Merge branch 'mbedtls-2.28-restricted' into mbedtls-2.28.5rc0-pr
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
diff --git a/.travis.yml b/.travis.yml
index 0ffe249..3b4132e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,93 +1,24 @@
-language: c
-compiler: gcc
-sudo: false
+# Declare python as our language. This way we get our chosen Python version,
+# and pip is available. Gcc and clang are available anyway.
+dist: jammy
+os: linux
+language: python
+python: 3.10
+
cache: ccache
-jobs:
- include:
- - name: basic checks and reference configurations
- addons:
- apt:
- packages:
- - gnutls-bin
- - doxygen
- - graphviz
- - gcc-arm-none-eabi
- - libnewlib-arm-none-eabi
- - gcc-arm-linux-gnueabi
- - libc6-dev-armel-cross
- language: python # Needed to get pip for Python 3
- python: 3.5 # version from Ubuntu 16.04
- install:
- - scripts/min_requirements.py
- script:
- - tests/scripts/all.sh -k 'check_*'
- - tests/scripts/all.sh -k test_default_out_of_box
- - tests/scripts/all.sh -k test_ref_configs
- - tests/scripts/all.sh -k build_arm_linux_gnueabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus
+branches:
+ only:
+ coverity_scan
- - name: full configuration
- os: linux
- dist: focal
- addons:
- apt:
- packages:
- - clang-10
- - gnutls-bin
- env:
- # Platform tests have an allocation that returns null
- - ASAN_OPTIONS="allocator_may_return_null=1"
- - MSAN_OPTIONS="allocator_may_return_null=1"
- script:
- # Do a manual build+test sequence rather than using all.sh,
- # because there's no all.sh component that does what we want,
- # which is a build with Clang >= 10 and ASan, running all the SSL
- # testing.
- # - The clang executable in the default PATH is Clang 7 on
- # Travis's focal instances, but we want Clang >= 10.
- # - Running all the SSL testing requires a specific set of
- # OpenSSL and GnuTLS versions and we don't want to bother
- # with those on Travis.
- # So we explicitly select clang-10 as the compiler, and we
- # have ad hoc restrictions on SSL testing based on what is
- # passing at the time of writing. We will remove these limitations
- # gradually.
- - make CC=clang-10 CFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all -O2' LDFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all'
- - make test
- - programs/test/selftest
- - tests/scripts/test_psa_constant_names.py
- # Exclude a few test cases that are failing mysteriously.
- # https://github.com/Mbed-TLS/mbedtls/issues/6660
- - tests/ssl-opt.sh -e 'Fallback SCSV:\ .*list'
- # Modern OpenSSL does not support null or ancient ciphers.
- - tests/compat.sh -p OpenSSL -e 'NULL\|DES\|RC4'
- - tests/scripts/travis-log-failure.sh
- # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it.
- # Modern GnuTLS does not support DES.
- # One NULL cipher suite is strangely missing in pre-1.2 protocol
- # versions (it works with (D)TLS1.2, but don't bother).
- - tests/compat.sh -p GnuTLS -e 'CAMELLIA\|DES\|TLS-RSA-WITH-NULL-SHA256'
- - tests/scripts/travis-log-failure.sh
- - tests/context-info.sh
-
- - name: Windows
- os: windows
- script:
- - scripts/windows_msbuild.bat v141 # Visual Studio 2017
- - visualc/VS2010/x64/Release/selftest.exe --ci
-
-after_failure:
-- tests/scripts/travis-log-failure.sh
+install:
+ - $PYTHON scripts/min_requirements.py
env:
global:
- SEED=1
- - secure: "JECCru6HASpKZ0OLfHh8f/KXhKkdrCwjquZghd/qbA4ksxsWImjR7KEPERcaPndXEilzhDbKwuFvJiQX2duVgTGoq745YGhLZIjzo1i8tySkceCVd48P8WceYGz+F/bmY7r+m6fFNuxDSoGGSVeA4Lnjvmm8PFUP45YodDV9no4="
-
+ - secure: "GF/Fde5fkm15T/RNykrjrPV5Uh1KJ70cP308igL6Xkk3eJmqkkmWCe9JqRH12J3TeWw2fu9PYPHt6iFSg6jasgqysfUyg+W03knRT5QNn3h5eHgt36cQJiJr6t3whPrRaiM6U9omE0evm+c0cAwlkA3GGSMw8Z+na4EnKI6OFCo="
addons:
- apt:
- packages:
- - gnutls-bin
coverity_scan:
project:
name: "ARMmbed/mbedtls"
diff --git a/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt b/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt
new file mode 100644
index 0000000..6f091bb
--- /dev/null
+++ b/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
+ error code on failure. Before, they returned 1 to indicate failure in
+ some cases involving a missing entry or a full cache.
diff --git a/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt b/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
new file mode 100644
index 0000000..22e8adb
--- /dev/null
+++ b/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
+ MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
diff --git a/include/mbedtls/aesni.h b/include/mbedtls/aesni.h
index 6741dea..0da40a0 100644
--- a/include/mbedtls/aesni.h
+++ b/include/mbedtls/aesni.h
@@ -36,16 +36,20 @@
#define MBEDTLS_AESNI_AES 0x02000000u
#define MBEDTLS_AESNI_CLMUL 0x00000002u
-/* Can we do AESNI with inline assembly?
- * (Only implemented with gas syntax, only for 64-bit.)
- */
-#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
- (defined(__amd64__) || defined(__x86_64__)) && \
- !defined(MBEDTLS_HAVE_X86_64)
+#if !defined(MBEDTLS_HAVE_X86_64) && \
+ (defined(__amd64__) || defined(__x86_64__) || \
+ defined(_M_X64) || defined(_M_AMD64)) && \
+ !defined(_M_ARM64EC)
#define MBEDTLS_HAVE_X86_64
#endif
-#if defined(MBEDTLS_AESNI_C)
+#if !defined(MBEDTLS_HAVE_X86) && \
+ (defined(__i386__) || defined(_M_IX86))
+#define MBEDTLS_HAVE_X86
+#endif
+
+#if defined(MBEDTLS_AESNI_C) && \
+ (defined(MBEDTLS_HAVE_X86_64) || defined(MBEDTLS_HAVE_X86))
/* Can we do AESNI with intrinsics?
* (Only implemented with certain compilers, only for certain targets.)
@@ -72,7 +76,11 @@
* favor the assembly-based implementation if it's available. We intend to
* revise this in a later release of Mbed TLS 3.x. In the long run, we will
* likely remove the assembly implementation. */
-#if defined(MBEDTLS_HAVE_X86_64)
+#if defined(MBEDTLS_HAVE_ASM) && \
+ defined(__GNUC__) && defined(MBEDTLS_HAVE_X86_64)
+/* Can we do AESNI with inline assembly?
+ * (Only implemented with gas syntax, only for 64-bit.)
+ */
#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
#elif defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
@@ -168,6 +176,6 @@
#endif
#endif /* MBEDTLS_AESNI_HAVE_CODE */
-#endif /* MBEDTLS_AESNI_C */
+#endif /* MBEDTLS_AESNI_C && (MBEDTLS_HAVE_X86_64 || MBEDTLS_HAVE_X86) */
#endif /* MBEDTLS_AESNI_H */
diff --git a/include/mbedtls/padlock.h b/include/mbedtls/padlock.h
index 01069ea..076fd60 100644
--- a/include/mbedtls/padlock.h
+++ b/include/mbedtls/padlock.h
@@ -44,9 +44,12 @@
#endif
/* Some versions of ASan result in errors about not enough registers */
-#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_ASM) && \
+ defined(__GNUC__) && defined(__i386__) && \
!defined(MBEDTLS_HAVE_ASAN)
+#define MBEDTLS_VIA_PADLOCK_HAVE_CODE
+
#ifndef MBEDTLS_HAVE_X86
#define MBEDTLS_HAVE_X86
#endif
@@ -120,6 +123,7 @@
}
#endif
-#endif /* HAVE_X86 */
+#endif /* MBEDTLS_PADLOCK_C && MBEDTLS_HAVE_ASM &&
+ __GNUC__ && __i386__ && !MBEDTLS_HAVE_ASAN */
#endif /* padlock.h */
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index cc9a270..3ec558b 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -193,6 +193,8 @@
#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000
/** Invalid value in SSL config */
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80
+/** Cache entry not found */
+#define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND -0x5E00
/*
* Various constants
diff --git a/include/mbedtls/ssl_cache.h b/include/mbedtls/ssl_cache.h
index e358c6c..b1ea801 100644
--- a/include/mbedtls/ssl_cache.h
+++ b/include/mbedtls/ssl_cache.h
@@ -99,6 +99,11 @@
*
* \param data SSL cache context
* \param session session to retrieve entry for
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is
+ * no cache entry with specified session ID found, or
+ * any other negative error code for other failures.
*/
int mbedtls_ssl_cache_get(void *data, mbedtls_ssl_session *session);
@@ -108,6 +113,9 @@
*
* \param data SSL cache context
* \param session session to store entry for
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_ssl_cache_set(void *data, const mbedtls_ssl_session *session);
diff --git a/library/aes.c b/library/aes.c
index d5a45fd..d2a3c89 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -50,7 +50,7 @@
#define AES_VALIDATE(cond) \
MBEDTLS_INTERNAL_VALIDATE(cond)
-#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
static int aes_padlock_ace = -1;
#endif
@@ -548,7 +548,7 @@
* Note that the offset is in units of elements of buf, i.e. 32-bit words,
* i.e. an offset of 1 means 4 bytes and so on.
*/
-#if (defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)) || \
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) || \
(defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
#define MAY_NEED_TO_ALIGN
#endif
@@ -560,7 +560,7 @@
#if defined(MAY_NEED_TO_ALIGN)
int align_16_bytes = 0;
-#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
if (aes_padlock_ace == -1) {
aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
}
@@ -1076,7 +1076,7 @@
}
#endif
-#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
if (aes_padlock_ace) {
return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
}
@@ -1115,7 +1115,7 @@
return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
}
-#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
if (aes_padlock_ace) {
if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
return 0;
@@ -1875,7 +1875,7 @@
#if defined(MBEDTLS_AES_ALT)
mbedtls_printf(" AES note: alternative implementation.\n");
#else /* MBEDTLS_AES_ALT */
-#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
mbedtls_printf(" AES note: using VIA Padlock.\n");
} else
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 3ede933..2fcb2fb 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -240,6 +240,19 @@
}
#endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */
+int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)
+{
+ switch (gid) {
+#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ case MBEDTLS_ECP_DP_CURVE25519: return 0;
+#endif
+#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
+ case MBEDTLS_ECP_DP_CURVE448: return 0;
+#endif
+ default: return 1;
+ }
+}
+
#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
/*
* Compute ECDSA signature of a hashed message (SEC1 4.1.3)
@@ -379,19 +392,6 @@
return ret;
}
-int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)
-{
- switch (gid) {
-#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
- case MBEDTLS_ECP_DP_CURVE25519: return 0;
-#endif
-#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
- case MBEDTLS_ECP_DP_CURVE448: return 0;
-#endif
- default: return 1;
- }
-}
-
/*
* Compute ECDSA signature of a hashed message
*/
diff --git a/library/error.c b/library/error.c
index f4826c8..6aa4b92 100644
--- a/library/error.c
+++ b/library/error.c
@@ -518,6 +518,8 @@
return( "SSL - A cryptographic operation is in progress. Try again later" );
case -(MBEDTLS_ERR_SSL_BAD_CONFIG):
return( "SSL - Invalid value in SSL config" );
+ case -(MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND):
+ return( "SSL - Cache entry not found" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
diff --git a/library/padlock.c b/library/padlock.c
index 303f82c7..c09d31f 100644
--- a/library/padlock.c
+++ b/library/padlock.c
@@ -37,7 +37,7 @@
#endif
/* *INDENT-ON* */
-#if defined(MBEDTLS_HAVE_X86)
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
/*
* PadLock detection routine
@@ -161,6 +161,6 @@
return 0;
}
-#endif /* MBEDTLS_HAVE_X86 */
+#endif /* MBEDTLS_VIA_PADLOCK_HAVE_CODE */
#endif /* MBEDTLS_PADLOCK_C */
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index 0f0e610..6082074 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -26,6 +26,7 @@
#if defined(MBEDTLS_SSL_CACHE_C)
#include "mbedtls/platform.h"
+#include "mbedtls/error.h"
#include "mbedtls/ssl_cache.h"
#include "mbedtls/ssl_internal.h"
@@ -46,7 +47,7 @@
int mbedtls_ssl_cache_get(void *data, mbedtls_ssl_session *session)
{
- int ret = 1;
+ int ret = MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND;
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t t = mbedtls_time(NULL);
#endif
@@ -54,8 +55,8 @@
mbedtls_ssl_cache_entry *cur, *entry;
#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_lock(&cache->mutex) != 0) {
- return 1;
+ if ((ret = mbedtls_mutex_lock(&cache->mutex)) != 0) {
+ return ret;
}
#endif
@@ -81,7 +82,6 @@
ret = mbedtls_ssl_session_copy(session, &entry->session);
if (ret != 0) {
- ret = 1;
goto exit;
}
@@ -97,16 +97,15 @@
if ((session->peer_cert = mbedtls_calloc(1,
sizeof(mbedtls_x509_crt))) == NULL) {
- ret = 1;
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
mbedtls_x509_crt_init(session->peer_cert);
- if (mbedtls_x509_crt_parse(session->peer_cert, entry->peer_cert.p,
- entry->peer_cert.len) != 0) {
+ if ((ret = mbedtls_x509_crt_parse(session->peer_cert, entry->peer_cert.p,
+ entry->peer_cert.len)) != 0) {
mbedtls_free(session->peer_cert);
session->peer_cert = NULL;
- ret = 1;
goto exit;
}
}
@@ -119,7 +118,7 @@
exit:
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_unlock(&cache->mutex) != 0) {
- ret = 1;
+ ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
}
#endif
@@ -128,7 +127,7 @@
int mbedtls_ssl_cache_set(void *data, const mbedtls_ssl_session *session)
{
- int ret = 1;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t t = mbedtls_time(NULL), oldest = 0;
mbedtls_ssl_cache_entry *old = NULL;
@@ -179,7 +178,9 @@
*/
if (count >= cache->max_entries) {
if (old == NULL) {
- ret = 1;
+ /* This should only happen on an ill-configured cache
+ * with max_entries == 0. */
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto exit;
}
@@ -192,7 +193,7 @@
*/
if (count >= cache->max_entries) {
if (cache->chain == NULL) {
- ret = 1;
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto exit;
}
@@ -208,7 +209,7 @@
*/
cur = mbedtls_calloc(1, sizeof(mbedtls_ssl_cache_entry));
if (cur == NULL) {
- ret = 1;
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
@@ -242,7 +243,6 @@
* field anymore in the first place, and we're done after this call. */
ret = mbedtls_ssl_session_copy(&cur->session, session);
if (ret != 0) {
- ret = 1;
goto exit;
}
@@ -253,7 +253,7 @@
cur->peer_cert.p =
mbedtls_calloc(1, cur->session.peer_cert->raw.len);
if (cur->peer_cert.p == NULL) {
- ret = 1;
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
@@ -273,7 +273,7 @@
exit:
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_unlock(&cache->mutex) != 0) {
- ret = 1;
+ ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
}
#endif
diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c
index beac5d5..5c47cb4 100644
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@@ -294,7 +294,6 @@
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf(" connection was closed gracefully\n");
- ret = 0;
goto close_notify;
default:
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index 2128d02..38833cf 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -331,7 +331,6 @@
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
printf(" connection was closed gracefully\n");
- ret = 0;
goto close_notify;
default:
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index c01bf13..c3c5149 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3437,7 +3437,6 @@
switch (ret) {
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
mbedtls_printf(" connection was closed gracefully\n");
- ret = 0;
goto close_notify;
default:
diff --git a/tests/configs/user-config-for-test.h b/tests/configs/user-config-for-test.h
index fbec4f4..ed30be5 100644
--- a/tests/configs/user-config-for-test.h
+++ b/tests/configs/user-config-for-test.h
@@ -23,11 +23,31 @@
*/
#if defined(PSA_CRYPTO_DRIVER_TEST_ALL)
+/* PSA_CRYPTO_DRIVER_TEST_ALL activates test drivers while keeping the
+ * built-in implementations active. Normally setting MBEDTLS_PSA_ACCEL_xxx
+ * would disable MBEDTLS_PSA_BUILTIN_xxx unless fallback is activated, but
+ * here we arrange to have both active so that psa_crypto_*.c includes
+ * the built-in implementations and the driver code can call the built-in
+ * implementations.
+ *
+ * The point of this test mode is to verify that the
+ * driver entry points are called when they should be in a lightweight
+ * way, without requiring an actual driver. This is different from builds
+ * with libtestdriver1, where we make a copy of the library source code
+ * and use that as an external driver.
+ */
/* Enable the use of the test driver in the library, and build the generic
* part of the test driver. */
#define PSA_CRYPTO_DRIVER_TEST
+/* With MBEDTLS_PSA_CRYPTO_CONFIG, if we set up the acceleration, the
+ * built-in implementations won't be enabled. */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#error \
+ "PSA_CRYPTO_DRIVER_TEST_ALL sets up a nonstandard configuration that is incompatible with MBEDTLS_PSA_CRYPTO_CONFIG"
+#endif
+
/* Use the accelerator driver for all cryptographic mechanisms for which
* the test driver implemented. */
#define MBEDTLS_PSA_ACCEL_KEY_TYPE_AES
diff --git a/tests/configs/config-wrapper-malloc-0-null.h b/tests/configs/user-config-malloc-0-null.h
similarity index 82%
rename from tests/configs/config-wrapper-malloc-0-null.h
rename to tests/configs/user-config-malloc-0-null.h
index 622ac57..366dfc4 100644
--- a/tests/configs/config-wrapper-malloc-0-null.h
+++ b/tests/configs/user-config-malloc-0-null.h
@@ -1,4 +1,4 @@
-/* config.h wrapper that forces calloc(0) to return NULL.
+/* config.h modifier that forces calloc(0) to return NULL.
* Used for testing.
*/
/*
@@ -18,11 +18,6 @@
* limitations under the License.
*/
-#ifndef MBEDTLS_CONFIG_H
-/* Don't #define MBEDTLS_CONFIG_H, let config.h do it. */
-
-#include "mbedtls/config.h"
-
#include <stdlib.h>
#ifndef MBEDTLS_PLATFORM_STD_CALLOC
@@ -37,5 +32,3 @@
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_PLATFORM_STD_CALLOC custom_calloc
#endif
-
-#endif /* MBEDTLS_CONFIG_H */
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 19c9cc5..afb4a9d 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2122,7 +2122,6 @@
}
component_test_psa_crypto_config_no_driver() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG
msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
@@ -2134,24 +2133,33 @@
make test
}
-component_test_psa_crypto_config_chachapoly_disabled() {
- # full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305
- msg "build: full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305"
+component_test_aead_chachapoly_disabled() {
+ msg "build: full minus CHACHAPOLY"
scripts/config.py full
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_GCM
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_CHACHA20_POLY1305
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
- msg "test: full minus MBEDTLS_CHACHAPOLY_C without PSA_WANT_ALG_GCM and PSA_WANT_ALG_CHACHA20_POLY1305"
+ msg "test: full minus CHACHAPOLY"
+ make test
+}
+
+component_test_aead_only_ccm() {
+ msg "build: full minus CHACHAPOLY and GCM"
+ scripts/config.py full
+ scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ scripts/config.py unset MBEDTLS_GCM_C
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: full minus CHACHAPOLY and GCM"
make test
}
# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test.
component_build_psa_accel_alg_ecdh() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDH
- # without MBEDTLS_ECDH_C
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2168,8 +2176,7 @@
# This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test.
component_build_psa_accel_key_type_ecc_key_pair() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2182,8 +2189,7 @@
# This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test.
component_build_psa_accel_key_type_ecc_public_key() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2196,8 +2202,7 @@
# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
component_build_psa_accel_alg_hmac() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2208,9 +2213,7 @@
# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test.
component_build_psa_accel_alg_hkdf() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HKDF
- # without MBEDTLS_HKDF_C
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2224,8 +2227,7 @@
# This should be renamed to test and updated once the accelerator MD2 code is in place and ready to test.
component_build_psa_accel_alg_md2() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_MD2 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD2 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD2 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2244,8 +2246,7 @@
# This should be renamed to test and updated once the accelerator MD4 code is in place and ready to test.
component_build_psa_accel_alg_md4() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_MD4 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD4 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD4 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2264,8 +2265,7 @@
# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test.
component_build_psa_accel_alg_md5() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_MD5 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD5 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2284,8 +2284,7 @@
# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test.
component_build_psa_accel_alg_ripemd160() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RIPEMD160 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RIPEMD160 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2304,8 +2303,7 @@
# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test.
component_build_psa_accel_alg_sha1() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_1 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_1 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2324,8 +2322,7 @@
# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test.
component_build_psa_accel_alg_sha224() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_224 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_224 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2343,8 +2340,7 @@
# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test.
component_build_psa_accel_alg_sha256() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_256 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_256 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2363,8 +2359,7 @@
# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test.
component_build_psa_accel_alg_sha384() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_384 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_384 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2382,8 +2377,7 @@
# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test.
component_build_psa_accel_alg_sha512() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_SHA_512 without other hashes
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_512 - other hashes"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2402,8 +2396,7 @@
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
component_build_psa_accel_alg_rsa_pkcs1v15_crypt() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_CRYPT
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2418,8 +2411,7 @@
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
component_build_psa_accel_alg_rsa_pkcs1v15_sign() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_SIGN and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2434,8 +2426,7 @@
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
component_build_psa_accel_alg_rsa_oaep() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_OAEP and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2450,8 +2441,7 @@
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
component_build_psa_accel_alg_rsa_pss() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PSS and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2466,8 +2456,7 @@
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
component_build_psa_accel_key_type_rsa_key_pair() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_KEY_PAIR and PSA_WANT_ALG_RSA_PSS
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2480,8 +2469,7 @@
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
component_build_psa_accel_key_type_rsa_public_key() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY and PSA_WANT_ALG_RSA_PSS
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS"
+ msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -2834,7 +2822,7 @@
component_test_malloc_0_null () {
msg "build: malloc(0) returns NULL (ASan+UBSan build)"
scripts/config.py full
- make CC=gcc CFLAGS="'-DMBEDTLS_CONFIG_FILE=\"$PWD/tests/configs/config-wrapper-malloc-0-null.h\"' $ASAN_CFLAGS -O" LDFLAGS="$ASAN_CFLAGS"
+ make CC=gcc CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS -O" LDFLAGS="$ASAN_CFLAGS"
msg "test: malloc(0) returns NULL (ASan+UBSan build)"
make test
@@ -2928,17 +2916,16 @@
}
component_test_psa_crypto_drivers () {
- msg "build: MBEDTLS_PSA_CRYPTO_DRIVERS w/ driver hooks"
+ msg "build: full + test drivers dispatching to builtins"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
- scripts/config.py set MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL"
loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
loc_cflags="${loc_cflags} -I../tests/include -O2"
make CC=gcc CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
- msg "test: full + MBEDTLS_PSA_CRYPTO_DRIVERS"
+ msg "test: full + test drivers dispatching to builtins"
make test
}
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index e49f37e..0a35aa9 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1385,19 +1385,16 @@
ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec,
mbedtls_test_rnd_std_rand, NULL);
- if ((mode == 1 || mode == 2) && seen_success) {
- TEST_ASSERT(ret == 0);
- } else {
- TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
- if (ret == 0) {
- seen_success = 1;
- }
- }
-
- if (ret != 0) {
+ if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
+ /* It's ok if the output buffer is too small. We do insist
+ * on at least one mode succeeding; this is tracked by
+ * seen_success. */
continue;
}
+ TEST_EQUAL(ret, 0);
+ seen_success = 1;
+
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if (rec.cid_len != 0) {
/* DTLS 1.2 + CID hides the real content type and