scripts/config.py baremetal
- make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib
+ make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib
msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os"
${ARM_NONE_EABI_GCC_PREFIX}size library/*.o
@@ -1820,7 +1888,7 @@
msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
scripts/config.py baremetal
scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
- make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-Werror -Wall -Wextra' lib
+ make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib
echo "Checking that software 64-bit division is not required"
if_build_succeeded not grep __aeabi_uldiv library/*.o
}
@@ -1829,7 +1897,7 @@
msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s
scripts/config.py baremetal
scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
- make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-Werror -O1 -march=armv6-m -mthumb' lib
+ make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib
echo "Checking that software 64-bit multiplication is not required"
if_build_succeeded not grep __aeabi_lmul library/*.o
}
diff --git a/tests/scripts/check-names.sh b/tests/scripts/check-names.sh
index 3e6c0f8..6c9195b 100755
--- a/tests/scripts/check-names.sh
+++ b/tests/scripts/check-names.sh
@@ -96,6 +96,7 @@
printf "Likely typos: "
sort -u actual-macros enum-consts > _caps
HEADERS=$( ls include/mbedtls/*.h include/psa/*.h | egrep -v 'compat-1\.3\.h' )
+HEADERS="$HEADERS library/*.h"
HEADERS="$HEADERS 3rdparty/everest/include/everest/everest.h 3rdparty/everest/include/everest/x25519.h"
LIBRARY="$( ls library/*.c )"
LIBRARY="$LIBRARY 3rdparty/everest/library/everest.c 3rdparty/everest/library/x25519.c"
diff --git a/tests/scripts/list-macros.sh b/tests/scripts/list-macros.sh
index 2be39d2..15d2590 100755
--- a/tests/scripts/list-macros.sh
+++ b/tests/scripts/list-macros.sh
@@ -23,6 +23,7 @@
fi
HEADERS=$( ls include/mbedtls/*.h include/psa/*.h | egrep -v 'compat-1\.3\.h' )
+HEADERS="$HEADERS library/*.h"
HEADERS="$HEADERS 3rdparty/everest/include/everest/everest.h 3rdparty/everest/include/everest/x25519.h"
sed -n -e 's/.*#define \([a-zA-Z0-9_]*\).*/\1/p' $HEADERS \
diff --git a/tests/src/drivers/keygen.c b/tests/src/drivers/keygen.c
new file mode 100644
index 0000000..f15a4bc
--- /dev/null
+++ b/tests/src/drivers/keygen.c
@@ -0,0 +1,125 @@
+/*
+ * Test driver for generating keys.
+ * Currently only supports generating ECC keys.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST)
+#include "psa/crypto.h"
+#include "psa_crypto_core.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/error.h"
+
+#include "test/drivers/keygen.h"
+
+#include "test/random.h"
+
+#include <string.h>
+
+test_driver_keygen_hooks_t test_driver_keygen_hooks = TEST_DRIVER_KEYGEN_INIT;
+
+psa_status_t test_transparent_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key, size_t key_size, size_t *key_length )
+{
+ ++test_driver_keygen_hooks.hits;
+
+ if( test_driver_keygen_hooks.forced_status != PSA_SUCCESS )
+ return( test_driver_keygen_hooks.forced_status );
+
+ if( test_driver_keygen_hooks.forced_output != NULL )
+ {
+ if( test_driver_keygen_hooks.forced_output_length > key_size )
+ return( PSA_ERROR_BUFFER_TOO_SMALL );
+ memcpy( key, test_driver_keygen_hooks.forced_output,
+ test_driver_keygen_hooks.forced_output_length );
+ *key_length = test_driver_keygen_hooks.forced_output_length;
+ return( PSA_SUCCESS );
+ }
+
+ /* Copied from psa_crypto.c */
+#if defined(MBEDTLS_ECP_C)
+ if ( PSA_KEY_TYPE_IS_ECC( psa_get_key_type( attributes ) )
+ && PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) )
+ {
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( psa_get_key_type( attributes ) );
+ mbedtls_ecp_group_id grp_id =
+ mbedtls_ecc_group_of_psa( curve, PSA_BITS_TO_BYTES( psa_get_key_bits( attributes ) ) );
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id( grp_id );
+ mbedtls_ecp_keypair ecp;
+ mbedtls_test_rnd_pseudo_info rnd_info;
+ memset( &rnd_info, 0x5A, sizeof( mbedtls_test_rnd_pseudo_info ) );
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if( attributes->domain_parameters_size != 0 )
+ return( PSA_ERROR_NOT_SUPPORTED );
+ if( grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL )
+ return( PSA_ERROR_NOT_SUPPORTED );
+ if( curve_info->bit_size != psa_get_key_bits( attributes ) )
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ mbedtls_ecp_keypair_init( &ecp );
+ ret = mbedtls_ecp_gen_key( grp_id, &ecp,
+ &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info );
+ if( ret != 0 )
+ {
+ mbedtls_ecp_keypair_free( &ecp );
+ return( mbedtls_to_psa_error( ret ) );
+ }
+
+ /* Make sure to use export representation */
+ size_t bytes = PSA_BITS_TO_BYTES( psa_get_key_bits( attributes ) );
+ if( key_size < bytes )
+ {
+ mbedtls_ecp_keypair_free( &ecp );
+ return( PSA_ERROR_BUFFER_TOO_SMALL );
+ }
+ psa_status_t status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary( &ecp.d, key, bytes ) );
+
+ if( status == PSA_SUCCESS )
+ {
+ *key_length = bytes;
+ }
+
+ mbedtls_ecp_keypair_free( &ecp );
+ return( status );
+ }
+ else
+#endif /* MBEDTLS_ECP_C */
+ return( PSA_ERROR_NOT_SUPPORTED );
+}
+
+psa_status_t test_opaque_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key, size_t key_size, size_t *key_length )
+{
+ (void) attributes;
+ (void) key;
+ (void) key_size;
+ (void) key_length;
+ return( PSA_ERROR_NOT_SUPPORTED );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */
diff --git a/tests/src/drivers/signature.c b/tests/src/drivers/signature.c
new file mode 100644
index 0000000..028d24a
--- /dev/null
+++ b/tests/src/drivers/signature.c
@@ -0,0 +1,289 @@
+/*
+ * Test driver for signature functions.
+ * Currently supports signing and verifying precalculated hashes, using
+ * only deterministic ECDSA on curves secp256r1, secp384r1 and secp521r1.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST)
+#include "psa/crypto.h"
+#include "psa_crypto_core.h"
+#include "mbedtls/ecp.h"
+
+#include "test/drivers/signature.h"
+
+#include "mbedtls/md.h"
+#include "mbedtls/ecdsa.h"
+
+#include "test/random.h"
+
+#include <string.h>
+
+test_driver_signature_hooks_t test_driver_signature_sign_hooks = TEST_DRIVER_SIGNATURE_INIT;
+test_driver_signature_hooks_t test_driver_signature_verify_hooks = TEST_DRIVER_SIGNATURE_INIT;
+
+psa_status_t test_transparent_signature_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key, size_t key_length,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length )
+{
+ ++test_driver_signature_sign_hooks.hits;
+
+ if( test_driver_signature_sign_hooks.forced_status != PSA_SUCCESS )
+ return( test_driver_signature_sign_hooks.forced_status );
+
+ if( test_driver_signature_sign_hooks.forced_output != NULL )
+ {
+ if( test_driver_signature_sign_hooks.forced_output_length > signature_size )
+ return( PSA_ERROR_BUFFER_TOO_SMALL );
+ memcpy( signature, test_driver_signature_sign_hooks.forced_output,
+ test_driver_signature_sign_hooks.forced_output_length );
+ *signature_length = test_driver_signature_sign_hooks.forced_output_length;
+ return( PSA_SUCCESS );
+ }
+
+ psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) && \
+ defined(MBEDTLS_SHA256_C)
+ if( alg != PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ) )
+ return( PSA_ERROR_NOT_SUPPORTED );
+ mbedtls_ecp_group_id grp_id;
+ switch( psa_get_key_type( attributes ) )
+ {
+ case PSA_ECC_CURVE_SECP_R1:
+ switch( psa_get_key_bits( attributes ) )
+ {
+ case 256:
+ grp_id = MBEDTLS_ECP_DP_SECP256R1;
+ break;
+ case 384:
+ grp_id = MBEDTLS_ECP_DP_SECP384R1;
+ break;
+ case 521:
+ grp_id = MBEDTLS_ECP_DP_SECP521R1;
+ break;
+ default:
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+ break;
+ default:
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+
+ /* Beyond this point, the driver is actually doing the work of
+ * calculating the signature. */
+
+ status = PSA_ERROR_GENERIC_ERROR;
+ int ret = 0;
+ mbedtls_mpi r, s;
+ mbedtls_mpi_init( &r );
+ mbedtls_mpi_init( &s );
+ mbedtls_ecp_keypair ecp;
+ mbedtls_ecp_keypair_init( &ecp );
+ size_t curve_bytes = PSA_BITS_TO_BYTES( ecp.grp.pbits );
+
+ MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ecp.grp, grp_id ) );
+ MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ecp.grp, &ecp.Q,
+ key, key_length ) );
+
+ /* Code adapted from psa_ecdsa_sign() in psa_crypto.c. */
+ mbedtls_md_type_t md_alg = MBEDTLS_MD_SHA256;
+ if( signature_size < 2 * curve_bytes )
+ {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det( &ecp.grp, &r, &s, &ecp.d,
+ hash, hash_length, md_alg ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &r,
+ signature,
+ curve_bytes ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &s,
+ signature + curve_bytes,
+ curve_bytes ) );
+cleanup:
+ status = mbedtls_to_psa_error( ret );
+ mbedtls_mpi_free( &r );
+ mbedtls_mpi_free( &s );
+ mbedtls_ecp_keypair_free( &ecp );
+ if( status == PSA_SUCCESS )
+ *signature_length = 2 * curve_bytes;
+#else /* defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) && \
+ defined(MBEDTLS_SHA256_C) */
+ (void) attributes;
+ (void) key;
+ (void) key_length;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+#endif /* defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) && \
+ defined(MBEDTLS_SHA256_C) */
+
+ return( status );
+}
+
+psa_status_t test_opaque_signature_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key, size_t key_length,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length )
+{
+ (void) attributes;
+ (void) key;
+ (void) key_length;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_size;
+ (void) signature_length;
+ return( PSA_ERROR_NOT_SUPPORTED );
+}
+
+psa_status_t test_transparent_signature_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key, size_t key_length,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length )
+{
+ ++test_driver_signature_verify_hooks.hits;
+
+ if( test_driver_signature_verify_hooks.forced_status != PSA_SUCCESS )
+ return( test_driver_signature_verify_hooks.forced_status );
+
+ psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) && \
+ defined(MBEDTLS_SHA256_C)
+ if( alg != PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ) )
+ return( PSA_ERROR_NOT_SUPPORTED );
+ mbedtls_ecp_group_id grp_id;
+ switch( psa_get_key_type( attributes ) )
+ {
+ case PSA_ECC_CURVE_SECP_R1:
+ switch( psa_get_key_bits( attributes ) )
+ {
+ case 256:
+ grp_id = MBEDTLS_ECP_DP_SECP256R1;
+ break;
+ case 384:
+ grp_id = MBEDTLS_ECP_DP_SECP384R1;
+ break;
+ case 521:
+ grp_id = MBEDTLS_ECP_DP_SECP521R1;
+ break;
+ default:
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+ break;
+ default:
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+
+ /* Beyond this point, the driver is actually doing the work of
+ * calculating the signature. */
+
+ status = PSA_ERROR_GENERIC_ERROR;
+ int ret = 0;
+ mbedtls_mpi r, s;
+ mbedtls_mpi_init( &r );
+ mbedtls_mpi_init( &s );
+ mbedtls_ecp_keypair ecp;
+ mbedtls_ecp_keypair_init( &ecp );
+ mbedtls_test_rnd_pseudo_info rnd_info;
+ memset( &rnd_info, 0x5A, sizeof( mbedtls_test_rnd_pseudo_info ) );
+ size_t curve_bytes = PSA_BITS_TO_BYTES( ecp.grp.pbits );
+
+ MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ecp.grp, grp_id ) );
+
+ /* Code adapted from psa_ecdsa_verify() in psa_crypto.c. */
+ if( signature_length < 2 * curve_bytes )
+ {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r,
+ signature,
+ curve_bytes ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &s,
+ signature + curve_bytes,
+ curve_bytes ) );
+
+ if( PSA_KEY_TYPE_IS_PUBLIC_KEY( psa_get_key_type( attributes ) ) )
+ MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ecp.grp, &ecp.Q,
+ key, key_length ) );
+ else
+ {
+ MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ecp.d, key, key_length ) );
+ MBEDTLS_MPI_CHK(
+ mbedtls_ecp_mul( &ecp.grp, &ecp.Q, &ecp.d, &ecp.grp.G,
+ &mbedtls_test_rnd_pseudo_rand,
+ &rnd_info ) );
+ }
+
+ MBEDTLS_MPI_CHK( mbedtls_ecdsa_verify( &ecp.grp, hash, hash_length,
+ &ecp.Q, &r, &s ) );
+cleanup:
+ status = mbedtls_to_psa_error( ret );
+ mbedtls_mpi_free( &r );
+ mbedtls_mpi_free( &s );
+ mbedtls_ecp_keypair_free( &ecp );
+#else /* defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) && \
+ defined(MBEDTLS_SHA256_C) */
+ (void) attributes;
+ (void) key;
+ (void) key_length;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+#endif /* defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) && \
+ defined(MBEDTLS_SHA256_C) */
+
+ return( status );
+}
+
+psa_status_t test_opaque_signature_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key, size_t key_length,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length )
+{
+ (void) attributes;
+ (void) key;
+ (void) key_length;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_length;
+ return( PSA_ERROR_NOT_SUPPORTED );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index 7425a35..ec43d13 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -407,6 +407,12 @@
void test_fail( const char *test, int line_no, const char* filename )
{
+ if( test_info.result == TEST_RESULT_FAILED )
+ {
+ /* We've already recorded the test as having failed. Don't
+ * overwrite any previous information about the failure. */
+ return;
+ }
test_info.result = TEST_RESULT_FAILED;
test_info.test = test;
test_info.line_no = line_no;
diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function
index e54aaff..2b2daf6 100644
--- a/tests/suites/test_suite_mpi.function
+++ b/tests/suites/test_suite_mpi.function
@@ -596,7 +596,7 @@
int size_Y, char * input_Y,
int input_ret, int input_err )
{
- unsigned ret;
+ unsigned ret = -1;
unsigned input_uret = input_ret;
mbedtls_mpi X, Y;
mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y );
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 43b4914..c6041b2 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -775,8 +775,8 @@
TEST_ASSERT( mbedtls_ecp_point_read_binary( &eckey->grp, &eckey->Q,
key->x, key->len ) == 0 );
- // MBEDTLS_MD_SHA1 is a dummy - it is ignored, but has to be other than MBEDTLS_MD_NONE.
- TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA1,
+ // MBEDTLS_MD_NONE is used since it will be ignored.
+ TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_NONE,
hash->x, hash->len, sig->x, sig->len ) == ret );
exit:
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data
new file mode 100644
index 0000000..74e6172
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data
@@ -0,0 +1,41 @@
+sign_hash through transparent driver: calculate in driver
+ecdsa_sign:PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":0:PSA_SUCCESS
+
+sign_hash through transparent driver: fallback
+ecdsa_sign:PSA_ERROR_NOT_SUPPORTED:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":0:PSA_SUCCESS
+
+sign_hash through transparent driver: error
+ecdsa_sign:PSA_ERROR_GENERIC_ERROR:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":0:PSA_ERROR_GENERIC_ERROR
+
+sign_hash through transparent driver: fake
+ecdsa_sign:PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"000102030405060708090A0B0C0D0E0F":1:PSA_SUCCESS
+
+verify_hash using private key through transparent driver: calculate in driver
+ecdsa_verify:PSA_SUCCESS:0:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_SUCCESS
+
+verify_hash using private key through transparent driver: fallback
+ecdsa_verify:PSA_ERROR_NOT_SUPPORTED:0:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_SUCCESS
+
+verify_hash using private key through transparent driver: error
+ecdsa_verify:PSA_ERROR_GENERIC_ERROR:0:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_GENERIC_ERROR
+
+verify_hash using public key through transparent driver: calculate in driver
+ecdsa_verify:PSA_SUCCESS:1:"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_SUCCESS
+
+verify_hash using public key through transparent driver: fallback
+ecdsa_verify:PSA_ERROR_NOT_SUPPORTED:1:"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_SUCCESS
+
+verify_hash using public key through transparent driver: error
+ecdsa_verify:PSA_ERROR_GENERIC_ERROR:1:"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_GENERIC_ERROR
+
+generate_key through transparent driver: fake
+generate_key:PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_SUCCESS
+
+generate_key through transparent driver: in-driver
+generate_key:PSA_SUCCESS:"":PSA_SUCCESS
+
+generate_key through transparent driver: fallback
+generate_key:PSA_ERROR_NOT_SUPPORTED:"":PSA_SUCCESS
+
+generate_key through transparent driver: error
+generate_key:PSA_ERROR_GENERIC_ERROR:"":PSA_ERROR_GENERIC_ERROR
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
new file mode 100644
index 0000000..9177982
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
@@ -0,0 +1,185 @@
+/* BEGIN_HEADER */
+#include "test/psa_crypto_helpers.h"
+
+#include "test/drivers/test_driver.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_CRYPTO_DRIVERS:PSA_CRYPTO_DRIVER_TEST
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
+void ecdsa_sign( int force_status_arg,
+ data_t *key_input,
+ data_t *data_input,
+ data_t *expected_output,
+ int fake_output,
+ int expected_status_arg )
+{
+ psa_status_t force_status = force_status_arg;
+ psa_status_t expected_status = expected_status_arg;
+ psa_key_handle_t handle = 0;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg = PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 );
+ uint8_t signature[64];
+ size_t signature_length = 0xdeadbeef;
+ psa_status_t actual_status;
+ test_driver_signature_sign_hooks = test_driver_signature_hooks_init();
+
+ PSA_ASSERT( psa_crypto_init( ) );
+ psa_set_key_type( &attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP_R1 ) );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_import_key( &attributes,
+ key_input->x, key_input->len,
+ &handle );
+
+ test_driver_signature_sign_hooks.forced_status = force_status;
+ if( fake_output == 1 )
+ {
+ test_driver_signature_sign_hooks.forced_output = expected_output->x;
+ test_driver_signature_sign_hooks.forced_output_length = expected_output->len;
+ }
+
+ actual_status = psa_sign_hash( handle, alg,
+ data_input->x, data_input->len,
+ signature, sizeof( signature ),
+ &signature_length );
+ TEST_EQUAL( actual_status, expected_status );
+ if( expected_status == PSA_SUCCESS )
+ {
+ ASSERT_COMPARE( signature, signature_length,
+ expected_output->x, expected_output->len );
+ }
+ TEST_EQUAL( test_driver_signature_sign_hooks.hits, 1 );
+
+exit:
+ psa_reset_key_attributes( &attributes );
+ psa_destroy_key( handle );
+ PSA_DONE( );
+ test_driver_signature_sign_hooks = test_driver_signature_hooks_init();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
+void ecdsa_verify( int force_status_arg,
+ int register_public_key,
+ data_t *key_input,
+ data_t *data_input,
+ data_t *signature_input,
+ int expected_status_arg )
+{
+ psa_status_t force_status = force_status_arg;
+ psa_status_t expected_status = expected_status_arg;
+ psa_key_handle_t handle = 0;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg = PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 );
+ psa_status_t actual_status;
+ test_driver_signature_verify_hooks = test_driver_signature_hooks_init();
+
+ PSA_ASSERT( psa_crypto_init( ) );
+ if( register_public_key )
+ {
+ psa_set_key_type( &attributes,
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY( PSA_ECC_CURVE_SECP_R1 ) );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_import_key( &attributes,
+ key_input->x, key_input->len,
+ &handle );
+ }
+ else
+ {
+ psa_set_key_type( &attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP_R1 ) );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_import_key( &attributes,
+ key_input->x, key_input->len,
+ &handle );
+ }
+
+ test_driver_signature_verify_hooks.forced_status = force_status;
+
+ actual_status = psa_verify_hash( handle, alg,
+ data_input->x, data_input->len,
+ signature_input->x, signature_input->len );
+ TEST_EQUAL( actual_status, expected_status );
+ TEST_EQUAL( test_driver_signature_verify_hooks.hits, 1 );
+
+exit:
+ psa_reset_key_attributes( &attributes );
+ psa_destroy_key( handle );
+ PSA_DONE( );
+ test_driver_signature_verify_hooks = test_driver_signature_hooks_init();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+void generate_key( int force_status_arg,
+ data_t *fake_output,
+ int expected_status_arg )
+{
+ psa_status_t force_status = force_status_arg;
+ psa_status_t expected_status = expected_status_arg;
+ psa_key_handle_t handle = 0;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg = PSA_ALG_ECDSA( PSA_ALG_SHA_256 );
+ const uint8_t *expected_output = NULL;
+ size_t expected_output_length = 0;
+ psa_status_t actual_status;
+ uint8_t actual_output[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(256)] = {0};
+ size_t actual_output_length;
+ test_driver_keygen_hooks = test_driver_keygen_hooks_init();
+
+ psa_set_key_type( &attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP_R1 ) );
+ psa_set_key_bits( &attributes, 256 );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT );
+ psa_set_key_algorithm( &attributes, alg );
+
+ if( fake_output->len > 0 )
+ {
+ expected_output = test_driver_keygen_hooks.forced_output = fake_output->x;
+ expected_output_length = test_driver_keygen_hooks.forced_output_length =
+ fake_output->len;
+ }
+
+ test_driver_keygen_hooks.hits = 0;
+ test_driver_keygen_hooks.forced_status = force_status;
+
+ PSA_ASSERT( psa_crypto_init( ) );
+
+ actual_status = psa_generate_key( &attributes, &handle );
+ TEST_EQUAL( test_driver_keygen_hooks.hits, 1 );
+ TEST_EQUAL( actual_status, expected_status );
+
+ if( actual_status == PSA_SUCCESS )
+ {
+ psa_export_key( handle, actual_output, sizeof(actual_output), &actual_output_length );
+
+ if( fake_output->len > 0 )
+ {
+ ASSERT_COMPARE( actual_output, actual_output_length,
+ expected_output, expected_output_length );
+ }
+ else
+ {
+ size_t zeroes = 0;
+ for( size_t i = 0; i < sizeof(actual_output); i++ )
+ {
+ if( actual_output[i] == 0)
+ zeroes++;
+ }
+ TEST_ASSERT( zeroes != sizeof(actual_output) );
+ }
+ }
+exit:
+ psa_reset_key_attributes( &attributes );
+ psa_destroy_key( handle );
+ PSA_DONE( );
+ test_driver_keygen_hooks = test_driver_keygen_hooks_init();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index d3158fd..1b79191 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -9374,6 +9374,1031 @@
depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_MD5_C:MBEDTLS_SSL_ENCRYPT_THEN_MAC
ssl_crypt_record_small:MBEDTLS_CIPHER_NULL:MBEDTLS_MD_MD5:1:1:MBEDTLS_SSL_MINOR_VERSION_0:0:0
+Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-1
+
+Decrypt CBC !EtM, AES MD5 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:-2
+
+Decrypt CBC !EtM, AES MD5 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:-1
+
+Decrypt CBC !EtM, AES MD5 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:-2
+
+Decrypt CBC !EtM, AES MD5 !trunc, padlen=0
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:0
+
+Decrypt CBC !EtM, AES MD5 !trunc, padlen=240
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:240
+
+Decrypt CBC !EtM, AES MD5 trunc, padlen=0
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:0
+
+Decrypt CBC !EtM, AES MD5 trunc, padlen=240
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:240
+
+Decrypt CBC !EtM, AES MD5 !trunc, padlen=1
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:1
+
+Decrypt CBC !EtM, AES MD5 !trunc, padlen=241
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:241
+
+Decrypt CBC !EtM, AES MD5 trunc, padlen=1
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:1
+
+Decrypt CBC !EtM, AES MD5 trunc, padlen=241
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:241
+
+Decrypt CBC !EtM, AES MD5 !trunc, padlen=15
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:15
+
+Decrypt CBC !EtM, AES MD5 !trunc, padlen=255
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:0:255
+
+Decrypt CBC !EtM, AES MD5 trunc, padlen=15
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:15
+
+Decrypt CBC !EtM, AES MD5 trunc, padlen=255
+depends_on:MBEDTLS_AES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_MD5:1:255
+
+Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-1
+
+Decrypt CBC !EtM, AES SHA1 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:-2
+
+Decrypt CBC !EtM, AES SHA1 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:-1
+
+Decrypt CBC !EtM, AES SHA1 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:-2
+
+Decrypt CBC !EtM, AES SHA1 !trunc, padlen=0
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:0
+
+Decrypt CBC !EtM, AES SHA1 !trunc, padlen=240
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:240
+
+Decrypt CBC !EtM, AES SHA1 trunc, padlen=0
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:0
+
+Decrypt CBC !EtM, AES SHA1 trunc, padlen=240
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:240
+
+Decrypt CBC !EtM, AES SHA1 !trunc, padlen=1
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:1
+
+Decrypt CBC !EtM, AES SHA1 !trunc, padlen=241
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:241
+
+Decrypt CBC !EtM, AES SHA1 trunc, padlen=1
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:1
+
+Decrypt CBC !EtM, AES SHA1 trunc, padlen=241
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:241
+
+Decrypt CBC !EtM, AES SHA1 !trunc, padlen=15
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:15
+
+Decrypt CBC !EtM, AES SHA1 !trunc, padlen=255
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:0:255
+
+Decrypt CBC !EtM, AES SHA1 trunc, padlen=15
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:15
+
+Decrypt CBC !EtM, AES SHA1 trunc, padlen=255
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA1:1:255
+
+Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-1
+
+Decrypt CBC !EtM, AES SHA256 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:-2
+
+Decrypt CBC !EtM, AES SHA256 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:-1
+
+Decrypt CBC !EtM, AES SHA256 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:-2
+
+Decrypt CBC !EtM, AES SHA256 !trunc, padlen=0
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:0
+
+Decrypt CBC !EtM, AES SHA256 !trunc, padlen=240
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:240
+
+Decrypt CBC !EtM, AES SHA256 trunc, padlen=0
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:0
+
+Decrypt CBC !EtM, AES SHA256 trunc, padlen=240
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:240
+
+Decrypt CBC !EtM, AES SHA256 !trunc, padlen=1
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:1
+
+Decrypt CBC !EtM, AES SHA256 !trunc, padlen=241
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:241
+
+Decrypt CBC !EtM, AES SHA256 trunc, padlen=1
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:1
+
+Decrypt CBC !EtM, AES SHA256 trunc, padlen=241
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:241
+
+Decrypt CBC !EtM, AES SHA256 !trunc, padlen=15
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:15
+
+Decrypt CBC !EtM, AES SHA256 !trunc, padlen=255
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:0:255
+
+Decrypt CBC !EtM, AES SHA256 trunc, padlen=15
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:15
+
+Decrypt CBC !EtM, AES SHA256 trunc, padlen=255
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA256:1:255
+
+Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-1
+
+Decrypt CBC !EtM, AES SHA384 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:-2
+
+Decrypt CBC !EtM, AES SHA384 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:-1
+
+Decrypt CBC !EtM, AES SHA384 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:-2
+
+Decrypt CBC !EtM, AES SHA384 !trunc, padlen=0
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0
+
+Decrypt CBC !EtM, AES SHA384 !trunc, padlen=240
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:240
+
+Decrypt CBC !EtM, AES SHA384 trunc, padlen=0
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:0
+
+Decrypt CBC !EtM, AES SHA384 trunc, padlen=240
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:240
+
+Decrypt CBC !EtM, AES SHA384 !trunc, padlen=1
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:1
+
+Decrypt CBC !EtM, AES SHA384 !trunc, padlen=241
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:241
+
+Decrypt CBC !EtM, AES SHA384 trunc, padlen=1
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:1
+
+Decrypt CBC !EtM, AES SHA384 trunc, padlen=241
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:241
+
+Decrypt CBC !EtM, AES SHA384 !trunc, padlen=15
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:15
+
+Decrypt CBC !EtM, AES SHA384 !trunc, padlen=255
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:255
+
+Decrypt CBC !EtM, AES SHA384 trunc, padlen=15
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:15
+
+Decrypt CBC !EtM, AES SHA384 trunc, padlen=255
+depends_on:MBEDTLS_AES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:1:255
+
+Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-1
+
+Decrypt CBC !EtM, ARIA MD5 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:-2
+
+Decrypt CBC !EtM, ARIA MD5 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:-1
+
+Decrypt CBC !EtM, ARIA MD5 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:-2
+
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=0
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:0
+
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=240
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:240
+
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=0
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:0
+
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=240
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:240
+
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=1
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:1
+
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=241
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:241
+
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=1
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:1
+
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=241
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:241
+
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=15
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:15
+
+Decrypt CBC !EtM, ARIA MD5 !trunc, padlen=255
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:0:255
+
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=15
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:15
+
+Decrypt CBC !EtM, ARIA MD5 trunc, padlen=255
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_MD5:1:255
+
+Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-1
+
+Decrypt CBC !EtM, ARIA SHA1 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:-2
+
+Decrypt CBC !EtM, ARIA SHA1 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:-1
+
+Decrypt CBC !EtM, ARIA SHA1 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:-2
+
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=0
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:0
+
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=240
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:240
+
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=0
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:0
+
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=240
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:240
+
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=1
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:1
+
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=241
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:241
+
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=1
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:1
+
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=241
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:241
+
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=15
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:15
+
+Decrypt CBC !EtM, ARIA SHA1 !trunc, padlen=255
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:0:255
+
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=15
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:15
+
+Decrypt CBC !EtM, ARIA SHA1 trunc, padlen=255
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA1:1:255
+
+Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-1
+
+Decrypt CBC !EtM, ARIA SHA256 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:-2
+
+Decrypt CBC !EtM, ARIA SHA256 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:-1
+
+Decrypt CBC !EtM, ARIA SHA256 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:-2
+
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=0
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:0
+
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=240
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:240
+
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=0
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:0
+
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=240
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:240
+
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=1
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:1
+
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=241
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:241
+
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=1
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:1
+
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=241
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:241
+
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=15
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:15
+
+Decrypt CBC !EtM, ARIA SHA256 !trunc, padlen=255
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:0:255
+
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=15
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:15
+
+Decrypt CBC !EtM, ARIA SHA256 trunc, padlen=255
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA256:1:255
+
+Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-1
+
+Decrypt CBC !EtM, ARIA SHA384 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:-2
+
+Decrypt CBC !EtM, ARIA SHA384 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:-1
+
+Decrypt CBC !EtM, ARIA SHA384 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:-2
+
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=0
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:0
+
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=240
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:240
+
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=0
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:0
+
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=240
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:240
+
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=1
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:1
+
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=241
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:241
+
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=1
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:1
+
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=241
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:241
+
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=15
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:15
+
+Decrypt CBC !EtM, ARIA SHA384 !trunc, padlen=255
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:0:255
+
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=15
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:15
+
+Decrypt CBC !EtM, ARIA SHA384 trunc, padlen=255
+depends_on:MBEDTLS_ARIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_ARIA_128_CBC:MBEDTLS_MD_SHA384:1:255
+
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-1
+
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:-2
+
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:-1
+
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:-2
+
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=0
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:0
+
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=240
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:240
+
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=0
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:0
+
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=240
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:240
+
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=1
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:1
+
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=241
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:241
+
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=1
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:1
+
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=241
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:241
+
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=15
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:15
+
+Decrypt CBC !EtM, CAMELLIA MD5 !trunc, padlen=255
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:0:255
+
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=15
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:15
+
+Decrypt CBC !EtM, CAMELLIA MD5 trunc, padlen=255
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_MD5:1:255
+
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-1
+
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:-2
+
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:-1
+
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:-2
+
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=0
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:0
+
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=240
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:240
+
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=0
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:0
+
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=240
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:240
+
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=1
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:1
+
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=241
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:241
+
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=1
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:1
+
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=241
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:241
+
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=15
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:15
+
+Decrypt CBC !EtM, CAMELLIA SHA1 !trunc, padlen=255
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:0:255
+
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=15
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:15
+
+Decrypt CBC !EtM, CAMELLIA SHA1 trunc, padlen=255
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA1:1:255
+
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-1
+
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:-2
+
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:-1
+
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:-2
+
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=0
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:0
+
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=240
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:240
+
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=0
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:0
+
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=240
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:240
+
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=1
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:1
+
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=241
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:241
+
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=1
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:1
+
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=241
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:241
+
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=15
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:15
+
+Decrypt CBC !EtM, CAMELLIA SHA256 !trunc, padlen=255
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:0:255
+
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=15
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:15
+
+Decrypt CBC !EtM, CAMELLIA SHA256 trunc, padlen=255
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA256:1:255
+
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-1
+
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:-2
+
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:-1
+
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:-2
+
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=0
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:0
+
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=240
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:240
+
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=0
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:0
+
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=240
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:240
+
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=1
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:1
+
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=241
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:241
+
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=1
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:1
+
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=241
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:241
+
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=15
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:15
+
+Decrypt CBC !EtM, CAMELLIA SHA384 !trunc, padlen=255
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:0:255
+
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=15
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:15
+
+Decrypt CBC !EtM, CAMELLIA SHA384 trunc, padlen=255
+depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_CAMELLIA_128_CBC:MBEDTLS_MD_SHA384:1:255
+
+Decrypt CBC !EtM, 3DES MD5 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:-1
+
+Decrypt CBC !EtM, 3DES MD5 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:-2
+
+Decrypt CBC !EtM, 3DES MD5 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:-1
+
+Decrypt CBC !EtM, 3DES MD5 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:-2
+
+Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:0
+
+Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=248
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:248
+
+Decrypt CBC !EtM, 3DES MD5 trunc, padlen=0
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:0
+
+Decrypt CBC !EtM, 3DES MD5 trunc, padlen=248
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:248
+
+Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=1
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:1
+
+Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=249
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:249
+
+Decrypt CBC !EtM, 3DES MD5 trunc, padlen=1
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:1
+
+Decrypt CBC !EtM, 3DES MD5 trunc, padlen=249
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:249
+
+Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=7
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:7
+
+Decrypt CBC !EtM, 3DES MD5 !trunc, padlen=255
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:0:255
+
+Decrypt CBC !EtM, 3DES MD5 trunc, padlen=7
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:7
+
+Decrypt CBC !EtM, 3DES MD5 trunc, padlen=255
+depends_on:MBEDTLS_DES_C:MBEDTLS_MD5_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_MD5:1:255
+
+Decrypt CBC !EtM, 3DES SHA1 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:-1
+
+Decrypt CBC !EtM, 3DES SHA1 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:-2
+
+Decrypt CBC !EtM, 3DES SHA1 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:-1
+
+Decrypt CBC !EtM, 3DES SHA1 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:-2
+
+Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=0
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:0
+
+Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=248
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:248
+
+Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=0
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:0
+
+Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=248
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:248
+
+Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=1
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:1
+
+Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=249
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:249
+
+Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=1
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:1
+
+Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=249
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:249
+
+Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=7
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:7
+
+Decrypt CBC !EtM, 3DES SHA1 !trunc, padlen=255
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:0:255
+
+Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=7
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:7
+
+Decrypt CBC !EtM, 3DES SHA1 trunc, padlen=255
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA1_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA1:1:255
+
+Decrypt CBC !EtM, 3DES SHA256 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:-1
+
+Decrypt CBC !EtM, 3DES SHA256 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:-2
+
+Decrypt CBC !EtM, 3DES SHA256 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:-1
+
+Decrypt CBC !EtM, 3DES SHA256 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:-2
+
+Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=0
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:0
+
+Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=248
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:248
+
+Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=0
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:0
+
+Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=248
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:248
+
+Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=1
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:1
+
+Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=249
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:249
+
+Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=1
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:1
+
+Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=249
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:249
+
+Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=7
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:7
+
+Decrypt CBC !EtM, 3DES SHA256 !trunc, padlen=255
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:0:255
+
+Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=7
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:7
+
+Decrypt CBC !EtM, 3DES SHA256 trunc, padlen=255
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA256_C
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA256:1:255
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, empty plaintext, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:-1
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:-2
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, empty plaintext, minpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:-1
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, empty plaintext, maxpad
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:-2
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=0
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:0
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=248
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:248
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=0
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:0
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=248
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:248
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=1
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:1
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=249
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:249
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=1
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:1
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=249
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:249
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=7
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:7
+
+Decrypt CBC !EtM, 3DES SHA384 !trunc, padlen=255
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:0:255
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=7
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:7
+
+Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=255
+depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:255
+
+
SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
@@ -9504,3 +10529,31 @@
Session serialization, load buffer size: large ticket, cert
depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO
ssl_serialize_session_load_buf_size:1023:"data_files/server5.crt"
+
+Constant-flow HMAC: MD5
+depends_on:MBEDTLS_MD5_C
+ssl_cf_hmac:MBEDTLS_MD_MD5
+
+Constant-flow HMAC: SHA1
+depends_on:MBEDTLS_SHA1_C
+ssl_cf_hmac:MBEDTLS_MD_SHA1
+
+Constant-flow HMAC: SHA256
+depends_on:MBEDTLS_SHA256_C
+ssl_cf_hmac:MBEDTLS_MD_SHA256
+
+Constant-flow HMAC: SHA384
+depends_on:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384
+ssl_cf_hmac:MBEDTLS_MD_SHA384
+
+# these are the numbers we'd get with an empty plaintext and truncated HMAC
+Constant-flow memcpy from offset: small
+ssl_cf_memcpy_offset:0:5:10
+
+# we could get this with 255-bytes plaintext and untruncated SHA-256
+Constant-flow memcpy from offset: medium
+ssl_cf_memcpy_offset:0:255:32
+
+# we could get this with 255-bytes plaintext and untruncated SHA-384
+Constant-flow memcpy from offset: large
+ssl_cf_memcpy_offset:100:339:48
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 5cf6e8b..7c4f865 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -7,6 +7,10 @@
#include <mbedtls/timing.h>
#include <mbedtls/debug.h>
+#include <ssl_invasive.h>
+
+#include <test/constant_flow.h>
+
typedef struct log_pattern
{
const char *pattern;
@@ -3452,6 +3456,219 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */
+void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
+ int length_selector )
+{
+ /*
+ * Test record decryption for CBC without EtM, focused on the verification
+ * of padding and MAC.
+ *
+ * Actually depends on TLS >= 1.0 (SSL 3.0 computes the MAC differently),
+ * and either AES, ARIA, Camellia or DES, but since the test framework
+ * doesn't support alternation in dependency statements, just depend on
+ * TLS 1.2 and AES.
+ *
+ * The length_selector argument is interpreted as follows:
+ * - if it's -1, the plaintext length is 0 and minimal padding is applied
+ * - if it's -2, the plaintext length is 0 and maximal padding is applied
+ * - otherwise it must be in [0, 255] and is padding_length from RFC 5246:
+ * it's the length of the rest of the padding, that is, excluding the
+ * byte that encodes the length. The minimal non-zero plaintext length
+ * that gives this padding_length is automatically selected.
+ */
+ mbedtls_ssl_context ssl; /* ONLY for debugging */
+ mbedtls_ssl_transform t0, t1;
+ mbedtls_record rec, rec_save;
+ unsigned char *buf = NULL, *buf_save = NULL;
+ size_t buflen, olen = 0;
+ size_t plaintext_len, block_size, i;
+ unsigned char padlen; /* excluding the padding_length byte */
+ unsigned char add_data[13];
+ unsigned char mac[MBEDTLS_MD_MAX_SIZE];
+ int exp_ret;
+ const unsigned char pad_max_len = 255; /* Per the standard */
+
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_transform_init( &t0 );
+ mbedtls_ssl_transform_init( &t1 );
+
+ /* Set up transforms with dummy keys */
+ TEST_ASSERT( build_transforms( &t0, &t1, cipher_type, hash_id,
+ 0, trunc_hmac,
+ MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 , 0 ) == 0 );
+
+ /* Determine padding/plaintext length */
+ TEST_ASSERT( length_selector >= -2 && length_selector <= 255 );
+ block_size = t0.ivlen;
+ if( length_selector < 0 )
+ {
+ plaintext_len = 0;
+
+ /* Minimal padding
+ * The +1 is for the padding_length byte, not counted in padlen. */
+ padlen = block_size - ( t0.maclen + 1 ) % block_size;
+
+ /* Maximal padding? */
+ if( length_selector == -2 )
+ padlen += block_size * ( ( pad_max_len - padlen ) / block_size );
+ }
+ else
+ {
+ padlen = length_selector;
+
+ /* Minimal non-zero plaintext_length giving desired padding.
+ * The +1 is for the padding_length byte, not counted in padlen. */
+ plaintext_len = block_size - ( padlen + t0.maclen + 1 ) % block_size;
+ }
+
+ /* Prepare a buffer for record data */
+ buflen = block_size
+ + plaintext_len
+ + t0.maclen
+ + padlen + 1;
+ ASSERT_ALLOC( buf, buflen );
+ ASSERT_ALLOC( buf_save, buflen );
+
+ /* Prepare a dummy record header */
+ memset( rec.ctr, 0, sizeof( rec.ctr ) );
+ rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ rec.ver[0] = MBEDTLS_SSL_MAJOR_VERSION_3;
+ rec.ver[1] = MBEDTLS_SSL_MINOR_VERSION_3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ rec.cid_len = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ /* Prepare dummy record content */
+ rec.buf = buf;
+ rec.buf_len = buflen;
+ rec.data_offset = block_size;
+ rec.data_len = plaintext_len;
+ memset( rec.buf + rec.data_offset, 42, rec.data_len );
+
+ /* Serialized version of record header for MAC purposes */
+ memcpy( add_data, rec.ctr, 8 );
+ add_data[8] = rec.type;
+ add_data[9] = rec.ver[0];
+ add_data[10] = rec.ver[1];
+ add_data[11] = ( rec.data_len >> 8 ) & 0xff;
+ add_data[12] = ( rec.data_len >> 0 ) & 0xff;
+
+ /* Set dummy IV */
+ memset( t0.iv_enc, 0x55, t0.ivlen );
+ memcpy( rec.buf, t0.iv_enc, t0.ivlen );
+
+ /*
+ * Prepare a pre-encryption record (with MAC and padding), and save it.
+ */
+
+ /* MAC with additional data */
+ TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc,
+ rec.buf + rec.data_offset,
+ rec.data_len ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_finish( &t0.md_ctx_enc, mac ) );
+
+ memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen );
+ rec.data_len += t0.maclen;
+
+ /* Pad */
+ memset( rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1 );
+ rec.data_len += padlen + 1;
+
+ /* Save correct pre-encryption record */
+ rec_save = rec;
+ rec_save.buf = buf_save;
+ memcpy( buf_save, buf, buflen );
+
+ /*
+ * Encrypt and decrypt the correct record, expecting success
+ */
+ TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
+ t0.iv_enc, t0.ivlen,
+ rec.buf + rec.data_offset, rec.data_len,
+ rec.buf + rec.data_offset, &olen ) );
+ rec.data_offset -= t0.ivlen;
+ rec.data_len += t0.ivlen;
+
+ TEST_EQUAL( 0, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
+
+ /*
+ * Modify each byte of the pre-encryption record before encrypting and
+ * decrypting it, expecting failure every time.
+ */
+ for( i = block_size; i < buflen; i++ )
+ {
+ test_set_step( i );
+
+ /* Restore correct pre-encryption record */
+ rec = rec_save;
+ rec.buf = buf;
+ memcpy( buf, buf_save, buflen );
+
+ /* Corrupt one byte of the data (could be plaintext, MAC or padding) */
+ rec.buf[i] ^= 0x01;
+
+ /* Encrypt */
+ TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
+ t0.iv_enc, t0.ivlen,
+ rec.buf + rec.data_offset, rec.data_len,
+ rec.buf + rec.data_offset, &olen ) );
+ rec.data_offset -= t0.ivlen;
+ rec.data_len += t0.ivlen;
+
+ /* Decrypt and expect failure */
+ TEST_EQUAL( MBEDTLS_ERR_SSL_INVALID_MAC,
+ mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
+ }
+
+ /*
+ * Use larger values of the padding bytes - with small buffers, this tests
+ * the case where the announced padlen would be larger than the buffer
+ * (and before that, than the buffer minus the size of the MAC), to make
+ * sure our padding checking code does not perform any out-of-bounds reads
+ * in this case. (With larger buffers, ie when the plaintext is long or
+ * maximal length padding is used, this is less relevant but still doesn't
+ * hurt to test.)
+ *
+ * (Start the loop with correct padding, just to double-check that record
+ * saving did work, and that we're overwriting the correct bytes.)
+ */
+ for( i = padlen; i <= pad_max_len; i++ )
+ {
+ test_set_step( i );
+
+ /* Restore correct pre-encryption record */
+ rec = rec_save;
+ rec.buf = buf;
+ memcpy( buf, buf_save, buflen );
+
+ /* Set padding bytes to new value */
+ memset( buf + buflen - padlen - 1, i, padlen + 1 );
+
+ /* Encrypt */
+ TEST_EQUAL( 0, mbedtls_cipher_crypt( &t0.cipher_ctx_enc,
+ t0.iv_enc, t0.ivlen,
+ rec.buf + rec.data_offset, rec.data_len,
+ rec.buf + rec.data_offset, &olen ) );
+ rec.data_offset -= t0.ivlen;
+ rec.data_len += t0.ivlen;
+
+ /* Decrypt and expect failure except the first time */
+ exp_ret = ( i == padlen ) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC;
+ TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
+ }
+
+exit:
+ mbedtls_ssl_free( &ssl );
+ mbedtls_ssl_transform_free( &t0 );
+ mbedtls_ssl_transform_free( &t1 );
+ mbedtls_free( buf );
+ mbedtls_free( buf_save );
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void ssl_tls_prf( int type, data_t * secret, data_t * random,
char *label, data_t *result_hex_str, int exp_ret )
@@ -4050,3 +4267,130 @@
goto exit;
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */
+void ssl_cf_hmac( int hash )
+{
+ /*
+ * Test the function mbedtls_ssl_cf_hmac() against a reference
+ * implementation.
+ */
+ mbedtls_md_context_t ctx, ref_ctx;
+ const mbedtls_md_info_t *md_info;
+ size_t out_len, block_size;
+ size_t min_in_len, in_len, max_in_len, i;
+ /* TLS additional data is 13 bytes (hence the "lucky 13" name) */
+ unsigned char add_data[13];
+ unsigned char ref_out[MBEDTLS_MD_MAX_SIZE];
+ unsigned char *data = NULL;
+ unsigned char *out = NULL;
+ unsigned char rec_num = 0;
+
+ mbedtls_md_init( &ctx );
+ mbedtls_md_init( &ref_ctx );
+
+ md_info = mbedtls_md_info_from_type( hash );
+ TEST_ASSERT( md_info != NULL );
+ out_len = mbedtls_md_get_size( md_info );
+ TEST_ASSERT( out_len != 0 );
+ block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64;
+
+ /* Use allocated out buffer to catch overwrites */
+ ASSERT_ALLOC( out, out_len );
+
+ /* Set up contexts with the given hash and a dummy key */
+ TEST_EQUAL( 0, mbedtls_md_setup( &ctx, md_info, 1 ) );
+ TEST_EQUAL( 0, mbedtls_md_setup( &ref_ctx, md_info, 1 ) );
+ memset( ref_out, 42, sizeof( ref_out ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ctx, ref_out, out_len ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ref_ctx, ref_out, out_len ) );
+ memset( ref_out, 0, sizeof( ref_out ) );
+
+ /*
+ * Test all possible lengths up to a point. The difference between
+ * max_in_len and min_in_len is at most 255, and make sure they both vary
+ * by at least one block size.
+ */
+ for( max_in_len = 0; max_in_len <= 255 + block_size; max_in_len++ )
+ {
+ test_set_step( max_in_len * 10000 );
+
+ /* Use allocated in buffer to catch overreads */
+ ASSERT_ALLOC( data, max_in_len );
+
+ min_in_len = max_in_len > 255 ? max_in_len - 255 : 0;
+ for( in_len = min_in_len; in_len <= max_in_len; in_len++ )
+ {
+ test_set_step( max_in_len * 10000 + in_len );
+
+ /* Set up dummy data and add_data */
+ rec_num++;
+ memset( add_data, rec_num, sizeof( add_data ) );
+ for( i = 0; i < in_len; i++ )
+ data[i] = ( i & 0xff ) ^ rec_num;
+
+ /* Get the function's result */
+ TEST_CF_SECRET( &in_len, sizeof( in_len ) );
+ TEST_EQUAL( 0, mbedtls_ssl_cf_hmac( &ctx, add_data, sizeof( add_data ),
+ data, in_len,
+ min_in_len, max_in_len,
+ out ) );
+ TEST_CF_PUBLIC( &in_len, sizeof( in_len ) );
+ TEST_CF_PUBLIC( out, out_len );
+
+ /* Compute the reference result */
+ TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, add_data,
+ sizeof( add_data ) ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, data, in_len ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_finish( &ref_ctx, ref_out ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_reset( &ref_ctx ) );
+
+ /* Compare */
+ ASSERT_COMPARE( out, out_len, ref_out, out_len );
+ }
+
+ mbedtls_free( data );
+ data = NULL;
+ }
+
+exit:
+ mbedtls_md_free( &ref_ctx );
+ mbedtls_md_free( &ctx );
+
+ mbedtls_free( data );
+ mbedtls_free( out );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */
+void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len )
+{
+ unsigned char *dst = NULL;
+ unsigned char *src = NULL;
+ size_t src_len = offset_max + len;
+ size_t secret;
+
+ ASSERT_ALLOC( dst, len );
+ ASSERT_ALLOC( src, src_len );
+
+ /* Fill src in a way that we can detect if we copied the right bytes */
+ mbedtls_test_rnd_std_rand( NULL, src, src_len );
+
+ for( secret = offset_min; secret <= (size_t) offset_max; secret++ )
+ {
+ test_set_step( (int) secret );
+
+ TEST_CF_SECRET( &secret, sizeof( secret ) );
+ mbedtls_ssl_cf_memcpy_offset( dst, src, secret,
+ offset_min, offset_max, len );
+ TEST_CF_PUBLIC( &secret, sizeof( secret ) );
+ TEST_CF_PUBLIC( dst, len );
+
+ ASSERT_COMPARE( dst, len, src + secret, len );
+ }
+
+exit:
+ mbedtls_free( dst );
+ mbedtls_free( src );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 846ebb7..bb26246 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compiletime library version
-check_compiletime_version:"2.23.0"
+check_compiletime_version:"2.24.0"
Check runtime library version
-check_runtime_version:"2.23.0"
+check_runtime_version:"2.24.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 275afb7..bfdbab2 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -2120,10 +2120,60 @@
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crl:"305d3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e05000302000100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+# 305c
+# 3047 tbsCertList TBSCertList
+# 020100 version INTEGER OPTIONAL
+# 300d signatureAlgorithm AlgorithmIdentifi
+# 06092a864886f70d01010e
+# 0500
+# 300f issuer Name
+# 310d300b0603550403130441424344
+# 170c303930313031303030303030 thisUpdate Time
+# 3014 revokedCertificates
+# 3012 entry 1
+# 8202abcd userCertificate CertificateSerialNum
+# 170c303831323331323335393539 revocationDate Time
+# 300d signatureAlgorithm AlgorithmIdentifi
+# 06092a864886f70d01010e
+# 0500
+# 03020001 signatureValue BIT STRING
+# The subsequent TBSCertList negative tests remove or modify some elements.
X509 CRL ASN1 (TBSCertList, sig present)
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nserial number\: AB\:CD revocation date\: 2008-12-31 23\:59\:59\nsigned using \: RSA with SHA-224\n":0
+X509 CRL ASN1 (TBSCertList, signatureValue missing)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crl:"30583047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e0500":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRL ASN1 (TBSCertList, signatureAlgorithm missing)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crl:"30493047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRL ASN1 (TBSCertList, single empty entry at end)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crl:"30373035020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c30393031303130303030303030023000":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRL ASN1 (TBSCertList, good entry then empty entry at end)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crl:"304b3049020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301630128202abcd170c3038313233313233353935393000":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRL ASN1 (TBSCertList, missing time in entry)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crl:"304e3039020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300630048202abcd300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRL ASN1 (TBSCertList, missing time in entry at end)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crl:"303b3039020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300630048202abcd":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRL ASN1 (TBSCertList, invalid tag for time in entry)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd190c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRL ASN1 (TBSCertList, invalid tag for serial)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128402abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
X509 CRL ASN1 (TBSCertList, no entries)
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crl:"30463031020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nsigned using \: RSA with SHA-224\n":0
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index be9e0ae..31d6000 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -5,11 +5,25 @@
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "mbedtls/rsa.h"
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+
+/* These are the same depends as the test function x509_crs_check_opaque(),
+ * the only function using PSA here. Using a weaker condition would result in
+ * warnings about the static functions defined in psa_crypto_helpers.h being
+ * unused. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_PEM_WRITE_C) && \
+ defined(MBEDTLS_X509_CSR_WRITE_C)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
-#endif
-
+#include "test/psa_crypto_helpers.h"
+#define PSA_INIT( ) PSA_ASSERT( psa_crypto_init( ) )
+#else
+/* Define empty macros so that we can use them in the preamble and teardown
+ * of every test function that uses PSA conditionally based on
+ * MBEDTLS_USE_PSA_CRYPTO. */
+#define PSA_INIT( ) ( (void) 0 )
+#define PSA_DONE( ) ( (void) 0 )
+#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
#if defined(MBEDTLS_RSA_C)
int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen,
@@ -147,7 +161,7 @@
int cert_type )
{
mbedtls_pk_context key;
- psa_key_handle_t slot;
+ psa_key_handle_t slot = 0;
psa_algorithm_t md_alg_psa;
mbedtls_x509write_csr req;
unsigned char buf[4096];
@@ -156,7 +170,7 @@
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
mbedtls_test_rnd_pseudo_info rnd_info;
- psa_crypto_init();
+ PSA_INIT( );
memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) );
md_alg_psa = mbedtls_psa_translate_md( (mbedtls_md_type_t) md_type );
@@ -184,9 +198,12 @@
buf[pem_len] = '\0';
TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 );
+
exit:
mbedtls_x509write_csr_free( &req );
mbedtls_pk_free( &key );
+ psa_destroy_key( slot );
+ PSA_DONE( );
}
/* END_CASE */
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj
index 4422b7a..9d79298 100644
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@@ -232,19 +232,25 @@
<ClInclude Include="..\..\include\psa\crypto_struct.h" />
<ClInclude Include="..\..\include\psa\crypto_types.h" />
<ClInclude Include="..\..\include\psa\crypto_values.h" />
+ <ClInclude Include="..\..\tests\include\test\constant_flow.h" />
<ClInclude Include="..\..\tests\include\test\helpers.h" />
<ClInclude Include="..\..\tests\include\test\macros.h" />
<ClInclude Include="..\..\tests\include\test\psa_crypto_helpers.h" />
<ClInclude Include="..\..\tests\include\test\psa_helpers.h" />
<ClInclude Include="..\..\tests\include\test\random.h" />
+ <ClInclude Include="..\..\tests\include\test\drivers\keygen.h" />
+ <ClInclude Include="..\..\tests\include\test\drivers\signature.h" />
+ <ClInclude Include="..\..\tests\include\test\drivers\test_driver.h" />
<ClInclude Include="..\..\library\common.h" />
<ClInclude Include="..\..\library\psa_crypto_core.h" />
+ <ClInclude Include="..\..\library\psa_crypto_driver_wrappers.h" />
<ClInclude Include="..\..\library\psa_crypto_invasive.h" />
<ClInclude Include="..\..\library\psa_crypto_its.h" />
<ClInclude Include="..\..\library\psa_crypto_se.h" />
<ClInclude Include="..\..\library\psa_crypto_service_integration.h" />
<ClInclude Include="..\..\library\psa_crypto_slot_management.h" />
<ClInclude Include="..\..\library\psa_crypto_storage.h" />
+ <ClInclude Include="..\..\library\ssl_invasive.h" />
<ClInclude Include="..\..\3rdparty\everest\include\everest\everest.h" />
<ClInclude Include="..\..\3rdparty\everest\include\everest\Hacl_Curve25519.h" />
<ClInclude Include="..\..\3rdparty\everest\include\everest\kremlib.h" />
@@ -305,6 +311,7 @@
<ClCompile Include="..\..\library\platform_util.c" />
<ClCompile Include="..\..\library\poly1305.c" />
<ClCompile Include="..\..\library\psa_crypto.c" />
+ <ClCompile Include="..\..\library\psa_crypto_driver_wrappers.c" />
<ClCompile Include="..\..\library\psa_crypto_se.c" />
<ClCompile Include="..\..\library\psa_crypto_slot_management.c" />
<ClCompile Include="..\..\library\psa_crypto_storage.c" />