Merge pull request #6982 from aditya-deshpande-arm/check-files-characters
check_files.py: Allow specific Box Drawing characters to be used
diff --git a/.travis.yml b/.travis.yml
index eaf817a..54df776 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -53,7 +53,7 @@
- tests/scripts/test_psa_constant_names.py
- tests/ssl-opt.sh
# Modern OpenSSL does not support fixed ECDH or null ciphers.
- - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-'
+ - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH_'
- tests/scripts/travis-log-failure.sh
# GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it.
- tests/compat.sh -p GnuTLS -e 'CAMELLIA'
diff --git a/.uncrustify.cfg b/.uncrustify.cfg
index 7ce0905..92b8ce9 100644
--- a/.uncrustify.cfg
+++ b/.uncrustify.cfg
@@ -19,8 +19,6 @@
# limitations under the License.
-# Line length options
-
# Wrap lines at 100 characters
code_width = 100
diff --git a/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt b/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt
new file mode 100644
index 0000000..0a90721
--- /dev/null
+++ b/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
+ Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
+ Aaron Ucko under Valgrind.
diff --git a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt
new file mode 100644
index 0000000..1764c2f
--- /dev/null
+++ b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt
@@ -0,0 +1,19 @@
+Bugfix
+ * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
+ whose binary representation is longer than 20 bytes. This was already
+ forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
+ enforced also at code level.
+
+New deprecations
+ * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
+ mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
+ direct dependency of X509 on BIGNUM_C.
+
+Changes
+ * programs/x509/cert_write:
+ - now it accepts the serial number in 2 different formats: decimal and
+ hex. They cannot be used simultaneously
+ - "serial" is used for the decimal format and it's limted in size to
+ unsigned long long int
+ - "serial_hex" is used for the hex format; max length here is
+ MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 661f8aa..7c3a625 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -197,7 +197,7 @@
#define MBEDTLS_X509_CRT_VERSION_2 1
#define MBEDTLS_X509_CRT_VERSION_3 2
-#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
+#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 20
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
#if !defined(MBEDTLS_X509_MAX_FILE_PATH_LEN)
@@ -277,7 +277,8 @@
*/
typedef struct mbedtls_x509write_cert {
int MBEDTLS_PRIVATE(version);
- mbedtls_mpi MBEDTLS_PRIVATE(serial);
+ unsigned char MBEDTLS_PRIVATE(serial)[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN];
+ size_t MBEDTLS_PRIVATE(serial_len);
mbedtls_pk_context *MBEDTLS_PRIVATE(subject_key);
mbedtls_pk_context *MBEDTLS_PRIVATE(issuer_key);
mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject);
@@ -986,15 +987,43 @@
*/
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version);
+#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
/**
* \brief Set the serial number for a Certificate.
*
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library. Please use
+ * mbedtls_x509write_crt_set_serial_raw() instead.
+ *
+ * \note Even though the MBEDTLS_BIGNUM_C guard looks redundant since
+ * X509 depends on PK and PK depends on BIGNUM, this emphasizes
+ * a direct dependency between X509 and BIGNUM which is going
+ * to be deprecated in the future.
+ *
* \param ctx CRT context to use
* \param serial serial number to set
*
* \return 0 if successful
*/
-int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial);
+int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial(
+ mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial);
+#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
+
+/**
+ * \brief Set the serial number for a Certificate.
+ *
+ * \param ctx CRT context to use
+ * \param serial A raw array of bytes containing the serial number in big
+ * endian format
+ * \param serial_len Length of valid bytes (expressed in bytes) in \p serial
+ * input buffer
+ *
+ * \return 0 if successful, or
+ * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer
+ * is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN)
+ */
+int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
+ unsigned char *serial, size_t serial_len);
/**
* \brief Set the validity period for a Certificate
diff --git a/library/bignum.c b/library/bignum.c
index 9bc1c2d..41b3a26 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1009,7 +1009,7 @@
/* Set the high limbs of X to match A. Don't touch the lower limbs
* because X might be aliased to B, and we must not overwrite the
* significant digits of B. */
- if (A->n > n) {
+ if (A->n > n && A != X) {
memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
}
if (X->n > A->n) {
diff --git a/library/bignum_core.h b/library/bignum_core.h
index 44d5c5a..4fb8f65 100644
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
@@ -222,7 +222,7 @@
* most significant zero bytes in the input).
*
* \param[out] X The address of the MPI.
- * May only be #NULL if \X_limbs is 0 and \p input_length
+ * May only be #NULL if \p X_limbs is 0 and \p input_length
* is 0.
* \param X_limbs The number of limbs of \p X.
* \param[in] input The input buffer to import from.
diff --git a/library/bignum_mod.h b/library/bignum_mod.h
index d8c8b7d..d4c1d5d 100644
--- a/library/bignum_mod.h
+++ b/library/bignum_mod.h
@@ -444,7 +444,7 @@
* limbs as the modulus \p N. (\p r is an input parameter, but
* its value will be modified during execution and restored
* before the function returns.)
- * \param[in] N The address of the modulus associated with \r.
+ * \param[in] N The address of the modulus associated with \p r.
* \param[out] buf The output buffer to export to.
* \param buflen The length in bytes of \p buf.
* \param ext_rep The endianness in which the number should be written into
diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c
index 826dd07..bf0cb25 100644
--- a/library/bignum_mod_raw.c
+++ b/library/bignum_mod_raw.c
@@ -33,6 +33,8 @@
#include "bignum_mod.h"
#include "constant_time_internal.h"
+#include "bignum_mod_raw_invasive.h"
+
void mbedtls_mpi_mod_raw_cond_assign(mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
const mbedtls_mpi_mod_modulus *N,
@@ -118,6 +120,19 @@
(void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
}
+#if defined(MBEDTLS_TEST_HOOKS)
+
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint c = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
+
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
+}
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
const mbedtls_mpi_uint *B,
diff --git a/library/bignum_mod_raw_invasive.h b/library/bignum_mod_raw_invasive.h
new file mode 100644
index 0000000..ead8394
--- /dev/null
+++ b/library/bignum_mod_raw_invasive.h
@@ -0,0 +1,46 @@
+/**
+ * \file bignum_mod_raw_invasive.h
+ *
+ * \brief Function declarations for invasive functions of Low-level
+ * modular bignum.
+ */
+/**
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H
+#define MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/bignum.h"
+#include "bignum_mod.h"
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+/** Convert the result of a quasi-reduction to its canonical representative.
+ *
+ * \param[in,out] X The address of the MPI to be converted. Must have the
+ * same number of limbs as \p N. The input value must
+ * be in range 0 <= X < 2N.
+ * \param[in] N The address of the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H */
diff --git a/library/ccm.c b/library/ccm.c
index 0b02d77..36c999e 100644
--- a/library/ccm.c
+++ b/library/ccm.c
@@ -659,7 +659,7 @@
mbedtls_ccm_init(&ctx);
if (mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, key_test_data,
- 8 * sizeof key_test_data) != 0) {
+ 8 * sizeof(key_test_data)) != 0) {
if (verbose != 0) {
mbedtls_printf(" CCM: setup failed");
}
diff --git a/library/constant_time.c b/library/constant_time.c
index 7f4d509..b3bf874 100644
--- a/library/constant_time.c
+++ b/library/constant_time.c
@@ -72,9 +72,9 @@
*/
uint32_t r;
#if defined(__arm__) || defined(__thumb__) || defined(__thumb2__)
- asm ("ldr %0, [%1]" : "=r" (r) : "r" (p) :);
+ asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :);
#elif defined(__aarch64__)
- asm ("ldr %w0, [%1]" : "=r" (r) : "r" (p) :);
+ asm volatile ("ldr %w0, [%1]" : "=r" (r) : "r" (p) :);
#endif
return r;
}
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 727283f..7987c3f 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -4507,7 +4507,7 @@
defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
/*
* Create an MPI from embedded constants
- * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
+ * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint))
*/
static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
{
@@ -5370,7 +5370,7 @@
if (M.n > p_limbs + adjust) {
M.n = p_limbs + adjust;
}
- memset(Mp, 0, sizeof Mp);
+ memset(Mp, 0, sizeof(Mp));
memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
if (shift != 0) {
MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
@@ -5396,7 +5396,7 @@
if (M.n > p_limbs + adjust) {
M.n = p_limbs + adjust;
}
- memset(Mp, 0, sizeof Mp);
+ memset(Mp, 0, sizeof(Mp));
memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
if (shift != 0) {
MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
diff --git a/library/entropy.c b/library/entropy.c
index 7e25f28..e55410c 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -677,7 +677,7 @@
goto cleanup;
}
- if ((ret = mbedtls_entropy_update_manual(&ctx, buf, sizeof buf)) != 0) {
+ if ((ret = mbedtls_entropy_update_manual(&ctx, buf, sizeof(buf))) != 0) {
goto cleanup;
}
diff --git a/library/ripemd160.c b/library/ripemd160.c
index eed664f..ba97c1f 100644
--- a/library/ripemd160.c
+++ b/library/ripemd160.c
@@ -456,7 +456,7 @@
int i, ret = 0;
unsigned char output[20];
- memset(output, 0, sizeof output);
+ memset(output, 0, sizeof(output));
for (i = 0; i < TESTS; i++) {
if (verbose != 0) {
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 0330097..eabafe9 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1652,10 +1652,10 @@
memset(&sb, 0, sizeof(sb));
while ((entry = readdir(dir)) != NULL) {
- snp_ret = mbedtls_snprintf(entry_name, sizeof entry_name,
+ snp_ret = mbedtls_snprintf(entry_name, sizeof(entry_name),
"%s/%s", path, entry->d_name);
- if (snp_ret < 0 || (size_t) snp_ret >= sizeof entry_name) {
+ if (snp_ret < 0 || (size_t) snp_ret >= sizeof(entry_name)) {
ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
goto cleanup;
} else if (stat(entry_name, &sb) == -1) {
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index febd0e6..4f23395 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -52,14 +52,11 @@
{
memset(ctx, 0, sizeof(mbedtls_x509write_cert));
- mbedtls_mpi_init(&ctx->serial);
ctx->version = MBEDTLS_X509_CRT_VERSION_3;
}
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
{
- mbedtls_mpi_free(&ctx->serial);
-
mbedtls_asn1_free_named_data_list(&ctx->subject);
mbedtls_asn1_free_named_data_list(&ctx->issuer);
mbedtls_asn1_free_named_data_list(&ctx->extensions);
@@ -103,17 +100,42 @@
return mbedtls_x509_string_to_names(&ctx->issuer, issuer_name);
}
+#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx,
const mbedtls_mpi *serial)
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int ret;
+ size_t tmp_len;
- if ((ret = mbedtls_mpi_copy(&ctx->serial, serial)) != 0) {
+ /* Ensure that the MPI value fits into the buffer */
+ tmp_len = mbedtls_mpi_size(serial);
+ if (tmp_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ ctx->serial_len = tmp_len;
+
+ ret = mbedtls_mpi_write_binary(serial, ctx->serial, tmp_len);
+ if (ret < 0) {
return ret;
}
return 0;
}
+#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
+
+int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
+ unsigned char *serial, size_t serial_len)
+{
+ if (serial_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ ctx->serial_len = serial_len;
+ memcpy(ctx->serial, serial, serial_len);
+
+ return 0;
+}
int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx,
const char *not_before,
@@ -510,9 +532,29 @@
/*
* Serial ::= INTEGER
+ *
+ * Written data is:
+ * - "ctx->serial_len" bytes for the raw serial buffer
+ * - if MSb of "serial" is 1, then prepend an extra 0x00 byte
+ * - 1 byte for the length
+ * - 1 byte for the TAG
*/
- MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&c, buf,
- &ctx->serial));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(&c, buf,
+ ctx->serial, ctx->serial_len));
+ if (*c & 0x80) {
+ if (c - buf < 1) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ *(--c) = 0x0;
+ len++;
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf,
+ ctx->serial_len + 1));
+ } else {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf,
+ ctx->serial_len));
+ }
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_INTEGER));
/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c
index d880a1a..9804417 100644
--- a/programs/pkey/ecdh_curve25519.c
+++ b/programs/pkey/ecdh_curve25519.c
@@ -74,7 +74,7 @@
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy,
(const unsigned char *) pers,
- sizeof pers)) != 0) {
+ sizeof(pers))) != 0) {
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n",
ret);
goto exit;
diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c
index be2ca90..953c144 100644
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -73,7 +73,7 @@
size_t len;
if (mbedtls_ecp_point_write_binary(&key->MBEDTLS_PRIVATE(grp), &key->MBEDTLS_PRIVATE(Q),
- MBEDTLS_ECP_PF_UNCOMPRESSED, &len, buf, sizeof buf) != 0) {
+ MBEDTLS_ECP_PF_UNCOMPRESSED, &len, buf, sizeof(buf)) != 0) {
mbedtls_printf("internal error\n");
return;
}
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 3e134dd..287dd34 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -43,10 +43,12 @@
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/md.h"
#include "mbedtls/error.h"
+#include "test/helpers.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <errno.h>
#define SET_OID(x, oid) \
do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char *) oid; } while (0)
@@ -75,6 +77,7 @@
#define DFL_NOT_BEFORE "20010101000000"
#define DFL_NOT_AFTER "20301231235959"
#define DFL_SERIAL "1"
+#define DFL_SERIAL_HEX "1"
#define DFL_SELFSIGN 0
#define DFL_IS_CA 0
#define DFL_MAX_PATHLEN -1
@@ -110,6 +113,13 @@
" issuer_pwd=%%s default: (empty)\n" \
" output_file=%%s default: cert.crt\n" \
" serial=%%s default: 1\n" \
+ " In decimal format; it can be used as\n" \
+ " alternative to serial_hex, but it's\n" \
+ " limited in max length to\n" \
+ " unsigned long long int\n" \
+ " serial_hex=%%s default: 1\n" \
+ " In hex format; it can be used as\n" \
+ " alternative to serial\n" \
" not_before=%%s default: 20010101000000\n" \
" not_after=%%s default: 20301231235959\n" \
" is_ca=%%d default: 0 (disabled)\n" \
@@ -159,6 +169,11 @@
" format=pem|der default: pem\n" \
"\n"
+typedef enum {
+ SERIAL_FRMT_UNSPEC,
+ SERIAL_FRMT_DEC,
+ SERIAL_FRMT_HEX
+} serial_format_t;
/*
* global options
@@ -175,7 +190,8 @@
const char *issuer_name; /* issuer name for certificate */
const char *not_before; /* validity period not before */
const char *not_after; /* validity period not after */
- const char *serial; /* serial number string */
+ const char *serial; /* serial number string (decimal) */
+ const char *serial_hex; /* serial number string (hex) */
int selfsign; /* selfsign the certificate */
int is_ca; /* is a CA certificate */
int max_pathlen; /* maximum CA path length */
@@ -235,6 +251,44 @@
return 0;
}
+int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax,
+ const char *ibuf, size_t *len)
+{
+ unsigned long long int dec;
+ unsigned int remaining_bytes = sizeof(dec);
+ unsigned char *p = obuf;
+ unsigned char val;
+ char *end_ptr = NULL;
+
+ errno = 0;
+ dec = strtoull(ibuf, &end_ptr, 10);
+
+ if ((errno != 0) || (end_ptr == ibuf)) {
+ return -1;
+ }
+
+ *len = 0;
+
+ while (remaining_bytes > 0) {
+ if (obufmax < (*len + 1)) {
+ return -1;
+ }
+
+ val = (dec >> ((remaining_bytes - 1) * 8)) & 0xFF;
+
+ /* Skip leading zeros */
+ if ((val != 0) || (*len != 0)) {
+ *p = val;
+ (*len)++;
+ p++;
+ }
+
+ remaining_bytes--;
+ }
+
+ return 0;
+}
+
int main(int argc, char *argv[])
{
int ret = 1;
@@ -252,7 +306,9 @@
mbedtls_x509_csr csr;
#endif
mbedtls_x509write_cert crt;
- mbedtls_mpi serial;
+ serial_format_t serial_frmt = SERIAL_FRMT_UNSPEC;
+ unsigned char serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN];
+ size_t serial_len;
mbedtls_asn1_sequence *ext_key_usage;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
@@ -264,7 +320,6 @@
mbedtls_x509write_crt_init(&crt);
mbedtls_pk_init(&loaded_issuer_key);
mbedtls_pk_init(&loaded_subject_key);
- mbedtls_mpi_init(&serial);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_X509_CSR_PARSE_C)
@@ -272,6 +327,7 @@
#endif
mbedtls_x509_crt_init(&issuer_crt);
memset(buf, 0, sizeof(buf));
+ memset(serial, 0, sizeof(serial));
if (argc == 0) {
usage:
@@ -291,6 +347,7 @@
opt.not_before = DFL_NOT_BEFORE;
opt.not_after = DFL_NOT_AFTER;
opt.serial = DFL_SERIAL;
+ opt.serial_hex = DFL_SERIAL_HEX;
opt.selfsign = DFL_SELFSIGN;
opt.is_ca = DFL_IS_CA;
opt.max_pathlen = DFL_MAX_PATHLEN;
@@ -335,7 +392,19 @@
} else if (strcmp(p, "not_after") == 0) {
opt.not_after = q;
} else if (strcmp(p, "serial") == 0) {
+ if (serial_frmt != SERIAL_FRMT_UNSPEC) {
+ mbedtls_printf("Invalid attempt to set the serial more than once\n");
+ goto usage;
+ }
+ serial_frmt = SERIAL_FRMT_DEC;
opt.serial = q;
+ } else if (strcmp(p, "serial_hex") == 0) {
+ if (serial_frmt != SERIAL_FRMT_UNSPEC) {
+ mbedtls_printf("Invalid attempt to set the serial more than once\n");
+ goto usage;
+ }
+ serial_frmt = SERIAL_FRMT_HEX;
+ opt.serial_hex = q;
} else if (strcmp(p, "authority_identifier") == 0) {
opt.authority_identifier = atoi(q);
if (opt.authority_identifier != 0 &&
@@ -514,10 +583,16 @@
mbedtls_printf(" . Reading serial number...");
fflush(stdout);
- if ((ret = mbedtls_mpi_read_string(&serial, 10, opt.serial)) != 0) {
- mbedtls_strerror(ret, buf, sizeof(buf));
- mbedtls_printf(" failed\n ! mbedtls_mpi_read_string "
- "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf);
+ if (serial_frmt == SERIAL_FRMT_HEX) {
+ ret = mbedtls_test_unhexify(serial, sizeof(serial),
+ opt.serial_hex, &serial_len);
+ } else { // SERIAL_FRMT_DEC || SERIAL_FRMT_UNSPEC
+ ret = parse_serial_decimal_format(serial, sizeof(serial),
+ opt.serial, &serial_len);
+ }
+
+ if (ret != 0) {
+ mbedtls_printf(" failed\n ! Unable to parse serial\n");
goto exit;
}
@@ -661,10 +736,10 @@
mbedtls_x509write_crt_set_version(&crt, opt.version);
mbedtls_x509write_crt_set_md_alg(&crt, opt.md);
- ret = mbedtls_x509write_crt_set_serial(&crt, &serial);
+ ret = mbedtls_x509write_crt_set_serial_raw(&crt, serial, serial_len);
if (ret != 0) {
mbedtls_strerror(ret, buf, sizeof(buf));
- mbedtls_printf(" failed\n ! mbedtls_x509write_crt_set_serial "
+ mbedtls_printf(" failed\n ! mbedtls_x509write_crt_set_serial_raw "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf);
goto exit;
}
@@ -807,7 +882,6 @@
mbedtls_x509write_crt_free(&crt);
mbedtls_pk_free(&loaded_subject_key);
mbedtls_pk_free(&loaded_issuer_key);
- mbedtls_mpi_free(&serial);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
diff --git a/scripts/code_style.py b/scripts/code_style.py
index 3958e87..dd8305f 100755
--- a/scripts/code_style.py
+++ b/scripts/code_style.py
@@ -1,9 +1,7 @@
#!/usr/bin/env python3
"""Check or fix the code style by running Uncrustify.
-Note: The code style enforced by this script is not yet introduced to
-Mbed TLS. At present this script will only be used to prepare for a future
-change of code style.
+This script must be run from the root of a Git work tree containing Mbed TLS.
"""
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0
@@ -20,7 +18,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import argparse
-import io
import os
import re
import subprocess
@@ -31,12 +28,10 @@
CONFIG_FILE = ".uncrustify.cfg"
UNCRUSTIFY_EXE = "uncrustify"
UNCRUSTIFY_ARGS = ["-c", CONFIG_FILE]
-STDOUT_UTF8 = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')
-STDERR_UTF8 = io.TextIOWrapper(sys.stderr.buffer, encoding='utf-8')
CHECK_GENERATED_FILES = "tests/scripts/check-generated-files.sh"
def print_err(*args):
- print("Error: ", *args, file=STDERR_UTF8)
+ print("Error: ", *args, file=sys.stderr)
# Match FILENAME(s) in "check SCRIPT (FILENAME...)"
CHECK_CALL_RE = re.compile(r"\n\s*check\s+[^\s#$&*?;|]+([^\n#$&*?;|]+)",
@@ -69,8 +64,8 @@
"tests/suites/*.function",
"scripts/data_files/*.fmt"]
- result = subprocess.run(git_ls_files_cmd, stdout=subprocess.PIPE, \
- stderr=STDERR_UTF8, check=False)
+ result = subprocess.run(git_ls_files_cmd, stdout=subprocess.PIPE,
+ check=False)
if result.returncode != 0:
print_err("git ls-files returned: " + str(result.returncode))
@@ -90,8 +85,9 @@
"""
Get the version string from Uncrustify
"""
- result = subprocess.run([UNCRUSTIFY_EXE, "--version"], \
- stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False)
+ result = subprocess.run([UNCRUSTIFY_EXE, "--version"],
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE,
+ check=False)
if result.returncode != 0:
print_err("Could not get Uncrustify version:", str(result.stderr, "utf-8"))
return ""
@@ -106,26 +102,25 @@
style_correct = True
for src_file in src_file_list:
uncrustify_cmd = [UNCRUSTIFY_EXE] + UNCRUSTIFY_ARGS + [src_file]
- result = subprocess.run(uncrustify_cmd, stdout=subprocess.PIPE, \
- stderr=subprocess.PIPE, check=False)
+ result = subprocess.run(uncrustify_cmd, stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, check=False)
if result.returncode != 0:
- print_err("Uncrustify returned " + str(result.returncode) + \
- " correcting file " + src_file)
+ print_err("Uncrustify returned " + str(result.returncode) +
+ " correcting file " + src_file)
return False
# Uncrustify makes changes to the code and places the result in a new
# file with the extension ".uncrustify". To get the changes (if any)
# simply diff the 2 files.
diff_cmd = ["diff", "-u", src_file, src_file + ".uncrustify"]
- result = subprocess.run(diff_cmd, stdout=subprocess.PIPE, \
- stderr=STDERR_UTF8, check=False)
- if len(result.stdout) > 0:
- print(src_file + " - Incorrect code style.", file=STDOUT_UTF8)
- print("File changed - diff:", file=STDOUT_UTF8)
- print(str(result.stdout, "utf-8"), file=STDOUT_UTF8)
+ cp = subprocess.run(diff_cmd, check=False)
+
+ if cp.returncode == 1:
+ print(src_file + " changed - code style is incorrect.")
style_correct = False
- else:
- print(src_file + " - OK.", file=STDOUT_UTF8)
+ elif cp.returncode != 0:
+ raise subprocess.CalledProcessError(cp.returncode, cp.args,
+ cp.stdout, cp.stderr)
# Tidy up artifact
os.remove(src_file + ".uncrustify")
@@ -139,12 +134,11 @@
code_change_args = UNCRUSTIFY_ARGS + ["--no-backup"]
for src_file in src_file_list:
uncrustify_cmd = [UNCRUSTIFY_EXE] + code_change_args + [src_file]
- result = subprocess.run(uncrustify_cmd, check=False, \
- stdout=STDOUT_UTF8, stderr=STDERR_UTF8)
+ result = subprocess.run(uncrustify_cmd, check=False)
if result.returncode != 0:
- print_err("Uncrustify with file returned: " + \
- str(result.returncode) + " correcting file " + \
- src_file)
+ print_err("Uncrustify with file returned: " +
+ str(result.returncode) + " correcting file " +
+ src_file)
return False
return True
@@ -160,7 +154,7 @@
# Guard against future changes that cause the codebase to require
# more passes.
if not check_style_is_correct(src_file_list):
- print("Code style still incorrect after second run of Uncrustify.")
+ print_err("Code style still incorrect after second run of Uncrustify.")
return 1
else:
return 0
@@ -172,9 +166,9 @@
uncrustify_version = get_uncrustify_version().strip()
if UNCRUSTIFY_SUPPORTED_VERSION not in uncrustify_version:
print("Warning: Using unsupported Uncrustify version '" +
- uncrustify_version + "'", file=STDOUT_UTF8)
+ uncrustify_version + "'")
print("Note: The only supported version is " +
- UNCRUSTIFY_SUPPORTED_VERSION, file=STDOUT_UTF8)
+ UNCRUSTIFY_SUPPORTED_VERSION)
parser = argparse.ArgumentParser()
parser.add_argument('-f', '--fix', action='store_true',
@@ -203,6 +197,7 @@
else:
# Check mode
if check_style_is_correct(src_files):
+ print("Checked {} files, style ok.".format(len(src_files)))
return 0
else:
return 1
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index f9d9899..d197b54 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -51,6 +51,37 @@
result = (self.int_a - self.int_b) % self.int_n
return [self.format_result(result)]
+class BignumModRawFixQuasiReduction(bignum_common.ModOperationCommon,
+ BignumModRawTarget):
+ """Test cases for ecp quasi_reduction()."""
+ symbol = "-"
+ test_function = "mpi_mod_raw_fix_quasi_reduction"
+ test_name = "fix_quasi_reduction"
+ input_style = "fixed"
+ arity = 1
+
+ # Extend the default values with n < x < 2n
+ input_values = bignum_common.ModOperationCommon.input_values + [
+ "73",
+
+ # First number generated by random.getrandbits(1024) - seed(3,2)
+ "ea7b5bf55eb561a4216363698b529b4a97b750923ceb3ffd",
+
+ # First number generated by random.getrandbits(1024) - seed(1,2)
+ ("cd447e35b8b6d8fe442e3d437204e52db2221a58008a05a6c4647159c324c985"
+ "9b810e766ec9d28663ca828dd5f4b3b2e4b06ce60741c7a87ce42c8218072e8c"
+ "35bf992dc9e9c616612e7696a6cecc1b78e510617311d8a3c2ce6f447ed4d57b"
+ "1e2feb89414c343c1027c4d1c386bbc4cd613e30d8f16adf91b7584a2265b1f5")
+ ] # type: List[str]
+
+ def result(self) -> List[str]:
+ result = self.int_a % self.int_n
+ return [self.format_result(result)]
+
+ @property
+ def is_valid(self) -> bool:
+ return bool(self.int_a < 2 * self.int_n)
+
class BignumModRawMul(bignum_common.ModOperationCommon,
BignumModRawTarget):
"""Test cases for bignum mpi_mod_raw_mul()."""
diff --git a/tests/compat.sh b/tests/compat.sh
index 7693400..ef82736 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -89,7 +89,7 @@
# - NULL: excluded from our default config + requires OpenSSL legacy
# - ARIA: requires OpenSSL >= 1.1.1
# - ChachaPoly: requires OpenSSL >= 1.1.0
-EXCLUDE='NULL\|ARIA\|CHACHA20-POLY1305'
+EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
VERBOSE=""
MEMCHECK=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
@@ -205,7 +205,7 @@
check_openssl_server_bug()
{
if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
- echo "$1" | grep "^TLS-PSK" >/dev/null;
+ test "$TYPE" = "PSK";
then
SKIP_NEXT="YES"
fi
@@ -239,9 +239,14 @@
G_CIPHERS=""
}
-check_translation()
+# translate_ciphers {g|m|o} {STANDARD_CIPHER_SUITE_NAME...}
+# Set $ciphers to the cipher suite name translations for the specified
+# program (gnutls, mbedtls or openssl). $ciphers is a space-separated
+# list of entries of the form "STANDARD_NAME=PROGRAM_NAME".
+translate_ciphers()
{
- if [ $1 -ne 0 ]; then
+ ciphers=$(scripts/translate_ciphers.py "$@")
+ if [ $? -ne 0 ]; then
echo "translate_ciphers.py failed with exit code $1" >&2
echo "$2" >&2
exit 1
@@ -258,71 +263,66 @@
"ECDSA")
CIPHERS="$CIPHERS \
- TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA \
- TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
- TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA \
- TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \
- TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \
- TLS-ECDHE-ECDSA-WITH-NULL-SHA \
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 \
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 \
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA \
"
;;
"RSA")
CIPHERS="$CIPHERS \
- TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 \
- TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 \
- TLS-DHE-RSA-WITH-AES-256-CBC-SHA \
- TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 \
- TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 \
- TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA \
- TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA \
- TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \
- TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 \
- TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \
- TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA \
- TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 \
- TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 \
- TLS-ECDHE-RSA-WITH-NULL-SHA \
- TLS-RSA-WITH-AES-128-CBC-SHA \
- TLS-RSA-WITH-AES-128-CBC-SHA256 \
- TLS-RSA-WITH-AES-128-GCM-SHA256 \
- TLS-RSA-WITH-AES-256-CBC-SHA \
- TLS-RSA-WITH-AES-256-CBC-SHA256 \
- TLS-RSA-WITH-AES-256-GCM-SHA384 \
- TLS-RSA-WITH-CAMELLIA-128-CBC-SHA \
- TLS-RSA-WITH-CAMELLIA-256-CBC-SHA \
- TLS-RSA-WITH-NULL-MD5 \
- TLS-RSA-WITH-NULL-SHA \
- TLS-RSA-WITH-NULL-SHA256 \
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA \
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA \
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
+ TLS_ECDHE_RSA_WITH_NULL_SHA \
+ TLS_RSA_WITH_AES_128_CBC_SHA \
+ TLS_RSA_WITH_AES_128_CBC_SHA256 \
+ TLS_RSA_WITH_AES_128_GCM_SHA256 \
+ TLS_RSA_WITH_AES_256_CBC_SHA \
+ TLS_RSA_WITH_AES_256_CBC_SHA256 \
+ TLS_RSA_WITH_AES_256_GCM_SHA384 \
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA \
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA \
+ TLS_RSA_WITH_NULL_MD5 \
+ TLS_RSA_WITH_NULL_SHA \
+ TLS_RSA_WITH_NULL_SHA256 \
"
;;
"PSK")
CIPHERS="$CIPHERS \
- TLS-PSK-WITH-AES-128-CBC-SHA \
- TLS-PSK-WITH-AES-256-CBC-SHA \
+ TLS_PSK_WITH_AES_128_CBC_SHA \
+ TLS_PSK_WITH_AES_256_CBC_SHA \
"
;;
esac
+ O_CIPHERS="$O_CIPHERS $CIPHERS"
+ G_CIPHERS="$G_CIPHERS $CIPHERS"
M_CIPHERS="$M_CIPHERS $CIPHERS"
-
- T=$(./scripts/translate_ciphers.py g $CIPHERS)
- check_translation $? "$T"
- G_CIPHERS="$G_CIPHERS $T"
-
- T=$(./scripts/translate_ciphers.py o $CIPHERS)
- check_translation $? "$T"
- O_CIPHERS="$O_CIPHERS $T"
}
# Ciphersuites usable only with Mbed TLS and OpenSSL
-# A list of ciphersuites in the Mbed TLS convention is compiled and
-# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list
-# is translated to the OpenSSL naming convention and appended to the list of
-# OpenSSL ciphersuites $O_CIPHERS.
+# A list of ciphersuites in the standard naming convention is appended
+# to the list of Mbed TLS ciphersuites $M_CIPHERS and
+# to the list of OpenSSL ciphersuites $O_CIPHERS respectively.
+# Based on client's naming convention, all ciphersuite names will be
+# translated into another naming format before sent to the client.
#
# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
# so RSA-PSK ciphersuites need to go in other sections, see
@@ -337,57 +337,55 @@
"ECDSA")
CIPHERS="$CIPHERS \
- TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA \
- TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \
- TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \
- TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA \
- TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \
- TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
- TLS-ECDH-ECDSA-WITH-NULL-SHA \
- TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
- TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \
- TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \
+ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \
+ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \
+ TLS_ECDH_ECDSA_WITH_NULL_SHA \
+ TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 \
+ TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 \
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \
"
;;
"RSA")
CIPHERS="$CIPHERS \
- TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \
- TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \
- TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
- TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
- TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \
- TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
- TLS-RSA-WITH-ARIA-128-GCM-SHA256 \
- TLS-RSA-WITH-ARIA-256-GCM-SHA384 \
+ TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 \
+ TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 \
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
+ TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 \
+ TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 \
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
+ TLS_RSA_WITH_ARIA_128_GCM_SHA256 \
+ TLS_RSA_WITH_ARIA_256_GCM_SHA384 \
"
;;
"PSK")
CIPHERS="$CIPHERS \
- TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \
- TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \
- TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
- TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
- TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
- TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
- TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \
+ TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 \
+ TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 \
+ TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
+ TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
+ TLS_PSK_WITH_ARIA_128_GCM_SHA256 \
+ TLS_PSK_WITH_ARIA_256_GCM_SHA384 \
+ TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 \
"
;;
esac
+ O_CIPHERS="$O_CIPHERS $CIPHERS"
M_CIPHERS="$M_CIPHERS $CIPHERS"
-
- T=$(./scripts/translate_ciphers.py o $CIPHERS)
- check_translation $? "$T"
- O_CIPHERS="$O_CIPHERS $T"
}
# Ciphersuites usable only with Mbed TLS and GnuTLS
-# A list of ciphersuites in the Mbed TLS convention is compiled and
-# appended to the list of Mbed TLS ciphersuites $M_CIPHERS. The same list
-# is translated to the GnuTLS naming convention and appended to the list of
-# GnuTLS ciphersuites $G_CIPHERS.
+# A list of ciphersuites in the standard naming convention is appended
+# to the list of Mbed TLS ciphersuites $M_CIPHERS and
+# to the list of GnuTLS ciphersuites $G_CIPHERS respectively.
+# Based on client's naming convention, all ciphersuite names will be
+# translated into another naming format before sent to the client.
add_gnutls_ciphersuites()
{
CIPHERS=""
@@ -395,107 +393,104 @@
"ECDSA")
CIPHERS="$CIPHERS \
- TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
- TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
- TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
- TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
- TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM \
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 \
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM \
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 \
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
"
;;
"RSA")
CIPHERS="$CIPHERS \
- TLS-DHE-RSA-WITH-AES-128-CCM \
- TLS-DHE-RSA-WITH-AES-128-CCM-8 \
- TLS-DHE-RSA-WITH-AES-256-CCM \
- TLS-DHE-RSA-WITH-AES-256-CCM-8 \
- TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
- TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
- TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
- TLS-RSA-WITH-AES-128-CCM \
- TLS-RSA-WITH-AES-128-CCM-8 \
- TLS-RSA-WITH-AES-256-CCM \
- TLS-RSA-WITH-AES-256-CCM-8 \
- TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 \
- TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
+ TLS_DHE_RSA_WITH_AES_128_CCM \
+ TLS_DHE_RSA_WITH_AES_128_CCM_8 \
+ TLS_DHE_RSA_WITH_AES_256_CCM \
+ TLS_DHE_RSA_WITH_AES_256_CCM_8 \
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 \
+ TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
+ TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
+ TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 \
+ TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
+ TLS_RSA_WITH_AES_128_CCM \
+ TLS_RSA_WITH_AES_128_CCM_8 \
+ TLS_RSA_WITH_AES_256_CCM \
+ TLS_RSA_WITH_AES_256_CCM_8 \
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 \
+ TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
"
;;
"PSK")
CIPHERS="$CIPHERS \
- TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
- TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
- TLS-DHE-PSK-WITH-AES-128-CCM \
- TLS-DHE-PSK-WITH-AES-128-CCM-8 \
- TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \
- TLS-DHE-PSK-WITH-AES-256-CBC-SHA \
- TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
- TLS-DHE-PSK-WITH-AES-256-CCM \
- TLS-DHE-PSK-WITH-AES-256-CCM-8 \
- TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \
- TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
- TLS-DHE-PSK-WITH-NULL-SHA256 \
- TLS-DHE-PSK-WITH-NULL-SHA384 \
- TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
- TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
- TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \
- TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
- TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-ECDHE-PSK-WITH-NULL-SHA256 \
- TLS-ECDHE-PSK-WITH-NULL-SHA384 \
- TLS-PSK-WITH-AES-128-CBC-SHA256 \
- TLS-PSK-WITH-AES-128-CCM \
- TLS-PSK-WITH-AES-128-CCM-8 \
- TLS-PSK-WITH-AES-128-GCM-SHA256 \
- TLS-PSK-WITH-AES-256-CBC-SHA384 \
- TLS-PSK-WITH-AES-256-CCM \
- TLS-PSK-WITH-AES-256-CCM-8 \
- TLS-PSK-WITH-AES-256-GCM-SHA384 \
- TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
- TLS-PSK-WITH-NULL-SHA256 \
- TLS-PSK-WITH-NULL-SHA384 \
- TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
- TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
- TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 \
- TLS-RSA-PSK-WITH-AES-256-CBC-SHA \
- TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
- TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 \
- TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
- TLS-RSA-PSK-WITH-NULL-SHA256 \
- TLS-RSA-PSK-WITH-NULL-SHA384 \
+ TLS_DHE_PSK_WITH_AES_128_CBC_SHA \
+ TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 \
+ TLS_DHE_PSK_WITH_AES_128_CCM \
+ TLS_DHE_PSK_WITH_AES_128_CCM_8 \
+ TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 \
+ TLS_DHE_PSK_WITH_AES_256_CBC_SHA \
+ TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 \
+ TLS_DHE_PSK_WITH_AES_256_CCM \
+ TLS_DHE_PSK_WITH_AES_256_CCM_8 \
+ TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 \
+ TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
+ TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
+ TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
+ TLS_DHE_PSK_WITH_NULL_SHA256 \
+ TLS_DHE_PSK_WITH_NULL_SHA384 \
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA \
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 \
+ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA \
+ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 \
+ TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
+ TLS_ECDHE_PSK_WITH_NULL_SHA256 \
+ TLS_ECDHE_PSK_WITH_NULL_SHA384 \
+ TLS_PSK_WITH_AES_128_CBC_SHA256 \
+ TLS_PSK_WITH_AES_128_CCM \
+ TLS_PSK_WITH_AES_128_CCM_8 \
+ TLS_PSK_WITH_AES_128_GCM_SHA256 \
+ TLS_PSK_WITH_AES_256_CBC_SHA384 \
+ TLS_PSK_WITH_AES_256_CCM \
+ TLS_PSK_WITH_AES_256_CCM_8 \
+ TLS_PSK_WITH_AES_256_GCM_SHA384 \
+ TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
+ TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
+ TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
+ TLS_PSK_WITH_NULL_SHA256 \
+ TLS_PSK_WITH_NULL_SHA384 \
+ TLS_RSA_PSK_WITH_AES_128_CBC_SHA \
+ TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 \
+ TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 \
+ TLS_RSA_PSK_WITH_AES_256_CBC_SHA \
+ TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 \
+ TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 \
+ TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 \
+ TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
+ TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 \
+ TLS_RSA_PSK_WITH_NULL_SHA256 \
+ TLS_RSA_PSK_WITH_NULL_SHA384 \
"
;;
esac
+ G_CIPHERS="$G_CIPHERS $CIPHERS"
M_CIPHERS="$M_CIPHERS $CIPHERS"
-
- T=$(./scripts/translate_ciphers.py g $CIPHERS)
- check_translation $? "$T"
- G_CIPHERS="$G_CIPHERS $T"
}
# Ciphersuites usable only with Mbed TLS (not currently supported by another
-# peer usable in this script). This provide only very rudimentaty testing, as
+# peer usable in this script). This provides only very rudimentaty testing, as
# this is not interop testing, but it's better than nothing.
add_mbedtls_ciphersuites()
{
@@ -503,48 +498,48 @@
"ECDSA")
M_CIPHERS="$M_CIPHERS \
- TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 \
- TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 \
- TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 \
- TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \
- TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \
- TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
- TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
- TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
- TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \
- TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \
+ TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 \
+ TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 \
+ TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 \
+ TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 \
+ TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
+ TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
+ TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
+ TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
+ TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 \
+ TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 \
"
;;
"RSA")
M_CIPHERS="$M_CIPHERS \
- TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \
- TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \
- TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \
- TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \
- TLS-RSA-WITH-ARIA-128-CBC-SHA256 \
- TLS-RSA-WITH-ARIA-256-CBC-SHA384 \
+ TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 \
+ TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 \
+ TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 \
+ TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 \
+ TLS_RSA_WITH_ARIA_128_CBC_SHA256 \
+ TLS_RSA_WITH_ARIA_256_CBC_SHA384 \
"
;;
"PSK")
- # *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
+ # *PSK_NULL_SHA suites supported by GnuTLS 3.3.5 but not 3.2.15
M_CIPHERS="$M_CIPHERS \
- TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \
- TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \
- TLS-DHE-PSK-WITH-NULL-SHA \
- TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \
- TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384 \
- TLS-ECDHE-PSK-WITH-NULL-SHA \
- TLS-PSK-WITH-ARIA-128-CBC-SHA256 \
- TLS-PSK-WITH-ARIA-256-CBC-SHA384 \
- TLS-PSK-WITH-NULL-SHA \
- TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \
- TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \
- TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \
- TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \
- TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \
- TLS-RSA-PSK-WITH-NULL-SHA \
+ TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 \
+ TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 \
+ TLS_DHE_PSK_WITH_NULL_SHA \
+ TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 \
+ TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 \
+ TLS_ECDHE_PSK_WITH_NULL_SHA \
+ TLS_PSK_WITH_ARIA_128_CBC_SHA256 \
+ TLS_PSK_WITH_ARIA_256_CBC_SHA384 \
+ TLS_PSK_WITH_NULL_SHA \
+ TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 \
+ TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 \
+ TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 \
+ TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 \
+ TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 \
+ TLS_RSA_PSK_WITH_NULL_SHA \
"
;;
esac
@@ -684,7 +679,11 @@
# is_mbedtls <cmd_line>
is_mbedtls() {
- echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
+ case $1 in
+ *ssl_client2*) true;;
+ *ssl_server2*) true;;
+ *) false;;
+ esac
}
# has_mem_err <log_file_name>
@@ -803,16 +802,14 @@
echo "EXIT: $EXIT" >> $CLI_OUT
}
-# run_client <name> <cipher>
+# run_client PROGRAM_NAME STANDARD_CIPHER_SUITE PROGRAM_CIPHER_SUITE
run_client() {
# announce what we're going to do
TESTS=$(( $TESTS + 1 ))
- VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
- TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`"
+ TITLE="${1%"${1#?}"}->${SERVER_NAME%"${SERVER_NAME#?}"}"
TITLE="$TITLE $MODE,$VERIF $2"
- printf "%s " "$TITLE"
- LEN=$(( 72 - `echo "$TITLE" | wc -c` ))
- for i in `seq 1 $LEN`; do printf '.'; done; printf ' '
+ DOTS72="........................................................................"
+ printf "%s %.*s " "$TITLE" "$((71 - ${#TITLE}))" "$DOTS72"
# should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then
@@ -825,7 +822,7 @@
# run the command and interpret result
case $1 in
[Oo]pen*)
- CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $2"
+ CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $3"
log "$CLIENT_CMD"
echo "$CLIENT_CMD" > $CLI_OUT
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
@@ -850,7 +847,7 @@
else
G_HOST="localhost"
fi
- CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST"
+ CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST"
log "$CLIENT_CMD"
echo "$CLIENT_CMD" > $CLI_OUT
printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
@@ -872,7 +869,7 @@
;;
mbed*)
- CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2"
+ CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$3"
if [ "$MEMCHECK" -gt 0 ]; then
CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD"
fi
@@ -1005,6 +1002,7 @@
trap cleanup INT TERM HUP
for VERIFY in $VERIFIES; do
+ VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
for MODE in $MODES; do
for TYPE in $TYPES; do
for PEER in $PEERS; do
@@ -1035,17 +1033,19 @@
if [ "X" != "X$M_CIPHERS" ]; then
start_server "OpenSSL"
- for i in $M_CIPHERS; do
- check_openssl_server_bug $i
- run_client mbedTLS $i
+ translate_ciphers m $M_CIPHERS
+ for i in $ciphers; do
+ check_openssl_server_bug
+ run_client mbedTLS ${i%%=*} ${i#*=}
done
stop_server
fi
if [ "X" != "X$O_CIPHERS" ]; then
start_server "mbedTLS"
- for i in $O_CIPHERS; do
- run_client OpenSSL $i
+ translate_ciphers o $O_CIPHERS
+ for i in $ciphers; do
+ run_client OpenSSL ${i%%=*} ${i#*=}
done
stop_server
fi
@@ -1061,16 +1061,18 @@
if [ "X" != "X$M_CIPHERS" ]; then
start_server "GnuTLS"
- for i in $M_CIPHERS; do
- run_client mbedTLS $i
+ translate_ciphers m $M_CIPHERS
+ for i in $ciphers; do
+ run_client mbedTLS ${i%%=*} ${i#*=}
done
stop_server
fi
if [ "X" != "X$G_CIPHERS" ]; then
start_server "mbedTLS"
- for i in $G_CIPHERS; do
- run_client GnuTLS $i
+ translate_ciphers g $G_CIPHERS
+ for i in $ciphers; do
+ run_client GnuTLS ${i%%=*} ${i#*=}
done
stop_server
fi
@@ -1088,8 +1090,9 @@
if [ "X" != "X$M_CIPHERS" ]; then
start_server "mbedTLS"
- for i in $M_CIPHERS; do
- run_client mbedTLS $i
+ translate_ciphers m $M_CIPHERS
+ for i in $ciphers; do
+ run_client mbedTLS ${i%%=*} ${i#*=}
done
stop_server
fi
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 388b0ce..9c7a95d 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -972,6 +972,15 @@
server1.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@
+server1.long_serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+ echo "112233445566778899aabbccddeeff0011223344" > test-ca.server1.tmp.serial
+ $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@
+server1.80serial.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+ echo "8011223344" > test-ca.server1.tmp.serial
+ $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@
+server1.long_serial_FF.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+ echo "ffffffffffffffffffffffffffffffff" > test-ca.server1.tmp.serial
+ $(OPENSSL) ca -in server1.req.sha256 -key PolarSSLTest -config test-ca.server1.test_serial.opensslconf -notext -batch -out $@
server1.noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
server1.crt.der: server1.crt
diff --git a/tests/data_files/server1.80serial.crt b/tests/data_files/server1.80serial.crt
new file mode 100644
index 0000000..3ce8570
--- /dev/null
+++ b/tests/data_files/server1.80serial.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAiygAwIBAgIGAIARIjNEMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD
+QTAeFw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDwxCzAJBgNVBAYTAk5M
+MREwDwYDVQQKDAhQb2xhclNTTDEaMBgGA1UEAwwRUG9sYXJTU0wgU2VydmVyIDEw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/TbugmUu
+FWFeib+46EWQ2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5RYDQ
+g2rVQUN3Xzl8CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdzEw9A
++G2BJV8KsVPGMH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/CRm+
+rWUsZOuVm9z+QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDKiQsE
+2y6mT3Buns69WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tSglSx
+AgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1D
+WQKmMB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB
+BQUAA4IBAQBJKeTUCctb/wCxBte2AIiaTfATzukTVtGhKkdy3cY6U2DVSXc+s+jr
+Kut8AYnjp1T6bho98RHbbk+hu+0gBWL2ysJd1+slLBUEotUMTkzgA1YdBXy9J/eM
+HJ2a0ydFll/m2rXx7RRJWSbcgPZxQLDfollnNVfhcb75O3GsT3YfEIsjLmon7NHr
+rJmTp773trg0cNJ6j5dKMA/2SQH5PL1cmcFgNfVZ+etNRIhwpIQYySWJ/468Mcg5
+ZKPY6nubIIj+HPB3Mhy8d9U3gAJvc9iEdzbKjrkJdVROONsyMYge4vnbjyKUr7/m
+ZN1O6pZy9Fvgbdhvx4ZHpfgEsa1qfLCH
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.long_serial.crt b/tests/data_files/server1.long_serial.crt
new file mode 100644
index 0000000..1bd6955
--- /dev/null
+++ b/tests/data_files/server1.long_serial.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUjCCAjqgAwIBAgIUESIzRFVmd4iZqrvM3e7/ABEiM0QwDQYJKoZIhvcNAQEF
+BQAwOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQ
+b2xhclNTTCBUZXN0IENBMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0NDQwNlow
+PDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRowGAYDVQQDDBFQb2xh
+clNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkC
+Hz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3P
+kuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzD
+tN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG
+1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3Px
+LaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p
+26twEtxaymsXq1KCVLECAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TW
+PynBdHRFOwUSLD2ovUNZAqYwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH
+/f8wDQYJKoZIhvcNAQEFBQADggEBAC9qt4BC8zKb5o00ZVtTX0XYKWchHKYSrHk2
+r+zfW8pRcSaTGRTtMGkF7vozFrCX4Pr4vCKXOYFKQ/UEpWv5WzW7nB0+Ja0g4gnc
+9bLtg51n+IIG93ITGDm5+9YpsX6HsXSBpfY0vo9TwKg3bG1X26WG8j6m+V684hwV
+yveRUIrSvvgVJOBSe5rhn/pLmcpbI0nkPBGlqPd10qWc0RYSrSAa3bq/dpoqR7hY
+BGbbV1/9IgFhr2r44R17bhqevK3VhK4KOPRT5VMXjTh1iG4L13lIxBIuu+Lw0Pc0
+s+gQTGntA/sZkijC7mw0/q3nsRDKhHHXTDf2gjdUhMvFwYzmKBI=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server1.long_serial_FF.crt b/tests/data_files/server1.long_serial_FF.crt
new file mode 100644
index 0000000..8094fd7
--- /dev/null
+++ b/tests/data_files/server1.long_serial_FF.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIRAP////////////////////8wDQYJKoZIhvcNAQEFBQAw
+OzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xh
+clNTTCBUZXN0IENBMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0NDQwNlowPDEL
+MAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRowGAYDVQQDDBFQb2xhclNT
+TCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1A
+atVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGR
+W+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/d
+Bh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1Qkl
+iXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj
+/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26tw
+EtxaymsXq1KCVLECAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynB
+dHRFOwUSLD2ovUNZAqYwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8w
+DQYJKoZIhvcNAQEFBQADggEBADYfhZU2lWxBamt7m3A4XQj6bZ4BZlabv5IbLI32
+nej6w/6/gsXPI85nfZqpIn6IYwAeDRdJo/eUqYkIdoy5DEP+50pgCGJK5HAoBWVJ
+THKeVJn/vPH3Dz/CaCYQoHTmSi+ChfIhPh84UUdfVpv2qNInII4RxFlSAHUkRMbV
+BX6imMSD5M508G6vWGUUc6G/sx/s7vtVeGGPyNOQPgwMTes60Mewpu9LKKaSwfqQ
+DgEa8WzxPrPEyOUiIp7ClwlXe3JECHIjm445qmENgfY/8tlsyAdYKSkotfiuoUWb
+daylD6QVUXn67loYDPZALghpDxmSm21VE7feTWOUbOpe14U=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca.server1.test_serial.opensslconf b/tests/data_files/test-ca.server1.test_serial.opensslconf
new file mode 100644
index 0000000..43a520e
--- /dev/null
+++ b/tests/data_files/test-ca.server1.test_serial.opensslconf
@@ -0,0 +1,25 @@
+ [ ca ]
+ default_ca = test-ca
+
+ [ test-ca ]
+ certificate = test-ca.crt
+ private_key = test-ca.key
+ serial = test-ca.server1.tmp.serial
+ default_md = sha1
+ default_startdate = 20190210144406Z
+ default_enddate = 20290210144406Z
+ x509_extensions = v3_ca
+ new_certs_dir = ./
+ database = ./test-ca.server1.db
+ policy = policy_match
+ unique_subject = no
+
+ [v3_ca]
+ basicConstraints = CA:false
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always
+
+ [policy_match]
+ countryName = supplied
+ organizationName = supplied
+ commonName = supplied
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 2221d59..883d58b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1768,6 +1768,9 @@
msg "test: make, full_no_deprecated config" # ~ 5s
make test
+
+ msg "test: ensure that X509 has no direct dependency on BIGNUM_C"
+ not grep mbedtls_mpi library/libmbedx509.a
}
component_test_full_no_deprecated_deprecated_warning () {
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index eeded5f..2cdcbf1 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -61,24 +61,32 @@
# fixed this branch to have full coverage of test cases.
results.warning('Test case not executed: {}', key)
-def analyze_driver_vs_reference(outcomes, component_ref, component_driver, ignored_tests):
+def analyze_driver_vs_reference(outcomes, component_ref, component_driver,
+ ignored_suites, ignored_test=None):
"""Check that all tests executed in the reference component are also
executed in the corresponding driver component.
- Skip test suites provided in ignored_tests list.
+ Skip:
+ - full test suites provided in ignored_suites list
+ - only some specific test inside a test suite, for which the corresponding
+ output string is provided
"""
available = check_test_cases.collect_available_test_cases()
result = True
for key in available:
- # Skip ignored test suites
- test_suite = key.split(';')[0] # retrieve test suit name
- test_suite = test_suite.split('.')[0] # retrieve main part of test suit name
- if test_suite in ignored_tests:
- continue
# Continue if test was not executed by any component
hits = outcomes[key].hits() if key in outcomes else 0
if hits == 0:
continue
+ # Skip ignored test suites
+ full_test_suite = key.split(';')[0] # retrieve full test suite name
+ test_string = key.split(';')[1] # retrieve the text string of this test
+ test_suite = full_test_suite.split('.')[0] # retrieve main part of test suite name
+ if test_suite in ignored_suites:
+ continue
+ if ((full_test_suite in ignored_test) and
+ (test_string in ignored_test[full_test_suite])):
+ continue
# Search for tests that run in reference component and not in driver component
driver_test_passed = False
reference_test_passed = False
@@ -129,13 +137,14 @@
def do_analyze_driver_vs_reference(outcome_file, args):
"""Perform driver vs reference analyze."""
- ignored_tests = ['test_suite_' + x for x in args['ignored_suites']]
+ ignored_suites = ['test_suite_' + x for x in args['ignored_suites']]
outcomes = read_outcome_file(outcome_file)
print("\n*** Analyze driver {} vs reference {} ***\n".format(
args['component_driver'], args['component_ref']))
return analyze_driver_vs_reference(outcomes, args['component_ref'],
- args['component_driver'], ignored_tests)
+ args['component_driver'], ignored_suites,
+ args['ignored_tests'])
# List of tasks with a function that can handle this task and additional arguments if required
TASKS = {
@@ -154,7 +163,11 @@
'ignored_suites': [
'shax', 'mdx', # the software implementations that are being excluded
'md', # the legacy abstraction layer that's being excluded
- ]}},
+ ],
+ 'ignored_tests': {
+ }
+ }
+ },
'analyze_driver_vs_reference_ecdsa': {
'test_function': do_analyze_driver_vs_reference,
'args': {
@@ -164,15 +177,19 @@
'ecdsa', # the software implementation that's excluded
# the following lines should not be needed,
# they will be removed by upcoming work
- 'psa_crypto_se_driver_hal', # #6856
- 'random', # #6856
- 'ecp', # #6856
'pk', # #6857
'x509parse', # #6858
'x509write', # #6858
'debug', # #6860
'ssl', # #6860
- ]}},
+ ],
+ 'ignored_tests': {
+ 'test_suite_random': [
+ 'PSA classic wrapper: ECDSA signature (SECP256R1)',
+ ],
+ }
+ }
+ },
}
def main():
diff --git a/tests/scripts/translate_ciphers.py b/tests/scripts/translate_ciphers.py
index d5f847f..a8db4bb 100755
--- a/tests/scripts/translate_ciphers.py
+++ b/tests/scripts/translate_ciphers.py
@@ -18,8 +18,7 @@
# limitations under the License.
"""
-Translate ciphersuite names in Mbed TLS format to OpenSSL and GNUTLS
-standards.
+Translate standard ciphersuite names to GnuTLS, OpenSSL and Mbed TLS standards.
To test the translation functions run:
python3 -m unittest translate_cipher.py
@@ -36,124 +35,158 @@
"""
def test_translate_all_cipher_names(self):
"""
- Translate MbedTLS ciphersuite names to their OpenSSL and
- GnuTLS counterpart. Use only a small subset of ciphers
- that exercise each step of the translate functions
+ Translate standard ciphersuite names to GnuTLS, OpenSSL and
+ Mbed TLS counterpart. Use only a small subset of ciphers
+ that exercise each step of the translation functions
"""
ciphers = [
- ("TLS-ECDHE-ECDSA-WITH-NULL-SHA",
+ ("TLS_ECDHE_ECDSA_WITH_NULL_SHA",
"+ECDHE-ECDSA:+NULL:+SHA1",
- "ECDHE-ECDSA-NULL-SHA"),
- ("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
+ "ECDHE-ECDSA-NULL-SHA",
+ "TLS-ECDHE-ECDSA-WITH-NULL-SHA"),
+ ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"+ECDHE-ECDSA:+AES-128-GCM:+AEAD",
- "ECDHE-ECDSA-AES128-GCM-SHA256"),
- ("TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"),
+ ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"+DHE-RSA:+3DES-CBC:+SHA1",
- "EDH-RSA-DES-CBC3-SHA"),
- ("TLS-RSA-WITH-AES-256-CBC-SHA",
+ "EDH-RSA-DES-CBC3-SHA",
+ "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"),
+ ("TLS_RSA_WITH_AES_256_CBC_SHA",
"+RSA:+AES-256-CBC:+SHA1",
- "AES256-SHA"),
- ("TLS-PSK-WITH-3DES-EDE-CBC-SHA",
+ "AES256-SHA",
+ "TLS-RSA-WITH-AES-256-CBC-SHA"),
+ ("TLS_PSK_WITH_3DES_EDE_CBC_SHA",
"+PSK:+3DES-CBC:+SHA1",
- "PSK-3DES-EDE-CBC-SHA"),
- ("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
+ "PSK-3DES-EDE-CBC-SHA",
+ "TLS-PSK-WITH-3DES-EDE-CBC-SHA"),
+ ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
None,
- "ECDHE-ECDSA-CHACHA20-POLY1305"),
- ("TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
+ "ECDHE-ECDSA-CHACHA20-POLY1305",
+ "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"),
+ ("TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
"+ECDHE-ECDSA:+AES-128-CCM:+AEAD",
- None),
- ("TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
None,
- "ECDHE-ARIA256-GCM-SHA384"),
+ "TLS-ECDHE-ECDSA-WITH-AES-128-CCM"),
+ ("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
+ None,
+ "ECDHE-ARIA256-GCM-SHA384",
+ "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384"),
]
- for m, g_exp, o_exp in ciphers:
+ for s, g_exp, o_exp, m_exp in ciphers:
if g_exp is not None:
- g = translate_gnutls(m)
+ g = translate_gnutls(s)
self.assertEqual(g, g_exp)
if o_exp is not None:
- o = translate_ossl(m)
+ o = translate_ossl(s)
self.assertEqual(o, o_exp)
-def translate_gnutls(m_cipher):
+ if m_exp is not None:
+ m = translate_mbedtls(s)
+ self.assertEqual(m, m_exp)
+
+def translate_gnutls(s_cipher):
"""
- Translate m_cipher from Mbed TLS ciphersuite naming convention
+ Translate s_cipher from standard ciphersuite naming convention
and return the GnuTLS naming convention
"""
- m_cipher = re.sub(r'\ATLS-', '+', m_cipher)
- m_cipher = m_cipher.replace("-WITH-", ":+")
- m_cipher = m_cipher.replace("-EDE", "")
+ # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
+ # naming convention
+ s_cipher = s_cipher.replace("_", "-")
+
+ s_cipher = re.sub(r'\ATLS-', '+', s_cipher)
+ s_cipher = s_cipher.replace("-WITH-", ":+")
+ s_cipher = s_cipher.replace("-EDE", "")
# SHA in Mbed TLS == SHA1 GnuTLS,
# if the last 3 chars are SHA append 1
- if m_cipher[-3:] == "SHA":
- m_cipher = m_cipher+"1"
+ if s_cipher[-3:] == "SHA":
+ s_cipher = s_cipher+"1"
# CCM or CCM-8 should be followed by ":+AEAD"
# Replace "GCM:+SHAxyz" with "GCM:+AEAD"
- if "CCM" in m_cipher or "GCM" in m_cipher:
- m_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", m_cipher)
- m_cipher = m_cipher+":+AEAD"
+ if "CCM" in s_cipher or "GCM" in s_cipher:
+ s_cipher = re.sub(r"GCM-SHA\d\d\d", "GCM", s_cipher)
+ s_cipher = s_cipher+":+AEAD"
# Replace the last "-" with ":+"
else:
- index = m_cipher.rindex("-")
- m_cipher = m_cipher[:index] + ":+" + m_cipher[index+1:]
+ index = s_cipher.rindex("-")
+ s_cipher = s_cipher[:index] + ":+" + s_cipher[index+1:]
- return m_cipher
+ return s_cipher
-def translate_ossl(m_cipher):
+def translate_ossl(s_cipher):
"""
- Translate m_cipher from Mbed TLS ciphersuite naming convention
+ Translate s_cipher from standard ciphersuite naming convention
and return the OpenSSL naming convention
"""
- m_cipher = re.sub(r'^TLS-', '', m_cipher)
- m_cipher = m_cipher.replace("-WITH", "")
+ # Replace "_" with "-" to handle ciphersuite names based on Mbed TLS
+ # naming convention
+ s_cipher = s_cipher.replace("_", "-")
+
+ s_cipher = re.sub(r'^TLS-', '', s_cipher)
+ s_cipher = s_cipher.replace("-WITH", "")
# Remove the "-" from "ABC-xyz"
- m_cipher = m_cipher.replace("AES-", "AES")
- m_cipher = m_cipher.replace("CAMELLIA-", "CAMELLIA")
- m_cipher = m_cipher.replace("ARIA-", "ARIA")
+ s_cipher = s_cipher.replace("AES-", "AES")
+ s_cipher = s_cipher.replace("CAMELLIA-", "CAMELLIA")
+ s_cipher = s_cipher.replace("ARIA-", "ARIA")
# Remove "RSA" if it is at the beginning
- m_cipher = re.sub(r'^RSA-', r'', m_cipher)
+ s_cipher = re.sub(r'^RSA-', r'', s_cipher)
# For all circumstances outside of PSK
- if "PSK" not in m_cipher:
- m_cipher = m_cipher.replace("-EDE", "")
- m_cipher = m_cipher.replace("3DES-CBC", "DES-CBC3")
+ if "PSK" not in s_cipher:
+ s_cipher = s_cipher.replace("-EDE", "")
+ s_cipher = s_cipher.replace("3DES-CBC", "DES-CBC3")
# Remove "CBC" if it is not prefixed by DES
- m_cipher = re.sub(r'(?<!DES-)CBC-', r'', m_cipher)
+ s_cipher = re.sub(r'(?<!DES-)CBC-', r'', s_cipher)
# ECDHE-RSA-ARIA does not exist in OpenSSL
- m_cipher = m_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
+ s_cipher = s_cipher.replace("ECDHE-RSA-ARIA", "ECDHE-ARIA")
# POLY1305 should not be followed by anything
- if "POLY1305" in m_cipher:
- index = m_cipher.rindex("POLY1305")
- m_cipher = m_cipher[:index+8]
+ if "POLY1305" in s_cipher:
+ index = s_cipher.rindex("POLY1305")
+ s_cipher = s_cipher[:index+8]
# If DES is being used, Replace DHE with EDH
- if "DES" in m_cipher and "DHE" in m_cipher and "ECDHE" not in m_cipher:
- m_cipher = m_cipher.replace("DHE", "EDH")
+ if "DES" in s_cipher and "DHE" in s_cipher and "ECDHE" not in s_cipher:
+ s_cipher = s_cipher.replace("DHE", "EDH")
- return m_cipher
+ return s_cipher
+
+def translate_mbedtls(s_cipher):
+ """
+ Translate s_cipher from standard ciphersuite naming convention
+ and return Mbed TLS ciphersuite naming convention
+ """
+
+ # Replace "_" with "-"
+ s_cipher = s_cipher.replace("_", "-")
+
+ return s_cipher
def format_ciphersuite_names(mode, names):
- t = {"g": translate_gnutls, "o": translate_ossl}[mode]
- return " ".join(t(c) for c in names)
+ t = {"g": translate_gnutls,
+ "o": translate_ossl,
+ "m": translate_mbedtls
+ }[mode]
+ return " ".join(c + '=' + t(c) for c in names)
def main(target, names):
print(format_ciphersuite_names(target, names))
if __name__ == "__main__":
PARSER = argparse.ArgumentParser()
- PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g'])
+ PARSER.add_argument('target', metavar='TARGET', choices=['o', 'g', 'm'])
PARSER.add_argument('names', metavar='NAMES', nargs='+')
ARGS = PARSER.parse_args()
main(ARGS.target, ARGS.names)
diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index 9310b0e..24ecba3 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -6,6 +6,8 @@
#include "constant_time_internal.h"
#include "test/constant_flow.h"
+#include "bignum_mod_raw_invasive.h"
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -338,6 +340,56 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void mpi_mod_raw_fix_quasi_reduction(char *input_N,
+ char *input_X,
+ char *result)
+{
+ mbedtls_mpi_uint *X = NULL;
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *res = NULL;
+ mbedtls_mpi_uint *tmp = NULL;
+ size_t limbs_X;
+ size_t limbs_N;
+ size_t limbs_res;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init(&m);
+
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0);
+
+ size_t limbs = limbs_N;
+ size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
+
+ TEST_EQUAL(limbs_X, limbs);
+ TEST_EQUAL(limbs_res, limbs);
+
+ ASSERT_ALLOC(tmp, limbs);
+ memcpy(tmp, X, bytes);
+
+ /* Check that 0 <= X < 2N */
+ mbedtls_mpi_uint c = mbedtls_mpi_core_sub(tmp, X, N, limbs);
+ TEST_ASSERT(c || mbedtls_mpi_core_lt_ct(tmp, N, limbs));
+
+ TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
+ &m, N, limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0);
+
+ mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m);
+ ASSERT_COMPARE(X, bytes, res, bytes);
+
+exit:
+ mbedtls_free(X);
+ mbedtls_free(res);
+ mbedtls_free(tmp);
+
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_free(N);
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void mpi_mod_raw_mul(char *input_A,
char *input_B,
diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function
index 85c00eb..7d81608 100644
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function
@@ -284,7 +284,7 @@
}
TEST_EQUAL(test_offset_idx, expected_idx);
- /* Call update with too much data (sizeof entropy > MAX(_SEED)_INPUT).
+ /* Call update with too much data (sizeof(entropy) > MAX(_SEED)_INPUT).
* Make sure it's detected as an error and doesn't cause memory
* corruption. */
TEST_ASSERT(mbedtls_ctr_drbg_update(
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 9311200..9a13793 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -1038,4 +1038,3 @@
ECP check order for CURVE448
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
ecp_check_order:MBEDTLS_ECP_DP_CURVE448:"3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3"
-
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index 394253d..c8a0a82 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -811,7 +811,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_ECDH_C:MBEDTLS_ECDSA_C */
+/* BEGIN_CASE */
void mbedtls_ecp_group_metadata(int id, int bit_size, int crv_type,
char *P, char *A, char *B,
char *G_x, char *G_y, char *N,
@@ -903,9 +903,13 @@
// Check curve type, and if it can be used for ECDH/ECDSA
TEST_EQUAL(mbedtls_ecp_get_type(&grp), crv_type);
+#if defined(MBEDTLS_ECDH_C)
TEST_EQUAL(mbedtls_ecdh_can_do(id), 1);
+#endif
+#if defined(MBEDTLS_ECDSA_C)
TEST_EQUAL(mbedtls_ecdsa_can_do(id),
crv_type == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS);
+#endif
// Copy group and compare with original
TEST_EQUAL(mbedtls_ecp_group_copy(&grp_cpy, &grp), 0);
diff --git a/tests/suites/test_suite_mdx.function b/tests/suites/test_suite_mdx.function
index 93f4101..df94d16 100644
--- a/tests/suites/test_suite_mdx.function
+++ b/tests/suites/test_suite_mdx.function
@@ -10,8 +10,8 @@
unsigned char src_str[100];
unsigned char output[16];
- memset(src_str, 0x00, sizeof src_str);
- memset(output, 0x00, sizeof output);
+ memset(src_str, 0x00, sizeof(src_str));
+ memset(output, 0x00, sizeof(output));
strncpy((char *) src_str, text_src_string, sizeof(src_str) - 1);
@@ -19,7 +19,7 @@
TEST_ASSERT(ret == 0);
TEST_ASSERT(mbedtls_test_hexcmp(output, hash->x,
- sizeof output, hash->len) == 0);
+ sizeof(output), hash->len) == 0);
}
/* END_CASE */
@@ -30,8 +30,8 @@
unsigned char src_str[100];
unsigned char output[20];
- memset(src_str, 0x00, sizeof src_str);
- memset(output, 0x00, sizeof output);
+ memset(src_str, 0x00, sizeof(src_str));
+ memset(output, 0x00, sizeof(output));
strncpy((char *) src_str, text_src_string, sizeof(src_str) - 1);
@@ -39,7 +39,7 @@
TEST_ASSERT(ret == 0);
TEST_ASSERT(mbedtls_test_hexcmp(output, hash->x,
- sizeof output, hash->len) == 0);
+ sizeof(output), hash->len) == 0);
}
/* END_CASE */
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 13b5162..67d3235 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -726,7 +726,7 @@
slen = sizeof(sig);
ret = mbedtls_pk_sign_restartable(&prv, md_alg, hash->x, hash->len,
- sig, sizeof sig, &slen,
+ sig, sizeof(sig), &slen,
mbedtls_test_rnd_std_rand, NULL,
&rs_ctx);
TEST_ASSERT(ret == MBEDTLS_ERR_ECP_IN_PROGRESS);
@@ -763,15 +763,15 @@
mbedtls_pk_init(&pk);
USE_PSA_INIT();
- memset(hash, 0x2a, sizeof hash);
- memset(sig, 0, sizeof sig);
+ memset(hash, 0x2a, sizeof(hash));
+ memset(sig, 0, sizeof(sig));
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, MBEDTLS_MD_SHA256,
hash, hash_len,
- sig, sizeof sig, &sig_len,
+ sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL,
rs_ctx) == sign_ret);
if (sign_ret == 0) {
@@ -796,7 +796,7 @@
}
TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, hash_len,
- sig, sizeof sig, &sig_len,
+ sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand,
NULL) == sign_ret);
if (sign_ret == 0) {
@@ -811,12 +811,12 @@
if (verify_ret == 0) {
hash[0]++;
TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, sig_len, rs_ctx) != 0);
+ hash, sizeof(hash), sig, sig_len, rs_ctx) != 0);
hash[0]--;
sig[0]++;
TEST_ASSERT(mbedtls_pk_verify_restartable(&pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, sig_len, rs_ctx) != 0);
+ hash, sizeof(hash), sig, sig_len, rs_ctx) != 0);
sig[0]--;
}
@@ -1068,8 +1068,8 @@
return;
}
- memset(hash, 0x2a, sizeof hash);
- memset(sig, 0, sizeof sig);
+ memset(hash, 0x2a, sizeof(hash));
+ memset(sig, 0, sizeof(sig));
mbedtls_pk_init(&pk);
@@ -1086,7 +1086,7 @@
sig, sig_len) == MBEDTLS_ERR_PK_BAD_INPUT_DATA);
TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_NONE, hash, hash_len,
- sig, sizeof sig, &sig_len,
+ sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL)
== MBEDTLS_ERR_PK_BAD_INPUT_DATA);
@@ -1116,11 +1116,11 @@
mbedtls_rsa_init(&raw);
mbedtls_pk_init(&rsa); mbedtls_pk_init(&alt);
- memset(hash, 0x2a, sizeof hash);
- memset(sig, 0, sizeof sig);
- memset(msg, 0x2a, sizeof msg);
- memset(ciph, 0, sizeof ciph);
- memset(test, 0, sizeof test);
+ memset(hash, 0x2a, sizeof(hash));
+ memset(sig, 0, sizeof(sig));
+ memset(msg, 0x2a, sizeof(msg));
+ memset(ciph, 0, sizeof(ciph));
+ memset(test, 0, sizeof(test));
/* Initialize PK RSA context with random key */
TEST_ASSERT(mbedtls_pk_setup(&rsa,
@@ -1145,34 +1145,34 @@
/* Test signature */
#if SIZE_MAX > UINT_MAX
TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, SIZE_MAX,
- sig, sizeof sig, &sig_len,
+ sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL)
== MBEDTLS_ERR_PK_BAD_INPUT_DATA);
#endif /* SIZE_MAX > UINT_MAX */
- TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, sizeof hash,
- sig, sizeof sig, &sig_len,
+ TEST_ASSERT(mbedtls_pk_sign(&alt, MBEDTLS_MD_NONE, hash, sizeof(hash),
+ sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL)
== 0);
TEST_ASSERT(sig_len == RSA_KEY_LEN);
TEST_ASSERT(mbedtls_pk_verify(&rsa, MBEDTLS_MD_NONE,
- hash, sizeof hash, sig, sig_len) == 0);
+ hash, sizeof(hash), sig, sig_len) == 0);
/* Test decrypt */
- TEST_ASSERT(mbedtls_pk_encrypt(&rsa, msg, sizeof msg,
- ciph, &ciph_len, sizeof ciph,
+ TEST_ASSERT(mbedtls_pk_encrypt(&rsa, msg, sizeof(msg),
+ ciph, &ciph_len, sizeof(ciph),
mbedtls_test_rnd_std_rand, NULL) == 0);
TEST_ASSERT(mbedtls_pk_decrypt(&alt, ciph, ciph_len,
- test, &test_len, sizeof test,
+ test, &test_len, sizeof(test),
mbedtls_test_rnd_std_rand, NULL) == 0);
- TEST_ASSERT(test_len == sizeof msg);
+ TEST_ASSERT(test_len == sizeof(msg));
TEST_ASSERT(memcmp(test, msg, test_len) == 0);
/* Test forbidden operations */
- TEST_ASSERT(mbedtls_pk_encrypt(&alt, msg, sizeof msg,
- ciph, &ciph_len, sizeof ciph,
+ TEST_ASSERT(mbedtls_pk_encrypt(&alt, msg, sizeof(msg),
+ ciph, &ciph_len, sizeof(ciph),
mbedtls_test_rnd_std_rand, NULL) == ret);
TEST_ASSERT(mbedtls_pk_verify(&alt, MBEDTLS_MD_NONE,
- hash, sizeof hash, sig, sig_len) == ret);
+ hash, sizeof(hash), sig, sig_len) == ret);
TEST_ASSERT(mbedtls_pk_debug(&alt, dbg_items) == ret);
exit:
@@ -1260,11 +1260,11 @@
TEST_EQUAL(psa_get_key_lifetime(&attributes),
PSA_KEY_LIFETIME_VOLATILE);
- memset(hash, 0x2a, sizeof hash);
- memset(sig, 0, sizeof sig);
+ memset(hash, 0x2a, sizeof(hash));
+ memset(sig, 0, sizeof(sig));
TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, sizeof sig, &sig_len,
+ hash, sizeof(hash), sig, sizeof(sig), &sig_len,
NULL, NULL) == 0);
/* Export underlying public key for re-importing in a psa context. */
@@ -1285,7 +1285,7 @@
TEST_ASSERT(mbedtls_pk_parse_public_key(&pk, pkey_legacy_start,
klen_legacy) == 0);
TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
- hash, sizeof hash, sig, sig_len) == 0);
+ hash, sizeof(hash), sig, sig_len) == 0);
exit:
/*
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.data b/tests/suites/test_suite_psa_crypto_se_driver_hal.data
index 2bcf4e4..22b0570 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.data
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.data
@@ -178,25 +178,25 @@
register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MAX:1:PSA_ERROR_INVALID_ARGUMENT
Import-sign-verify: sign in driver, ECDSA
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256
sign_verify:SIGN_IN_DRIVER_AND_PARALLEL_CREATION:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_ECDSA_ANY:0:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
Import-sign-verify: sign in driver then export_public, ECDSA
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256
sign_verify:SIGN_IN_DRIVER_THEN_EXPORT_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_ECDSA_ANY:0:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
Import-sign-verify: sign in software, ECDSA
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256
sign_verify:SIGN_IN_SOFTWARE_AND_PARALLEL_CREATION:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_ECDSA_ANY:0:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
Generate-sign-verify: sign in driver, ECDSA
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256
sign_verify:SIGN_IN_DRIVER_AND_PARALLEL_CREATION:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_ECDSA_ANY:256:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
Generate-sign-verify: sign in driver then export_public, ECDSA
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256
sign_verify:SIGN_IN_DRIVER_THEN_EXPORT_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_ECDSA_ANY:256:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
Generate-sign-verify: sign in software, ECDSA
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:PSA_WANT_ECC_SECP_R1_256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256
sign_verify:SIGN_IN_SOFTWARE_AND_PARALLEL_CREATION:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_ECDSA_ANY:256:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 5d896bf..b522c1a 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1217,9 +1217,9 @@
/* Load a chain with nb_int intermediates (from 01 to nb_int),
* plus one "end-entity" cert (nb_int + 1) */
- ret = mbedtls_snprintf(file_buf, sizeof file_buf, "%s/c%02d.pem", chain_dir,
+ ret = mbedtls_snprintf(file_buf, sizeof(file_buf), "%s/c%02d.pem", chain_dir,
nb_int + 1);
- TEST_ASSERT(ret > 0 && (size_t) ret < sizeof file_buf);
+ TEST_ASSERT(ret > 0 && (size_t) ret < sizeof(file_buf));
TEST_ASSERT(mbedtls_x509_crt_parse_file(&chain, file_buf) == 0);
/* Try to verify that chain */
@@ -1312,13 +1312,13 @@
mbedtls_x509_buf oid;
char num_buf[100];
- memset(num_buf, 0x2a, sizeof num_buf);
+ memset(num_buf, 0x2a, sizeof(num_buf));
oid.tag = MBEDTLS_ASN1_OID;
oid.p = oid_buf->x;
oid.len = oid_buf->len;
- TEST_ASSERT((size_t) blen <= sizeof num_buf);
+ TEST_ASSERT((size_t) blen <= sizeof(num_buf));
TEST_ASSERT(mbedtls_oid_get_numeric_string(num_buf, blen, &oid) == ret);
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index c55c9d1..885ba00 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -60,95 +60,107 @@
Certificate write check Server1 SHA1
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, not before 1970
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, not after 2050
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, not before 1970, not after 2050
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, not before 2050, not after 2059
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, key_usage
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, one ext_key_usage
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, two ext_key_usages
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, ns_cert_type
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, version 1
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, CA
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, RSA_ALT
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, RSA_ALT, key_usage
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, RSA_ALT, version 1
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, RSA_ALT, CA
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, Opaque
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, Opaque, key_usage
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, Opaque, ns_cert_type
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, Opaque, version 1
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt"
Certificate write check Server1 SHA1, Opaque, CA
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt"
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt"
+
+Certificate write check Server1 SHA1, Full length serial
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"112233445566778899aabbccddeeff0011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial.crt":0:0:"data_files/test-ca.crt"
+
+Certificate write check Server1 SHA1, Serial starting with 0x80
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.80serial.crt":0:0:"data_files/test-ca.crt"
+
+Certificate write check Server1 SHA1, All 0xFF full length serial
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial_FF.crt":0:0:"data_files/test-ca.crt"
Certificate write check Server5 ECDSA
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt"
+x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt"
Certificate write check Server5 ECDSA, Opaque
depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_USE_PSA_CRYPTO
-x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt"
+x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt"
X509 String to Names #1
mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark\, Inc., OU=PolarSSL":0
@@ -167,3 +179,6 @@
X509 String to Names #6 (Escape at end)
mbedtls_x509_string_to_names:"C=NL, O=Offspark\":"":MBEDTLS_ERR_X509_INVALID_NAME
+
+Check max serial length
+x509_set_serial_check:
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 03b9bae..056d26a 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -300,7 +300,7 @@
void x509_crt_check(char *subject_key_file, char *subject_pwd,
char *subject_name, char *issuer_key_file,
char *issuer_pwd, char *issuer_name,
- char *serial_str, char *not_before, char *not_after,
+ data_t *serial_arg, char *not_before, char *not_after,
int md_type, int key_usage, int set_key_usage,
char *ext_key_usage,
int cert_type, int set_cert_type, int auth_ident,
@@ -315,7 +315,9 @@
unsigned char check_buf[5000];
unsigned char *p, *end;
unsigned char tag, sz;
- mbedtls_mpi serial;
+#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
+ mbedtls_mpi serial_mpi;
+#endif
int ret, before_tag, after_tag;
size_t olen = 0, pem_len = 0, buf_index = 0;
int der_len = -1;
@@ -327,7 +329,9 @@
mbedtls_pk_type_t issuer_key_type;
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
- mbedtls_mpi_init(&serial);
+#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
+ mbedtls_mpi_init(&serial_mpi);
+#endif
USE_PSA_INIT();
@@ -384,13 +388,18 @@
TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE);
}
- TEST_ASSERT(mbedtls_test_read_mpi(&serial, serial_str) == 0);
-
if (ver != -1) {
mbedtls_x509write_crt_set_version(&crt, ver);
}
- TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial) == 0);
+#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
+ TEST_ASSERT(mbedtls_mpi_read_binary(&serial_mpi, serial_arg->x,
+ serial_arg->len) == 0);
+ TEST_ASSERT(mbedtls_x509write_crt_set_serial(&crt, &serial_mpi) == 0);
+#else
+ TEST_ASSERT(mbedtls_x509write_crt_set_serial_raw(&crt, serial_arg->x,
+ serial_arg->len) == 0);
+#endif
TEST_ASSERT(mbedtls_x509write_crt_set_validity(&crt, not_before,
not_after) == 0);
mbedtls_x509write_crt_set_md_alg(&crt, md_type);
@@ -549,7 +558,9 @@
mbedtls_pk_free(&issuer_key_alt);
mbedtls_pk_free(&subject_key);
mbedtls_pk_free(&issuer_key);
- mbedtls_mpi_free(&serial);
+#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
+ mbedtls_mpi_free(&serial_mpi);
+#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(key_id);
#endif
@@ -557,6 +568,37 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_WRITE_C */
+void x509_set_serial_check()
+{
+ mbedtls_x509write_cert ctx;
+ uint8_t invalid_serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN + 1];
+
+ memset(invalid_serial, 0x01, sizeof(invalid_serial));
+
+#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
+ mbedtls_mpi serial_mpi;
+
+ mbedtls_mpi_init(&serial_mpi);
+ TEST_EQUAL(mbedtls_mpi_read_binary(&serial_mpi, invalid_serial,
+ sizeof(invalid_serial)), 0);
+ TEST_EQUAL(mbedtls_x509write_crt_set_serial(&ctx, &serial_mpi),
+ MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+#endif
+
+ TEST_EQUAL(mbedtls_x509write_crt_set_serial_raw(&ctx, invalid_serial,
+ sizeof(invalid_serial)),
+ MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+exit:
+#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
+ mbedtls_mpi_free(&serial_mpi);
+#else
+ ;
+#endif
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */
void mbedtls_x509_string_to_names(char *name, char *parsed_name, int result
)