Merge remote-tracking branch 'mbedtls/development' into tls13-cli-max-early-data-size
diff --git a/tests/include/test/drivers/config_test_driver.h b/tests/include/test/drivers/config_test_driver.h
index 4eb27f0..ec8bcb6 100644
--- a/tests/include/test/drivers/config_test_driver.h
+++ b/tests/include/test/drivers/config_test_driver.h
@@ -40,5 +40,7 @@
//#define MBEDTLS_MD_C
//#define MBEDTLS_PEM_PARSE_C
//#define MBEDTLS_BASE64_C
+//#define MBEDTLS_THREADING_C
+//#define MBEDTLS_THREADING_PTHREAD
#endif /* MBEDTLS_CONFIG_H */
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index 71259d6..335386b 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -197,6 +197,13 @@
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
/*
+ * Random number generator aimed for TLS unitary tests. Its main purpose is to
+ * simplify the set-up of a random number generator for TLS
+ * unitary tests: no need to set up a good entropy source for example.
+ */
+int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len);
+
+/*
* This function can be passed to mbedtls to receive output logs from it. In
* this case, it will count the instances of a mbedtls_test_ssl_log_pattern
* in the received logged messages.
diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh
index 4581bc5..49f06e0 100755
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
@@ -23,7 +23,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-s "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -41,7 +41,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -78,7 +78,7 @@
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-s "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -96,7 +96,7 @@
-s "found pre_shared_key extension" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -133,7 +133,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -151,7 +151,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -188,7 +188,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -206,7 +206,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -261,7 +261,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -280,7 +280,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -319,7 +319,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -338,7 +338,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -377,7 +377,7 @@
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-s "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -396,7 +396,7 @@
-s "found pre_shared_key extension" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -435,7 +435,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -454,7 +454,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -493,7 +493,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -512,7 +512,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -550,8 +550,9 @@
-s "found pre_shared_key extension" \
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
+ -s "No suitable PSK key exchange mode" \
-S "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -572,7 +573,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -592,7 +593,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -633,7 +634,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -653,7 +654,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -694,7 +695,7 @@
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -733,8 +734,9 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
+ -s "No suitable PSK key exchange mode" \
-S "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -754,7 +756,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -793,7 +795,7 @@
-S "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -921,7 +923,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-s "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -938,7 +940,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -973,7 +975,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -990,7 +992,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1025,7 +1027,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1042,7 +1044,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1078,7 +1080,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1096,7 +1098,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1133,7 +1135,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1151,7 +1153,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1188,7 +1190,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1206,7 +1208,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1243,7 +1245,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1261,7 +1263,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1299,7 +1301,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1318,7 +1320,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1357,7 +1359,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-s "key exchange mode: psk_ephemeral" \
-S "key exchange mode: ephemeral"
@@ -1376,7 +1378,7 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1413,8 +1415,9 @@
-s "found pre_shared_key extension" \
-s "Found PSK_EPHEMERAL KEX MODE" \
-S "Found PSK KEX MODE" \
+ -s "No suitable PSK key exchange mode" \
-S "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1433,7 +1436,7 @@
-s "Found PSK_EPHEMERAL KEX MODE" \
-s "Found PSK KEX MODE" \
-s "Pre shared key found" \
- -S "No matched PSK or ticket" \
+ -S "No usable PSK or ticket" \
-S "key exchange mode: psk$" \
-S "key exchange mode: psk_ephemeral" \
-s "key exchange mode: ephemeral"
@@ -1580,7 +1583,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1665,7 +1668,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1711,7 +1714,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1769,7 +1772,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1827,7 +1830,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1870,7 +1873,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1916,7 +1919,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2047,7 +2050,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2106,7 +2109,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "key exchange mode: ephemeral"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2152,7 +2155,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2199,7 +2202,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "key exchange mode: ephemeral"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2288,7 +2291,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2348,7 +2351,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2392,7 +2395,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2438,7 +2441,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket"
+ -s "No usable PSK or ticket"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2485,7 +2488,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2532,7 +2535,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2595,7 +2598,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-c "Selected key exchange mode: ephemeral" \
-c "HTTP/1.0 200 OK"
@@ -2643,7 +2646,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "ClientHello message misses mandatory extensions."
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -2690,7 +2693,7 @@
-c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
-c "client hello, adding psk_key_exchange_modes extension" \
-c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
+ -s "No usable PSK or ticket" \
-s "key exchange mode: ephemeral"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index ad062dc..066fa3f 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -353,8 +353,8 @@
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -365,7 +365,7 @@
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
+ -S "No suitable PSK key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
@@ -381,8 +381,8 @@
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -393,7 +393,7 @@
"$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
+ -S "No suitable PSK key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
@@ -409,8 +409,8 @@
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -425,8 +425,8 @@
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -437,7 +437,7 @@
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
+ -S "No suitable PSK key exchange mode" \
-s "found matched identity" \
-s "key exchange mode: psk_ephemeral"
@@ -450,7 +450,7 @@
"$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
+ -S "No suitable PSK key exchange mode" \
-s "found matched identity" \
-s "key exchange mode: psk_ephemeral"
@@ -468,8 +468,8 @@
-s "key exchange mode: ephemeral" \
-S "key exchange mode: psk_ephemeral" \
-S "key exchange mode: psk$" \
- -s "No suitable key exchange mode" \
- -s "No matched PSK or ticket"
+ -s "No suitable PSK key exchange mode" \
+ -s "No usable PSK or ticket"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \
@@ -481,7 +481,7 @@
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
+ -S "No suitable PSK key exchange mode" \
-s "found matched identity"
requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \
@@ -494,7 +494,7 @@
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
+ -S "No suitable PSK key exchange mode" \
-s "found matched identity" \
-s "key exchange mode: psk_ephemeral"
@@ -508,7 +508,7 @@
"$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \
0 \
-c "Pre-configured PSK number = 1" \
- -S "No suitable key exchange mode" \
+ -S "No suitable PSK key exchange mode" \
-s "found matched identity" \
-s "key exchange mode: psk_ephemeral"
@@ -535,3 +535,18 @@
-s "$( tail -1 $EARLY_DATA_INPUT )" \
-s "200 early data bytes read" \
-s "106 early data bytes read"
+
+requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \
+ MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
+ MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "TLS 1.3 m->m: Ephemeral over PSK kex with early data enabled" \
+ "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=1024" \
+ "$P_CLI debug_level=4 early_data=1 tls13_kex_modes=psk_or_ephemeral reco_mode=1 reconnect=1" \
+ 0 \
+ -s "key exchange mode: ephemeral" \
+ -S "key exchange mode: psk" \
+ -s "found matched identity" \
+ -s "EarlyData: rejected, not a session resumption" \
+ -C "EncryptedExtensions: early_data(42) extension exists."
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index c25f044..fcb465e 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -212,10 +212,21 @@
# defined in this script whose name starts with "component_".
ALL_COMPONENTS=$(compgen -A function component_ | sed 's/component_//')
- # Delay determinig SUPPORTED_COMPONENTS until the command line options have a chance to override
+ # Delay determining SUPPORTED_COMPONENTS until the command line options have a chance to override
# the commands set by the environment
}
+setup_quiet_wrappers()
+{
+ # Pick up "quiet" wrappers for make and cmake, which don't output very much
+ # unless there is an error. This reduces logging overhead in the CI.
+ #
+ # Note that the cmake wrapper breaks unless we use an absolute path here.
+ if [[ -e ${PWD}/tests/scripts/quiet ]]; then
+ export PATH=${PWD}/tests/scripts/quiet:$PATH
+ fi
+}
+
# Test whether the component $1 is included in the command line patterns.
is_component_included()
{
@@ -889,6 +900,16 @@
# Dynamic secure element support is a deprecated feature and needs to be disabled here.
# This is done to have the same form of psa_key_attributes_s for libdriver and library.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
+
+ # If threading is enabled on the normal build, then we need to enable it in the drivers as well,
+ # otherwise we will end up running multithreaded tests without mutexes to protect them.
+ if scripts/config.py get MBEDTLS_THREADING_C; then
+ scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_THREADING_C
+ fi
+
+ if scripts/config.py get MBEDTLS_THREADING_PTHREAD; then
+ scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_THREADING_PTHREAD
+ fi
}
# When called with no parameter this function disables all builtin curves.
@@ -6353,6 +6374,7 @@
pre_initialize_variables
pre_parse_command_line "$@"
+setup_quiet_wrappers
pre_check_git
pre_restore_files
pre_back_up
diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
index 65fbc9f..4483f55 100755
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@@ -173,6 +173,8 @@
b'sh': 'sh',
}
+ path_exemptions = re.compile(r'tests/scripts/quiet/.*')
+
def is_valid_shebang(self, first_line, filepath):
m = re.match(self._shebang_re, first_line)
if not m:
diff --git a/tests/scripts/quiet/cmake b/tests/scripts/quiet/cmake
new file mode 100755
index 0000000..930931d
--- /dev/null
+++ b/tests/scripts/quiet/cmake
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+# This swallows the output of the wrapped tool, unless there is an error.
+# This helps reduce excess logging in the CI.
+
+# If you are debugging a build / CI issue, you can get complete unsilenced logs
+# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
+
+# export VERBOSE_LOGS=1
+
+# don't silence invocations containing these arguments
+export NO_SILENCE=" --version "
+
+export TOOL="cmake"
+
+exec "$(dirname "$0")/quiet.sh" "$@"
diff --git a/tests/scripts/quiet/make b/tests/scripts/quiet/make
new file mode 100755
index 0000000..d022551
--- /dev/null
+++ b/tests/scripts/quiet/make
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+# This swallows the output of the wrapped tool, unless there is an error.
+# This helps reduce excess logging in the CI.
+
+# If you are debugging a build / CI issue, you can get complete unsilenced logs
+# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
+
+# export VERBOSE_LOGS=1
+
+# don't silence invocations containing these arguments
+export NO_SILENCE=" --version | test "
+
+export TOOL="make"
+
+exec "$(dirname "$0")/quiet.sh" "$@"
diff --git a/tests/scripts/quiet/quiet.sh b/tests/scripts/quiet/quiet.sh
new file mode 100755
index 0000000..30ee569
--- /dev/null
+++ b/tests/scripts/quiet/quiet.sh
@@ -0,0 +1,75 @@
+# -*-mode: sh; sh-shell: bash -*-
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+#
+# This swallows the output of the wrapped tool, unless there is an error.
+# This helps reduce excess logging in the CI.
+
+# If you are debugging a build / CI issue, you can get complete unsilenced logs
+# by un-commenting the following line (or setting VERBOSE_LOGS in your environment):
+#
+# VERBOSE_LOGS=1
+#
+# This script provides most of the functionality for the adjacent make and cmake
+# wrappers.
+#
+# It requires two variables to be set:
+#
+# TOOL - the name of the tool that is being wrapped (with no path), e.g. "make"
+#
+# NO_SILENCE - a regex that describes the commandline arguments for which output will not
+# be silenced, e.g. " --version | test ". In this example, "make lib test" will
+# not be silent, but "make lib" will be.
+
+# Locate original tool
+TOOL_WITH_PATH=$(dirname "$0")/$TOOL
+ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$TOOL_WITH_PATH" | head -n1)
+
+print_quoted_args() {
+ # similar to printf '%q' "$@"
+ # but produce more human-readable results for common/simple cases like "a b"
+ for a in "$@"; do
+ # Get bash to quote the string
+ printf -v q '%q' "$a"
+ simple_pattern="^([-[:alnum:]_+./:@]+=)?([^']*)$"
+ if [[ "$a" != "$q" && $a =~ $simple_pattern ]]; then
+ # a requires some quoting (a != q), but has no single quotes, so we can
+ # simplify the quoted form - e.g.:
+ # a b -> 'a b'
+ # CFLAGS=a b -> CFLAGS='a b'
+ q="${BASH_REMATCH[1]}'${BASH_REMATCH[2]}'"
+ fi
+ printf " %s" "$q"
+ done
+}
+
+if [[ ! " $* " =~ " --version " ]]; then
+ # Display the command being invoked - if it succeeds, this is all that will
+ # be displayed. Don't do this for invocations with --version, because
+ # this output is often parsed by scripts, so we don't want to modify it.
+ printf %s "${TOOL}" 1>&2
+ print_quoted_args "$@" 1>&2
+ echo 1>&2
+fi
+
+if [[ " $@ " =~ $NO_SILENCE || -n "${VERBOSE_LOGS}" ]]; then
+ # Run original command with no output supression
+ exec "${ORIGINAL_TOOL}" "$@"
+else
+ # Run original command and capture output & exit status
+ TMPFILE=$(mktemp "quiet-${TOOL}.XXXXXX")
+ "${ORIGINAL_TOOL}" "$@" > "${TMPFILE}" 2>&1
+ EXIT_STATUS=$?
+
+ if [[ $EXIT_STATUS -ne 0 ]]; then
+ # On error, display the full output
+ cat "${TMPFILE}"
+ fi
+
+ # Remove tmpfile
+ rm "${TMPFILE}"
+
+ # Propagate the exit status
+ exit $EXIT_STATUS
+fi
diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c
index 00dd3e2..4fca5d1 100644
--- a/tests/src/drivers/test_driver_signature.c
+++ b/tests/src/drivers/test_driver_signature.c
@@ -49,7 +49,7 @@
size_t signature_size,
size_t *signature_length)
{
- if (attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
PSA_ALG_IS_RSA_PSS(alg)) {
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
@@ -71,7 +71,7 @@
} else {
return PSA_ERROR_INVALID_ARGUMENT;
}
- } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+ } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
if (PSA_ALG_IS_ECDSA(alg)) {
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
(defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
@@ -116,7 +116,7 @@
const uint8_t *signature,
size_t signature_length)
{
- if (PSA_KEY_TYPE_IS_RSA(attributes->core.type)) {
+ if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
PSA_ALG_IS_RSA_PSS(alg)) {
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
@@ -138,7 +138,7 @@
} else {
return PSA_ERROR_INVALID_ARGUMENT;
}
- } else if (PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+ } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
if (PSA_ALG_IS_ECDSA(alg)) {
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
(defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index bf29b47..56e03f1 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -12,9 +12,7 @@
#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_SSL_TLS_C)
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-static int rng_seed = 0xBEEF;
-static int rng_get(void *p_rng, unsigned char *output, size_t output_len)
+int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
{
(void) p_rng;
for (size_t i = 0; i < output_len; i++) {
@@ -23,7 +21,6 @@
return 0;
}
-#endif
void mbedtls_test_ssl_log_analyzer(void *ctx, int level,
const char *file, int line,
@@ -46,6 +43,8 @@
mbedtls_test_handshake_test_options *opts)
{
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+ static int rng_seed = 0xBEEF;
+
srand(rng_seed);
rng_seed += 0xD0;
#endif
@@ -686,9 +685,20 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opaque_alg != 0) {
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(cert->pkey, &key_slot,
- opaque_alg, opaque_usage,
- opaque_alg2), 0);
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ /* Use a fake key usage to get a successful initial guess for the PSA attributes. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(cert->pkey, PSA_KEY_USAGE_SIGN_HASH,
+ &key_attr), 0);
+ /* Then manually usage, alg and alg2 as requested by the test. */
+ psa_set_key_usage_flags(&key_attr, opaque_usage);
+ psa_set_key_algorithm(&key_attr, opaque_alg);
+ if (opaque_alg2 != PSA_ALG_NONE) {
+ psa_set_key_enrollment_algorithm(&key_attr, opaque_alg2);
+ }
+ TEST_EQUAL(mbedtls_pk_import_into_psa(cert->pkey, &key_attr, &key_slot), 0);
+ mbedtls_pk_free(cert->pkey);
+ mbedtls_pk_init(cert->pkey);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(cert->pkey, key_slot), 0);
}
#else
(void) opaque_alg;
@@ -745,7 +755,7 @@
mbedtls_ssl_init(&(ep->ssl));
mbedtls_ssl_config_init(&(ep->conf));
- mbedtls_ssl_conf_rng(&(ep->conf), rng_get, NULL);
+ mbedtls_ssl_conf_rng(&(ep->conf), mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_conf_get_user_data_p(&ep->conf) == NULL);
TEST_EQUAL(mbedtls_ssl_conf_get_user_data_n(&ep->conf), 0);
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index eeefc95..70e7bad 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
@@ -2,6 +2,7 @@
#include "debug_internal.h"
#include "string.h"
#include "mbedtls/pk.h"
+#include <test/ssl_helpers.h>
struct buffer_data {
char buf[2000];
@@ -65,11 +66,12 @@
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -103,11 +105,12 @@
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -138,11 +141,12 @@
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -175,11 +179,12 @@
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -214,11 +219,12 @@
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
- mbedtls_ssl_config_defaults(&conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT);
-
+ TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT),
+ 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
diff --git a/tests/suites/test_suite_ecdh.data b/tests/suites/test_suite_ecdh.data
index cc58432..8d06067 100644
--- a/tests/suites/test_suite_ecdh.data
+++ b/tests/suites/test_suite_ecdh.data
@@ -100,3 +100,19 @@
ECDH get_params with mismatched groups: their SECP256R1, our BP256R1
depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_BP256R1_ENABLED
ecdh_exchange_get_params_fail:MBEDTLS_ECP_DP_BP256R1:"1234567812345678123456781234567812345678123456781234567812345678":MBEDTLS_ECP_DP_SECP256R1:"04dad0b65394221cf9b051e1feca5787d098dfe637fc90b9ef945d0c37725811805271a0461cdb8252d61f1c456fa3e59ab1f45b33accf5f58389e0577b8990bb3":1:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+Context get ECP Group #1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_context_grp:MBEDTLS_ECP_DP_SECP256R1
+
+Context get ECP Group #2
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecdh_primitive_random:MBEDTLS_ECP_DP_SECP384R1
+
+Context get ECP Group #3
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecdh_primitive_random:MBEDTLS_ECP_DP_SECP521R1
+
+Context get ECP Group #4
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecdh_primitive_random:MBEDTLS_ECP_DP_CURVE448
diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function
index cc193da..300916f 100644
--- a/tests/suites/test_suite_ecdh.function
+++ b/tests/suites/test_suite_ecdh.function
@@ -464,3 +464,20 @@
mbedtls_ecp_keypair_free(&their_key);
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void ecdh_context_grp(int id)
+{
+ mbedtls_ecdh_context srv;
+
+ mbedtls_ecdh_init(&srv);
+ TEST_ASSERT(mbedtls_ecdh_setup(&srv, id) == 0);
+
+ /* Test the retrieved group id matches/*/
+ TEST_ASSERT((int) mbedtls_ecdh_get_grp_id(&srv) == id);
+
+exit:
+ mbedtls_ecdh_free(&srv);
+
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 1dd963a..fd63657 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -888,6 +888,109 @@
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
ecp_write_key:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+ECP write key ext: secp256r1, nominal
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":32:0
+
+ECP write key ext: secp256r1, output longer by 1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":33:0
+
+ECP write key ext: secp256r1, output short by 1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, output_size=0
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, top byte = 0, output_size=32
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":32:0
+
+ECP write key ext: secp256r1, top byte = 0, output_size=31
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, top byte = 0, output_size=30
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":30:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, mostly-0 key, output_size=32
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":32:0
+
+ECP write key ext: secp256r1, mostly-0 key, output_size=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"0000000000000000000000000000000000000000000000000000000000000001":1:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: secp256r1, private key not set
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP256R1:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+ECP write key ext: secp384r1, nominal
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":48:0
+
+ECP write key ext: secp384r1, output longer by 1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":49:0
+
+ECP write key ext: secp384r1, output short by 1
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_SECP384R1:"d27335ea71664af244dd14e9fd1260715dfd8a7965571c48d709ee7a7962a156d706a90cbcb5df2986f05feadb9376f1":47:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve25519, nominal
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":32:0
+
+ECP write key ext: Curve25519, output longer by 1
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":33:0
+
+ECP write key ext: Curve25519, output short by 1
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve25519, output_size=0
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44":0:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve25519, mostly-0 key, output_size=32
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":32:0
+
+ECP write key ext: Curve25519, mostly-0 key, output_size=31
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"0000000000000000000000000000000000000000000000000000000000000040":31:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve25519, private key not set
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE25519:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+ECP write key ext: Curve448, nominal
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":56:0
+
+ECP write key ext: Curve448, output longer by 1
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":57:0
+
+ECP write key ext: Curve448, output short by 1
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"3c262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: Curve448, mostly-0 key, output_size=56
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":56:0
+
+ECP write key ext: Curve448, mostly-0 key, output_size=55
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_write_key_ext:MBEDTLS_ECP_DP_CURVE448:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080":55:MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+
+ECP write key ext: group not set
+ecp_write_key_ext:MBEDTLS_ECP_DP_NONE:"":32:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
ECP mod p192 small (more than 192 bits, less limbs than 2 * 192 bits)
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_NIST_OPTIM
ecp_fast_mod:MBEDTLS_ECP_DP_SECP192R1:"0100000000000103010000000000010201000000000001010100000000000100"
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index 9cf0ce1..9b5c86f 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -1204,29 +1204,46 @@
TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.Y, 2), 0);
TEST_EQUAL(mbedtls_mpi_cmp_int(&key.Q.Z, 3), 0);
- if (canonical) {
+ if (canonical && in_key->len == (key.grp.nbits + 7) / 8) {
unsigned char buf[MBEDTLS_ECP_MAX_BYTES];
+ size_t length = 0xdeadbeef;
- ret = mbedtls_ecp_write_key(&key, buf, in_key->len);
- TEST_ASSERT(ret == 0);
+ TEST_EQUAL(mbedtls_ecp_write_key_ext(&key,
+ &length, buf, in_key->len), 0);
+ TEST_MEMORY_COMPARE(in_key->x, in_key->len,
+ buf, length);
+#if defined(MBEDTLS_TEST_DEPRECATED)
+ memset(buf, 0, sizeof(buf));
+ TEST_EQUAL(mbedtls_ecp_write_key(&key, buf, in_key->len), 0);
TEST_MEMORY_COMPARE(in_key->x, in_key->len,
buf, in_key->len);
+#endif /* MBEDTLS_TEST_DEPRECATED */
} else {
unsigned char export1[MBEDTLS_ECP_MAX_BYTES];
unsigned char export2[MBEDTLS_ECP_MAX_BYTES];
- ret = mbedtls_ecp_write_key(&key, export1, in_key->len);
- TEST_ASSERT(ret == 0);
+ size_t length1 = 0xdeadbeef;
+ TEST_EQUAL(mbedtls_ecp_write_key_ext(&key, &length1,
+ export1, sizeof(export1)), 0);
+ TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key2, export1, length1),
+ expected);
+ size_t length2 = 0xdeadbeef;
+ TEST_EQUAL(mbedtls_ecp_write_key_ext(&key2, &length2,
+ export2, sizeof(export2)), 0);
+ TEST_MEMORY_COMPARE(export1, length1,
+ export2, length2);
- ret = mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len);
- TEST_ASSERT(ret == expected);
-
- ret = mbedtls_ecp_write_key(&key2, export2, in_key->len);
- TEST_ASSERT(ret == 0);
-
+#if defined(MBEDTLS_TEST_DEPRECATED)
+ memset(export1, 0, sizeof(export1));
+ memset(export2, 0, sizeof(export2));
+ TEST_EQUAL(mbedtls_ecp_write_key(&key, export1, in_key->len), 0);
+ TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key2, export1, in_key->len),
+ expected);
+ TEST_EQUAL(mbedtls_ecp_write_key(&key2, export2, in_key->len), 0);
TEST_MEMORY_COMPARE(export1, in_key->len,
export2, in_key->len);
+#endif /* MBEDTLS_TEST_DEPRECATED */
}
}
@@ -1236,7 +1253,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_DEPRECATED */
void ecp_write_key(int grp_id, data_t *in_key,
int exported_size, int expected_ret)
{
@@ -1296,6 +1313,42 @@
}
/* END_CASE */
+/* BEGIN_CASE */
+void ecp_write_key_ext(int grp_id, data_t *in_key,
+ int exported_size, int expected_ret)
+{
+ mbedtls_ecp_keypair key;
+ mbedtls_ecp_keypair_init(&key);
+ unsigned char *exported = NULL;
+
+ if (in_key->len != 0) {
+ TEST_EQUAL(mbedtls_ecp_read_key(grp_id, &key, in_key->x, in_key->len), 0);
+ } else if (grp_id != MBEDTLS_ECP_DP_NONE) {
+ TEST_EQUAL(mbedtls_ecp_group_load(&key.grp, grp_id), 0);
+ }
+
+ TEST_CALLOC(exported, exported_size);
+ size_t olen = 0xdeadbeef;
+ TEST_EQUAL(mbedtls_ecp_write_key_ext(&key, &olen, exported, exported_size),
+ expected_ret);
+
+ if (expected_ret == 0) {
+ TEST_EQUAL(olen, (key.grp.nbits + 7) / 8);
+ TEST_LE_U(olen, MBEDTLS_ECP_MAX_BYTES);
+ TEST_MEMORY_COMPARE(in_key->x, in_key->len,
+ exported, olen);
+ } else {
+ /* Robustness check: even in the error case, insist that olen is less
+ * than the buffer size. */
+ TEST_LE_U(olen, exported_size);
+ }
+
+exit:
+ mbedtls_ecp_keypair_free(&key);
+ mbedtls_free(exported);
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_MONTGOMERY_ENABLED:MBEDTLS_ECP_LIGHT */
void genkey_mx_known_answer(int bits, data_t *seed, data_t *expected)
{
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 180cf76..3d75ad0 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -434,7 +434,7 @@
*/
mbedtls_svc_key_id_t pk_psa_genkey_ecc(void)
{
- mbedtls_svc_key_id_t key;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
const psa_key_type_t type =
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
@@ -456,7 +456,7 @@
*/
mbedtls_svc_key_id_t pk_psa_genkey_rsa(void)
{
- mbedtls_svc_key_id_t key;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
const psa_key_type_t type = PSA_KEY_TYPE_RSA_KEY_PAIR;
const size_t bits = 1024;
@@ -482,7 +482,7 @@
void pk_psa_utils(int key_is_rsa)
{
mbedtls_pk_context pk, pk2;
- mbedtls_svc_key_id_t key;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
const char * const name = "Opaque";
@@ -836,6 +836,7 @@
mbedtls_pk_context pub, prv, alt;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&pub);
@@ -873,9 +874,13 @@
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) {
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&prv, &opaque_key_id,
- PSA_ALG_ANY_HASH,
- PSA_KEY_USAGE_EXPORT, 0), 0);
+ /* Turn the prv PK context into an opaque one.*/
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH,
+ &opaque_key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0);
+ mbedtls_pk_free(&prv);
+ mbedtls_pk_init(&prv);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand,
NULL), ret);
}
@@ -1395,7 +1400,8 @@
mbedtls_mpi N, P, Q, E;
mbedtls_rsa_context *rsa;
mbedtls_pk_context pk;
- mbedtls_svc_key_id_t key_id;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
size_t olen;
mbedtls_pk_init(&pk);
@@ -1422,10 +1428,11 @@
TEST_EQUAL(mbedtls_rsa_complete(rsa), 0);
/* Turn PK context into an opaque one. */
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id,
- PSA_ALG_RSA_PKCS1V15_CRYPT,
- PSA_KEY_USAGE_DECRYPT,
- PSA_ALG_NONE), 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_DECRYPT, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
TEST_EQUAL(mbedtls_pk_get_bitlen(&pk), mod);
@@ -1635,10 +1642,9 @@
unsigned char pkey_legacy[200];
unsigned char pkey_psa[200];
unsigned char *pkey_legacy_start, *pkey_psa_start;
- psa_algorithm_t alg_psa;
size_t sig_len, klen_legacy, klen_psa;
int ret;
- mbedtls_svc_key_id_t key_id;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
/*
@@ -1660,7 +1666,6 @@
TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
mbedtls_test_rnd_std_rand, NULL,
curve_or_keybits, 3) == 0);
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
} else
#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
@@ -1671,8 +1676,6 @@
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0);
TEST_ASSERT(pk_genkey(&pk, grpid) == 0);
-
- alg_psa = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
} else
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
{
@@ -1699,9 +1702,11 @@
#endif /* MBEDTLS_PK_WRITE_C */
/* Turn PK context into an opaque one. */
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&pk, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &attributes), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &attributes, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type);
@@ -1821,13 +1826,13 @@
{
mbedtls_pk_context pk;
size_t sig_len, pkey_len;
- mbedtls_svc_key_id_t key_id;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
unsigned char pkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
unsigned char *pkey_start;
unsigned char hash[PSA_HASH_MAX_SIZE];
psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
- psa_algorithm_t psa_alg;
size_t hash_len = PSA_HASH_LENGTH(psa_md_alg);
void const *options = NULL;
mbedtls_pk_rsassa_pss_options rsassa_pss_options;
@@ -1844,6 +1849,10 @@
mbedtls_test_rnd_std_rand, NULL,
key_bits, 3), 0);
+ if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
+ mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE);
+ }
+
/* Export underlying public key for re-importing in a legacy context. */
ret = mbedtls_pk_write_pubkey_der(&pk, pkey, sizeof(pkey));
TEST_ASSERT(ret >= 0);
@@ -1852,18 +1861,12 @@
/* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */
pkey_start = pkey + sizeof(pkey) - pkey_len;
- if (key_pk_type == MBEDTLS_PK_RSA) {
- psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg);
- } else if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
- psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
- } else {
- TEST_ASSUME(!"PK key type not supported in this configuration");
- }
-
/* Turn PK context into an opaque one. */
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&pk, &key_id, psa_alg,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE), 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&pk, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&pk, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&pk);
+ mbedtls_pk_init(&pk);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, key_id), 0);
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index c760090..735c125 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -75,6 +75,7 @@
size_t buf_len, check_buf_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
USE_PSA_INIT();
@@ -117,10 +118,13 @@
/* Verify that pk_write works also for opaque private keys */
if (!is_public_key) {
memset(buf, 0, check_buf_len);
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&key, &opaque_id,
- PSA_ALG_NONE,
- PSA_KEY_USAGE_EXPORT,
- PSA_ALG_NONE), 0);
+ /* Turn the key PK context into an opaque one.
+ * Note: set some practical usage for the key to make get_psa_attributes() happy. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_MESSAGE, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &opaque_id), 0);
+ mbedtls_pk_free(&key);
+ mbedtls_pk_init(&key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&key, opaque_id), 0);
start_buf = buf;
buf_len = check_buf_len;
TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key,
@@ -172,6 +176,7 @@
size_t pub_key_len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_init(&priv_key);
@@ -194,9 +199,12 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_platform_zeroize(derived_key_raw, derived_key_len);
- TEST_EQUAL(mbedtls_pk_wrap_as_opaque(&priv_key, &opaque_key_id,
- PSA_ALG_NONE, PSA_KEY_USAGE_EXPORT,
- PSA_ALG_NONE), 0);
+ /* Turn the priv_key PK context into an opaque one. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&priv_key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&priv_key, &key_attr, &opaque_key_id), 0);
+ mbedtls_pk_free(&priv_key);
+ mbedtls_pk_init(&priv_key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&priv_key, opaque_key_id), 0);
TEST_EQUAL(mbedtls_pk_write_pubkey_der(&priv_key, derived_key_raw,
derived_key_len), pub_key_len);
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function
index c4e4c7d..ea8cb6b 100644
--- a/tests/suites/test_suite_psa_crypto_persistent_key.function
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.function
@@ -61,7 +61,7 @@
TEST_CALLOC(file_data, file_data_length);
psa_format_key_data_for_storage(key_data->x, key_data->len,
- &attributes.core,
+ &attributes,
file_data);
TEST_MEMORY_COMPARE(expected_file_data->x, expected_file_data->len,
@@ -90,7 +90,7 @@
status = psa_parse_key_data_from_storage(file_data->x, file_data->len,
&key_data, &key_data_length,
- &attributes.core);
+ &attributes);
TEST_EQUAL(status, expected_status);
if (status != PSA_SUCCESS) {
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
index 8e96984..e3681ba 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@@ -952,7 +952,7 @@
psa_set_key_slot_number(&attributes, min_slot);
if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
- attributes.core.id = returned_id;
+ attributes.id = returned_id;
} else {
psa_set_key_id(&attributes, returned_id);
}
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
index 6f28f93..b6d3a34 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
@@ -359,19 +359,19 @@
if (mock_alloc_return_value == PSA_SUCCESS) {
TEST_ASSERT(mbedtls_svc_key_id_equal(
- mock_import_data.attributes.core.id, id));
+ mock_import_data.attributes.id, id));
} else {
TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(
- mock_import_data.attributes.core.id) == 0);
+ mock_import_data.attributes.id) == 0);
TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
- mock_import_data.attributes.core.id) == 0);
+ mock_import_data.attributes.id) == 0);
}
- TEST_ASSERT(mock_import_data.attributes.core.lifetime ==
+ TEST_ASSERT(mock_import_data.attributes.lifetime ==
(mock_alloc_return_value == PSA_SUCCESS ? lifetime : 0));
- TEST_ASSERT(mock_import_data.attributes.core.policy.usage ==
+ TEST_ASSERT(mock_import_data.attributes.policy.usage ==
(mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_USAGE_EXPORT : 0));
- TEST_ASSERT(mock_import_data.attributes.core.type ==
+ TEST_ASSERT(mock_import_data.attributes.type ==
(mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_TYPE_RAW_DATA : 0));
if (expected_result == PSA_SUCCESS) {
@@ -474,19 +474,19 @@
if (mock_alloc_return_value == PSA_SUCCESS) {
TEST_ASSERT(mbedtls_svc_key_id_equal(
- mock_generate_data.attributes.core.id, id));
+ mock_generate_data.attributes.id, id));
} else {
TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(
- mock_generate_data.attributes.core.id) == 0);
+ mock_generate_data.attributes.id) == 0);
TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
- mock_generate_data.attributes.core.id) == 0);
+ mock_generate_data.attributes.id) == 0);
}
- TEST_ASSERT(mock_generate_data.attributes.core.lifetime ==
+ TEST_ASSERT(mock_generate_data.attributes.lifetime ==
(mock_alloc_return_value == PSA_SUCCESS ? lifetime : 0));
- TEST_ASSERT(mock_generate_data.attributes.core.policy.usage ==
+ TEST_ASSERT(mock_generate_data.attributes.policy.usage ==
(mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_USAGE_EXPORT : 0));
- TEST_ASSERT(mock_generate_data.attributes.core.type ==
+ TEST_ASSERT(mock_generate_data.attributes.type ==
(mock_alloc_return_value == PSA_SUCCESS ? PSA_KEY_TYPE_RAW_DATA : 0));
if (expected_result == PSA_SUCCESS) {
diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function
index 8564d35..94f26f6 100644
--- a/tests/suites/test_suite_psa_crypto_slot_management.function
+++ b/tests/suites/test_suite_psa_crypto_slot_management.function
@@ -458,7 +458,7 @@
* PSA key attributes APIs thus accessing to the attributes
* directly.
*/
- attributes.core.id = id;
+ attributes.id = id;
} else {
psa_set_key_id(&attributes, id);
}
@@ -992,7 +992,7 @@
* Check that we can now access the persistent key again.
*/
PSA_ASSERT(psa_get_key_attributes(persistent_key, &attributes));
- TEST_ASSERT(mbedtls_svc_key_id_equal(attributes.core.id,
+ TEST_ASSERT(mbedtls_svc_key_id_equal(attributes.id,
persistent_key));
/*
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 03ba09b..e95aada 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3321,3 +3321,39 @@
TLS 1.3 cli, maximum early data size, 93
tls13_cli_max_early_data_size:93
+
+TLS 1.3 srv, max early data size, dflt, wsz=96
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:96
+
+TLS 1.3 srv, max early data size, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:128
+
+TLS 1.3 srv, max early data size, 3, wsz=2
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:2
+
+TLS 1.3 srv, max early data size, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:3
+
+TLS 1.3 srv, max early data size, 98, wsz=23
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:98:23
+
+TLS 1.3 srv, max early data size, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:98:49
+
+TLS 1.3 srv, max early data size, server rejects, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1:128
+
+TLS 1.3 srv, max early data size, server rejects, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3:3
+
+TLS 1.3 srv, max early data size, server rejects, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:98:49
+
+TLS 1.3 srv, max early data size, HRR, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1:128
+
+TLS 1.3 srv, max early data size, HRR, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:3
+
+TLS 1.3 srv, max early data size, HRR, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 8a62621..0c9ccf1 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -18,6 +18,47 @@
#define TEST_EARLY_DATA_SERVER_REJECTS 2
#define TEST_EARLY_DATA_HRR 3
+#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
+ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \
+ defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA256) && \
+ defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \
+ defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+/*
+ * Test function to write early data for negative tests where
+ * mbedtls_ssl_write_early_data() cannot be used.
+ */
+static int write_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
+
+ TEST_ASSERT(ret > 0);
+ TEST_LE_U(len, (size_t) ret);
+
+ ret = mbedtls_ssl_flush_output(ssl);
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(ssl->out_left, 0);
+
+ ssl->out_msglen = len;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ if (len > 0) {
+ memcpy(ssl->out_msg, buf, len);
+ }
+
+ ret = mbedtls_ssl_write_record(ssl, 1);
+ TEST_EQUAL(ret, 0);
+
+ ret = len;
+
+exit:
+ return ret;
+}
+#endif
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -1131,6 +1172,8 @@
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT) == 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
+
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
/* Read previous record numbers */
@@ -2879,6 +2922,7 @@
mbedtls_ssl_conf_transport(&conf, transport);
mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version);
mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result);
TEST_EQUAL(mbedtls_ssl_conf_get_endpoint(
@@ -2920,6 +2964,8 @@
mbedtls_ssl_init(&ssl);
MD_OR_USE_PSA_INIT();
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
+
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL);
@@ -2951,6 +2997,7 @@
mbedtls_ssl_config conf;
mbedtls_ssl_config_init(&conf);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
@@ -3059,6 +3106,7 @@
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT),
0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
TEST_EQUAL(mbedtls_ssl_check_dtls_clihlo_cookie(&ssl, ssl.cli_id,
@@ -3113,6 +3161,7 @@
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)
== 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@@ -3371,6 +3420,7 @@
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT), 0);
+ mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
@@ -4159,6 +4209,10 @@
break;
case TEST_EARLY_DATA_HRR:
+ /*
+ * Remove server support for the group negotiated in
+ * mbedtls_test_get_tls13_ticket() forcing a HelloRetryRequest.
+ */
server_options.group_list = group_list + 1;
break;
@@ -4596,3 +4650,259 @@
PSA_DONE();
}
/* END_CASE */
+
+/*
+ * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is
+ * a temporary workaround to not run the test in Windows-2013 where there is
+ * an issue with mbedtls_vsnprintf().
+ */
+/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int write_size_arg)
+{
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+ mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
+ uint16_t group_list[3] = {
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+ };
+ char pattern[128];
+ unsigned char *buf_write = NULL;
+ uint32_t write_size = (uint32_t) write_size_arg;
+ unsigned char *buf_read = NULL;
+ uint32_t read_size;
+ uint32_t expanded_early_data_chunk_size = 0;
+ uint32_t written_early_data_size = 0;
+ uint32_t max_early_data_size;
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+ PSA_INIT();
+
+ TEST_CALLOC(buf_write, write_size);
+
+ /*
+ * Allocate a smaller buffer for early data reading to exercise the reading
+ * of data in one record in multiple calls.
+ */
+ read_size = (write_size / 2) + 1;
+ TEST_CALLOC(buf_read, read_size);
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.group_list = group_list;
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.group_list = group_list;
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.max_early_data_size = max_early_data_size_arg;
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
+ server_options.srv_log_obj = &server_pattern;
+ server_pattern.pattern = pattern;
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ ret = mbedtls_snprintf(pattern, sizeof(pattern),
+ "EarlyData: deprotect and discard app data records.");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+ mbedtls_debug_set_threshold(3);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ /*
+ * Remove server support for the group negotiated in
+ * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest.
+ */
+ server_options.group_list = group_list + 1;
+ ret = mbedtls_snprintf(
+ pattern, sizeof(pattern),
+ "EarlyData: Ignore application message before 2nd ClientHello");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+ mbedtls_debug_set_threshold(3);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ max_early_data_size = saved_session.max_early_data_size;
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Start an handshake based on the ticket up to the point where early data
+ * can be sent from client side. Then send in a loop as much early data as
+ * possible without going over the maximum permitted size for the ticket.
+ * Finally, do a last writting to go past that maximum permitted size and
+ * check that we detect it.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_HELLO), 0);
+
+ TEST_ASSERT(client_ep.ssl.early_data_status !=
+ MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
+
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+
+ /*
+ * Write and if possible read as much as possible chunks of write_size
+ * bytes data without getting over the max_early_data_size limit.
+ */
+ do {
+ uint32_t read_early_data_size = 0;
+
+ /*
+ * The contents of the early data are not very important, write a
+ * pattern that varies byte-by-byte and is different for every chunk of
+ * early data.
+ */
+ if ((written_early_data_size + write_size) > max_early_data_size) {
+ break;
+ }
+
+ /*
+ * If the server rejected early data, base the determination of when
+ * to stop the loop on the expanded size (padding and encryption
+ * expansion) of early data on server side and the number of early data
+ * received so far by the server (multiple of the expanded size).
+ */
+ if ((expanded_early_data_chunk_size != 0) &&
+ ((server_ep.ssl.total_early_data_size +
+ expanded_early_data_chunk_size) > max_early_data_size)) {
+ break;
+ }
+
+ for (size_t i = 0; i < write_size; i++) {
+ buf_write[i] = (unsigned char) (written_early_data_size + i);
+ }
+
+ ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
+ TEST_EQUAL(ret, write_size);
+ written_early_data_size += write_size;
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ while (read_early_data_size < write_size) {
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
+
+ ret = mbedtls_ssl_read_early_data(&(server_ep.ssl),
+ buf_read, read_size);
+ TEST_ASSERT(ret > 0);
+
+ TEST_MEMORY_COMPARE(buf_read, ret,
+ buf_write + read_early_data_size, ret);
+ read_early_data_size += ret;
+
+ TEST_EQUAL(server_ep.ssl.total_early_data_size,
+ written_early_data_size);
+ }
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ /*
+ * In this write loop we try to always stay below the
+ * max_early_data_size limit but if max_early_data_size is very
+ * small we may exceed the max_early_data_size limit on the
+ * first write. In TEST_EARLY_DATA_SERVER_REJECTS/
+ * TEST_EARLY_DATA_HRR scenario, this is for sure the case if
+ * max_early_data_size is smaller than the smallest possible
+ * inner content/protected record. Take into account this
+ * possibility here but only for max_early_data_size values
+ * that are close to write_size. Below, '1' is for the inner
+ * type byte and '16' is to take into account some AEAD
+ * expansion (tag, ...).
+ */
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
+ if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) {
+ TEST_LE_U(max_early_data_size,
+ write_size + 1 +
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
+ } else {
+ TEST_LE_U(max_early_data_size,
+ write_size + 1 + 16 +
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
+ }
+ goto exit;
+ }
+
+ TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ);
+
+ TEST_EQUAL(server_pattern.counter, 1);
+ server_pattern.counter = 0;
+ if (expanded_early_data_chunk_size == 0) {
+ expanded_early_data_chunk_size = server_ep.ssl.total_early_data_size;
+ }
+ break;
+ }
+ TEST_LE_U(server_ep.ssl.total_early_data_size, max_early_data_size);
+ } while (1);
+
+ mbedtls_debug_set_threshold(3);
+ ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
+ TEST_EQUAL(ret, write_size);
+
+ ret = mbedtls_snprintf(pattern, sizeof(pattern),
+ "EarlyData: Too much early data received");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ TEST_EQUAL(server_pattern.counter, 1);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ mbedtls_free(buf_write);
+ mbedtls_free(buf_read);
+ mbedtls_debug_set_threshold(0);
+ PSA_DONE();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 2b0920d..754660c 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -3155,6 +3155,18 @@
depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
x509parse_crt_file:"data_files/parse_input/server5.crt":0
+X509 File parse & read the ca_istrue field (Not Set)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_get_ca_istrue:"data_files/parse_input/server1.crt":0
+
+X509 File parse & read the ca_istrue field (Set)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1
+mbedtls_x509_get_ca_istrue:"data_files/test-ca.crt":1
+
+X509 File parse & read the ca_istrue field (Legacy Certificate)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256
+mbedtls_x509_get_ca_istrue:"data_files/server1-v1.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+
X509 Get time (UTC no issues)
depends_on:MBEDTLS_X509_USE_C
x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 66477e0..f3ae0f4 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1083,6 +1083,21 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */
+void mbedtls_x509_get_ca_istrue(char *crt_file, int result)
+{
+ mbedtls_x509_crt crt;
+ mbedtls_x509_crt_init(&crt);
+ USE_PSA_INIT();
+
+ TEST_EQUAL(mbedtls_x509_crt_parse_file(&crt, crt_file), 0);
+ TEST_EQUAL(mbedtls_x509_crt_get_ca_istrue(&crt), result);
+exit:
+ mbedtls_x509_crt_free(&crt);
+ USE_PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
void x509parse_crt(data_t *buf, char *result_str, int result)
{
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 3d84c72..1db7e1c 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -284,7 +284,7 @@
{
mbedtls_pk_context key;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
- psa_algorithm_t md_alg_psa, alg_psa;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_x509write_csr req;
unsigned char buf[4096];
int ret;
@@ -297,24 +297,16 @@
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
- md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
- TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
-
mbedtls_pk_init(&key);
TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL) == 0);
- if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) {
- alg_psa = PSA_ALG_ECDSA(md_alg_psa);
- } else if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) {
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
- } else {
- TEST_ASSUME(!"PK key type not supported in this configuration");
- }
-
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&key, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ /* Turn the PK context into an opaque one. */
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&key, PSA_KEY_USAGE_SIGN_HASH, &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&key);
+ mbedtls_pk_init(&key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
mbedtls_x509write_csr_set_md_alg(&req, md_type);
mbedtls_x509write_csr_set_key(&req, &key);
@@ -373,6 +365,7 @@
mbedtls_test_rnd_pseudo_info rnd_info;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif
mbedtls_pk_type_t issuer_key_type;
mbedtls_x509_san_list san_ip;
@@ -451,24 +444,14 @@
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* For Opaque PK contexts, wrap key as an Opaque RSA context. */
+ /* Turn the issuer PK context into an opaque one. */
if (pk_wrap == 2) {
- psa_algorithm_t alg_psa, md_alg_psa;
-
- md_alg_psa = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) md_type);
- TEST_ASSERT(md_alg_psa != MBEDTLS_MD_NONE);
-
- if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_ECKEY) {
- alg_psa = PSA_ALG_ECDSA(md_alg_psa);
- } else if (mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_RSA) {
- alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(md_alg_psa);
- } else {
- TEST_ASSUME(!"PK key type not supported in this configuration");
- }
-
- TEST_ASSERT(mbedtls_pk_wrap_as_opaque(&issuer_key, &key_id, alg_psa,
- PSA_KEY_USAGE_SIGN_HASH,
- PSA_ALG_NONE) == 0);
+ TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH,
+ &key_attr), 0);
+ TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
+ mbedtls_pk_free(&issuer_key);
+ mbedtls_pk_init(&issuer_key);
+ TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */