Merge pull request #10214 from ariwo17/fix-typo
Fixed some minor typos in comments.
diff --git a/ChangeLog.d/unterminated-string-initialization.txt b/ChangeLog.d/unterminated-string-initialization.txt
new file mode 100644
index 0000000..75a72ca
--- /dev/null
+++ b/ChangeLog.d/unterminated-string-initialization.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Silence spurious -Wunterminated-string-initialization warnings introduced
+ by GCC 15. Fixes #9944.
diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h
index 7a33b0d..e4de8b3 100644
--- a/configs/crypto-config-ccm-psk-tls1_2.h
+++ b/configs/crypto-config-ccm-psk-tls1_2.h
@@ -31,7 +31,6 @@
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_PLATFORM_C
/* Save RAM at the expense of ROM */
#define MBEDTLS_AES_ROM_TABLES
diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h
index 92549ba..dd304c1 100644
--- a/configs/crypto-config-suite-b.h
+++ b/configs/crypto-config-suite-b.h
@@ -49,8 +49,6 @@
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h
index d1c449e..18206e1 100644
--- a/configs/crypto-config-thread.h
+++ b/configs/crypto-config-thread.h
@@ -56,10 +56,8 @@
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_PLATFORM_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_MD_C
-#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index cd52300..cc2c51e 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -6,10 +6,7 @@
EXTRACT_PRIVATE = YES
EXTRACT_STATIC = YES
CASE_SENSE_NAMES = NO
-INPUT = ../include ../tf-psa-crypto/include input ../tf-psa-crypto/drivers/builtin/include ../tests/include/alt-dummy
-EXCLUDE = \
- ../tf-psa-crypto/drivers/builtin/include/mbedtls/build_info.h \
- ../tf-psa-crypto/drivers/builtin/include/mbedtls/oid.h
+INPUT = ../include input ../tf-psa-crypto/include ../tests/include/alt-dummy
FILE_PATTERNS = *.h
RECURSIVE = YES
EXCLUDE_SYMLINKS = YES
diff --git a/framework b/framework
index 1a83e0c..2a3e2c5 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 1a83e0c84d4b7aa11c7cfd3771322486fc87d281
+Subproject commit 2a3e2c5ea053c14b745dbdf41f609b1edc6a72fa
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 8a220cd..a3f0789 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -272,7 +272,7 @@
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
} mbedtls_x509_crt_verify_chain;
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
/**
* \brief Context for resuming X.509 verify operations
@@ -299,12 +299,12 @@
} mbedtls_x509_crt_restart_ctx;
-#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#else /* MBEDTLS_ECP_RESTARTABLE */
/* Now we can declare functions that take a pointer to that */
typedef void mbedtls_x509_crt_restart_ctx;
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
@@ -733,7 +733,7 @@
* to disable restartable ECC.
*
* \return See \c mbedtls_crt_verify_with_profile(), or
- * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * \return #PSA_OPERATION_INCOMPLETE if maximum number of
* operations was reached: see \c mbedtls_ecp_set_max_ops().
*/
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt,
@@ -880,7 +880,7 @@
*/
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt);
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
/**
* \brief Initialize a restart context
*/
@@ -890,7 +890,7 @@
* \brief Free the components of a restart context
*/
void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx);
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/**
diff --git a/library/Makefile b/library/Makefile
index fb61911..2f695c6 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -109,82 +109,10 @@
endif
endif
-OBJS_CRYPTO= \
- $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o \
- $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_client.o \
- $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o \
- $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_slot_management.o \
- $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_storage.o \
- $(TF_PSA_CRYPTO_CORE_PATH)/psa_its_file.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aes.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aesni.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aesce.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aria.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/asn1parse.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/asn1write.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/base64.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_core.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_mod.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_mod_raw.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/block_cipher.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/camellia.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ccm.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/chacha20.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/chachapoly.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cipher.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cipher_wrap.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cmac.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/constant_time.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ctr_drbg.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/des.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdh.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdsa.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecjpake.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves_new.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy_poll.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/gcm.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hkdf.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hmac_drbg.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/lmots.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/lms.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/md.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/md5.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/memory_buffer_alloc.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/nist_kw.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/oid.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pem.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk_ecc.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk_wrap.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkcs12.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkcs5.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkparse.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkwrite.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/platform.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/platform_util.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/poly1305.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_crypto_aead.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_crypto_cipher.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_crypto_ecp.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_crypto_ffdh.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_crypto_hash.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_crypto_mac.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_crypto_pake.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_crypto_rsa.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/psa_util.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ripemd160.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/rsa.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/rsa_alt_helpers.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha1.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha256.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha512.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha3.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/threading.o \
- # This line is intentionally left blank
+OBJS_CRYPTO = $(patsubst %.c, %.o,$(wildcard $(TF_PSA_CRYPTO_CORE_PATH)/*.c $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/*.c))
+GENERATED_OBJS_CRYPTO = $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o
+OBJS_CRYPTO := $(filter-out $(GENERATED_OBJS_CRYPTO),$(OBJS_CRYPTO))
+OBJS_CRYPTO += $(GENERATED_OBJS_CRYPTO)
THIRDPARTY_DIR := $(MBEDTLS_PATH)/tf-psa-crypto/drivers
include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/everest/Makefile.inc
diff --git a/library/debug.c b/library/debug.c
index 8d55b41..5210f0c 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -219,29 +219,8 @@
#endif /* MBEDTLS_BIGNUM_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
-#if defined(MBEDTLS_ECP_LIGHT)
-static void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
- const char *file, int line,
- const char *text, const mbedtls_ecp_point *X)
-{
- char str[DEBUG_BUF_SIZE];
- if (NULL == ssl ||
- NULL == ssl->conf ||
- NULL == ssl->conf->f_dbg ||
- level > debug_threshold) {
- return;
- }
-
- mbedtls_snprintf(str, sizeof(str), "%s(X)", text);
- mbedtls_debug_print_mpi(ssl, level, file, line, str, &X->X);
-
- mbedtls_snprintf(str, sizeof(str), "%s(Y)", text);
- mbedtls_debug_print_mpi(ssl, level, file, line, str, &X->Y);
-}
-#endif /* MBEDTLS_ECP_LIGHT */
-
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
static void mbedtls_debug_print_ec_coord(const mbedtls_ssl_context *ssl, int level,
const char *file, int line, const char *text,
const unsigned char *buf, size_t len)
@@ -311,7 +290,7 @@
mbedtls_snprintf(str, sizeof(str), "%s(Y)", text);
mbedtls_debug_print_ec_coord(ssl, level, file, line, str, coord_start, coord_len);
}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
static void debug_print_pk(const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
@@ -342,16 +321,11 @@
mbedtls_debug_print_mpi(ssl, level, file, line, name, items[i].value);
} else
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECP_LIGHT)
- if (items[i].type == MBEDTLS_PK_DEBUG_ECP) {
- mbedtls_debug_print_ecp(ssl, level, file, line, name, items[i].value);
- } else
-#endif /* MBEDTLS_ECP_LIGHT */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
if (items[i].type == MBEDTLS_PK_DEBUG_PSA_EC) {
mbedtls_debug_print_psa_ec(ssl, level, file, line, name, items[i].value);
} else
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
{ debug_send_line(ssl, level, file, line,
"should not happen\n"); }
}
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 7be56eb..9af175b 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1758,10 +1758,6 @@
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
-#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
-#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
-
uint16_t tls_id = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
@@ -1786,23 +1782,9 @@
ssl->handshake->xxdh_psa_type = key_type;
/* Store peer's public key in psa format. */
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
ret = 0;
-#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
- size_t olen = 0;
- ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
- MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
- ssl->handshake->xxdh_psa_peerkey,
- sizeof(ssl->handshake->xxdh_psa_peerkey));
-
- if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
- return ret;
- }
- ssl->handshake->xxdh_psa_peerkey_len = olen;
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it,
* so that more RAM is available for upcoming expensive
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 2b2b49f..b2b5e33 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2525,12 +2525,6 @@
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
size_t key_len;
-#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- uint16_t tls_id = 0;
- psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
- mbedtls_ecp_group_id grp_id;
- mbedtls_ecp_keypair *key;
-#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
pk = mbedtls_ssl_own_key(ssl);
@@ -2542,11 +2536,9 @@
switch (pk_type) {
case MBEDTLS_PK_OPAQUE:
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
@@ -2561,7 +2553,6 @@
ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
-#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
if (pk_type != MBEDTLS_PK_OPAQUE) {
/* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
* module and only have ECDSA capabilities. Since we need
@@ -2594,7 +2585,6 @@
ret = 0;
break;
}
-#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/* Opaque key is created by the user (externally from Mbed TLS)
* so we assume it already has the right algorithm and flags
@@ -2604,53 +2594,6 @@
ret = 0;
break;
-#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
- case MBEDTLS_PK_ECKEY:
- case MBEDTLS_PK_ECKEY_DH:
- case MBEDTLS_PK_ECDSA:
- key = mbedtls_pk_ec_rw(*pk);
- grp_id = mbedtls_pk_get_ec_group_id(pk);
- if (grp_id == MBEDTLS_ECP_DP_NONE) {
- return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- }
- tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
- if (tls_id == 0) {
- /* This elliptic curve is not supported */
- return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
- }
-
- /* If the above conversion to TLS ID was fine, then also this one will
- be, so there is no need to check the return value here */
- mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
- &ssl->handshake->xxdh_psa_bits);
-
- ssl->handshake->xxdh_psa_type = key_type;
-
- key_attributes = psa_key_attributes_init();
- psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
- psa_set_key_type(&key_attributes,
- PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
- psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
-
- ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
- if (ret != 0) {
- mbedtls_platform_zeroize(buf, sizeof(buf));
- break;
- }
-
- status = psa_import_key(&key_attributes, buf, key_len,
- &ssl->handshake->xxdh_psa_privkey);
- if (status != PSA_SUCCESS) {
- ret = PSA_TO_MBEDTLS_ERR(status);
- mbedtls_platform_zeroize(buf, sizeof(buf));
- break;
- }
-
- mbedtls_platform_zeroize(buf, sizeof(buf));
- ret = 0;
- break;
-#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
default:
ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index dbc703a..865e02c 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -80,7 +80,8 @@
* the HkdfLabel structure on success.
*/
-static const char tls13_label_prefix[6] = "tls13 ";
+/* We need to tell the compiler that we meant to leave out the null character. */
+static const char tls13_label_prefix[6] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "tls13 ";
#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(label_len, context_len) \
(2 /* expansion length */ \
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index 14f6e48..1509e9a 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -40,8 +40,9 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* We need to tell the compiler that we meant to leave out the null character. */
#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
- const unsigned char name [sizeof(string) - 1];
+ const unsigned char name [sizeof(string) - 1] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING;
union mbedtls_ssl_tls13_labels_union {
MBEDTLS_SSL_TLS1_3_LABEL_LIST
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 0a43d87..4ac5d9b 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2124,7 +2124,7 @@
return -1;
}
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) {
return mbedtls_pk_verify_restartable(&parent->pk,
child->sig_md, hash, hash_len,
@@ -2234,7 +2234,7 @@
mbedtls_x509_crt *parent, *fallback_parent;
int signature_is_good = 0, fallback_signature_is_good;
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
/* did we have something in progress? */
if (rs_ctx != NULL && rs_ctx->parent != NULL) {
/* restore saved state */
@@ -2268,12 +2268,12 @@
}
/* Signature */
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
check_signature:
#endif
ret = x509_crt_check_signature(child, parent, rs_ctx);
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
/* save state */
rs_ctx->parent = parent;
@@ -2358,7 +2358,7 @@
*parent_is_trusted = 1;
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
/* restore then clear saved state if we have some stored */
if (rs_ctx != NULL && rs_ctx->parent_is_trusted != -1) {
*parent_is_trusted = rs_ctx->parent_is_trusted;
@@ -2374,7 +2374,7 @@
*parent_is_trusted,
path_cnt, self_cnt, rs_ctx, now);
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
/* save state */
rs_ctx->parent_is_trusted = *parent_is_trusted;
@@ -2501,7 +2501,7 @@
}
#endif
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
/* resume if we had an operation in progress */
if (rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent) {
/* restore saved state */
@@ -2515,7 +2515,7 @@
goto find_parent;
}
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
child = crt;
self_cnt = 0;
@@ -2561,7 +2561,7 @@
return 0;
}
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
find_parent:
#endif
@@ -2593,7 +2593,7 @@
ver_chain->len - 1, self_cnt, rs_ctx,
&now);
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
/* save state */
rs_ctx->in_progress = x509_crt_rs_find_parent;
@@ -3087,7 +3087,7 @@
ver_chain.trust_ca_cb_result = NULL;
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
mbedtls_x509_crt_restart_free(rs_ctx);
}
@@ -3223,7 +3223,7 @@
}
}
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+#if defined(MBEDTLS_ECP_RESTARTABLE)
/*
* Initialize a restart context
*/
@@ -3254,7 +3254,7 @@
mbedtls_pk_restart_free(&ctx->pk);
mbedtls_x509_crt_restart_init(ctx);
}
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
{
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index f1ed511..4d329f2 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -7,7 +7,7 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-#include "mbedtls/build_info.h"
+#include "tf-psa-crypto/build_info.h"
#include "mbedtls/platform.h"
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index 92d9660..1598986 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -7,7 +7,7 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-#include "mbedtls/build_info.h"
+#include "tf-psa-crypto/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c
index 8ae612b..d9e3bf1 100644
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -7,7 +7,7 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-#include "mbedtls/build_info.h"
+#include "tf-psa-crypto/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c
index a5e06fb..94333ae 100644
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -7,7 +7,7 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-#include "mbedtls/build_info.h"
+#include "tf-psa-crypto/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c
index 2bb140f..19f92af 100644
--- a/programs/pkey/rsa_verify_pss.c
+++ b/programs/pkey/rsa_verify_pss.c
@@ -7,7 +7,7 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
-#include "mbedtls/build_info.h"
+#include "tf-psa-crypto/build_info.h"
#include "mbedtls/platform.h"
/* md.h is included this early since MD_CAN_XXX macros are defined there. */
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 4b5ea7c..d5e7fdf 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2173,7 +2173,6 @@
#if defined(MBEDTLS_ECP_RESTARTABLE)
if (opt.ec_max_ops != DFL_EC_MAX_OPS) {
psa_interruptible_set_max_ops(opt.ec_max_ops);
- mbedtls_ecp_set_max_ops(opt.ec_max_ops);
}
#endif
diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
index 089f8a6..9497084 100644
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@@ -2,20 +2,16 @@
${mbedtls_target}
)
-set(executables_libs
+set(executables
metatest
query_compile_time_config
query_included_headers
selftest
udp_proxy
-)
-add_dependencies(${programs_target} ${executables_libs})
-add_dependencies(${ssl_opt_target} udp_proxy)
-
-set(executables_mbedcrypto
zeroize
)
-add_dependencies(${programs_target} ${executables_mbedcrypto})
+add_dependencies(${programs_target} ${executables})
+add_dependencies(${ssl_opt_target} udp_proxy)
add_dependencies(${ssl_opt_target} query_compile_time_config)
if(TEST_CPP)
@@ -74,7 +70,7 @@
link_to_source(query_config.c)
endif()
-foreach(exe IN LISTS executables_libs executables_mbedcrypto)
+foreach(exe IN LISTS executables)
set(source ${exe}.c)
set(extra_sources "")
if(NOT EXISTS ${source} AND
@@ -102,16 +98,9 @@
# Request C11, required for memory poisoning
set_target_properties(${exe} PROPERTIES C_STANDARD 11)
-
- # This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3
- list(FIND executables_libs ${exe} exe_index)
- if (${exe_index} GREATER -1)
- target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
- else()
- target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
- endif()
+ target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
endforeach()
-install(TARGETS ${executables_libs} ${executables_mbedcrypto}
+install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
diff --git a/programs/test/cmake_package/CMakeLists.txt b/programs/test/cmake_package/CMakeLists.txt
index 85270bc..287a0c3 100644
--- a/programs/test/cmake_package/CMakeLists.txt
+++ b/programs/test/cmake_package/CMakeLists.txt
@@ -35,4 +35,4 @@
add_executable(cmake_package cmake_package.c)
target_link_libraries(cmake_package
- MbedTLS::tfpsacrypto MbedTLS::mbedtls MbedTLS::mbedx509)
+ MbedTLS::mbedtls MbedTLS::mbedx509 MbedTLS::tfpsacrypto)
diff --git a/programs/test/cmake_package_install/CMakeLists.txt b/programs/test/cmake_package_install/CMakeLists.txt
index f10109e..0d7dbe4 100644
--- a/programs/test/cmake_package_install/CMakeLists.txt
+++ b/programs/test/cmake_package_install/CMakeLists.txt
@@ -38,4 +38,4 @@
add_executable(cmake_package_install cmake_package_install.c)
target_link_libraries(cmake_package_install
- MbedTLS::tfpsacrypto MbedTLS::mbedtls MbedTLS::mbedx509)
+ MbedTLS::mbedtls MbedTLS::mbedx509 MbedTLS::tfpsacrypto)
diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt
index 7acdcc3..5bd0c87 100644
--- a/programs/test/cmake_subproject/CMakeLists.txt
+++ b/programs/test/cmake_subproject/CMakeLists.txt
@@ -14,9 +14,9 @@
# Link against all the Mbed TLS libraries. Verifies that the targets have been
# created using the specified prefix
set(libs
- subproject_test_tfpsacrypto
- subproject_test_mbedx509
subproject_test_mbedtls
+ subproject_test_mbedx509
+ subproject_test_tfpsacrypto
)
add_executable(cmake_subproject cmake_subproject.c)
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index 5157573..8516f3a 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -290,7 +290,10 @@
#if defined(MBEDTLS_SHA512_C)
{ "sha512", mbedtls_sha512_self_test },
#endif
-#if defined(MBEDTLS_SHA3_C)
+#if defined(PSA_WANT_ALG_SHA3_224) || \
+ defined(PSA_WANT_ALG_SHA3_256) || \
+ defined(PSA_WANT_ALG_SHA3_384) || \
+ defined(PSA_WANT_ALG_SHA3_512)
{ "sha3", mbedtls_sha3_self_test },
#endif
#if defined(MBEDTLS_DES_C)
diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt
index c1b6b75..fb3ba18 100644
--- a/programs/util/CMakeLists.txt
+++ b/programs/util/CMakeLists.txt
@@ -1,6 +1,6 @@
set(libs
- ${tfpsacrypto_target}
${mbedx509_target}
+ ${tfpsacrypto_target}
)
set(executables
diff --git a/scripts/bump_version.sh b/scripts/bump_version.sh
index 415608a..86ed74e 100755
--- a/scripts/bump_version.sh
+++ b/scripts/bump_version.sh
@@ -124,8 +124,8 @@
mv tmp include/mbedtls/build_info.h
[ $VERBOSE ] && echo "Bumping version in tests/suites/test_suite_version.data"
-sed -e "s/version:\".\{1,\}/version:\"$VERSION\"/g" < tf-psa-crypto/tests/suites/test_suite_version.data > tmp
-mv tmp tf-psa-crypto/tests/suites/test_suite_version.data
+sed -e "s/version:\".\{1,\}/version:\"$VERSION\"/g" < tests/suites/test_suite_version.data > tmp
+mv tmp tests/suites/test_suite_version.data
[ $VERBOSE ] && echo "Bumping PROJECT_NAME in doxygen/mbedtls.doxyfile and doxygen/input/doc_mainpage.h"
for i in doxygen/mbedtls.doxyfile doxygen/input/doc_mainpage.h;
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index aae1fc8..977047a 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -38,7 +38,7 @@
my @low_level_modules = qw( AES ARIA ASN1 BASE64 BIGNUM
CAMELLIA CCM CHACHA20 CHACHAPOLY CMAC CTR_DRBG DES
ENTROPY ERROR GCM HKDF HMAC_DRBG LMS MD5
- NET OID PBKDF2 PLATFORM POLY1305 RIPEMD160
+ NET PBKDF2 PLATFORM POLY1305 RIPEMD160
SHA1 SHA256 SHA512 SHA3 THREADING );
my @high_level_modules = qw( CIPHER ECP MD
PEM PK PKCS12 PKCS5
@@ -96,8 +96,8 @@
}
}
-my $ll_old_define = "";
-my $hl_old_define = "";
+my @ll_old_define = ("", "", "");
+my @hl_old_define = ("", "", "");
my $ll_code_check = "";
my $hl_code_check = "";
@@ -129,6 +129,14 @@
$define_name = "SSL_TLS" if ($define_name eq "SSL");
$define_name = "PEM_PARSE,PEM_WRITE" if ($define_name eq "PEM");
$define_name = "PKCS7" if ($define_name eq "PKCS7");
+ $define_name = "ALG_SHA3_224,ALG_SHA3_256,ALG_SHA3_384,ALG_SHA3_512"
+ if ($define_name eq "SHA3");
+
+ my $define_prefix = "MBEDTLS_";
+ $define_prefix = "PSA_WANT_" if ($module_name eq "SHA3");
+
+ my $define_suffix = "_C";
+ $define_suffix = "" if ($module_name eq "SHA3");
my $include_name = $module_name;
$include_name =~ tr/A-Z/a-z/;
@@ -154,26 +162,30 @@
if ($found_ll)
{
$code_check = \$ll_code_check;
- $old_define = \$ll_old_define;
+ $old_define = \@ll_old_define;
$white_space = ' ';
}
else
{
$code_check = \$hl_code_check;
- $old_define = \$hl_old_define;
+ $old_define = \@hl_old_define;
$white_space = ' ';
}
- if ($define_name ne ${$old_define})
+ my $old_define_name = \${$old_define}[0];
+ my $old_define_prefix = \${$old_define}[1];
+ my $old_define_suffix = \${$old_define}[2];
+
+ if ($define_name ne ${$old_define_name})
{
- if (${$old_define} ne "")
+ if (${$old_define_name} ne "")
{
${$code_check} .= "#endif /* ";
$first = 0;
- foreach my $dep (split(/,/, ${$old_define}))
+ foreach my $dep (split(/,/, ${$old_define_name}))
{
- ${$code_check} .= " || " if ($first++);
- ${$code_check} .= "MBEDTLS_${dep}_C";
+ ${$code_check} .= " || \n " if ($first++);
+ ${$code_check} .= "${$old_define_prefix}${dep}${$old_define_suffix}";
}
${$code_check} .= " */\n\n";
}
@@ -183,49 +195,51 @@
$first = 0;
foreach my $dep (split(/,/, ${define_name}))
{
- ${$code_check} .= " || " if ($first);
- $headers .= " || " if ($first++);
+ ${$code_check} .= " || \\\n " if ($first);
+ $headers .= " || \\\n " if ($first++);
- ${$code_check} .= "defined(MBEDTLS_${dep}_C)";
- $headers .= "defined(MBEDTLS_${dep}_C)" if
- ($include_name ne "");
+ ${$code_check} .= "defined(${define_prefix}${dep}${define_suffix})";
+ $headers .= "defined(${define_prefix}${dep}${define_suffix})"
+ if ($include_name ne "");
}
${$code_check} .= "\n";
$headers .= "\n#include \"mbedtls/${include_name}.h\"\n".
"#endif\n\n" if ($include_name ne "");
- ${$old_define} = $define_name;
+ ${$old_define_name} = $define_name;
+ ${$old_define_prefix} = $define_prefix;
+ ${$old_define_suffix} = $define_suffix;
}
${$code_check} .= "${white_space}case -($error_name):\n".
"${white_space} return( \"$module_name - $description\" );\n"
};
-if ($ll_old_define ne "")
+if ($ll_old_define[0] ne "")
{
$ll_code_check .= "#endif /* ";
my $first = 0;
- foreach my $dep (split(/,/, $ll_old_define))
+ foreach my $dep (split(/,/, $ll_old_define[0]))
{
- $ll_code_check .= " || " if ($first++);
- $ll_code_check .= "MBEDTLS_${dep}_C";
+ $ll_code_check .= " || \n " if ($first++);
+ $ll_code_check .= "${ll_old_define[1]}${dep}${ll_old_define[2]}";
}
$ll_code_check .= " */\n";
}
-if ($hl_old_define ne "")
+if ($hl_old_define[0] ne "")
{
$hl_code_check .= "#endif /* ";
my $first = 0;
- foreach my $dep (split(/,/, $hl_old_define))
+ foreach my $dep (split(/,/, $hl_old_define[0]))
{
- $hl_code_check .= " || " if ($first++);
- $hl_code_check .= "MBEDTLS_${dep}_C";
+ $hl_code_check .= " || \n " if ($first++);
+ $hl_code_check .= "${hl_old_define[1]}${dep}${hl_old_define[2]}";
}
$hl_code_check .= " */\n";
}
$error_format =~ s/HEADER_INCLUDED\n/$headers/g;
-$error_format =~ s/LOW_LEVEL_CODE_CHECKS\n/$ll_code_check/g;
-$error_format =~ s/HIGH_LEVEL_CODE_CHECKS\n/$hl_code_check/g;
+$error_format =~ s/ *LOW_LEVEL_CODE_CHECKS\n/$ll_code_check/g;
+$error_format =~ s/ *HIGH_LEVEL_CODE_CHECKS\n/$hl_code_check/g;
open(ERROR_FILE, ">$error_file") or die "Opening destination file '$error_file': $!";
print ERROR_FILE $error_format;
diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl
index 8152189..5a18afc 100755
--- a/scripts/generate_visualc_files.pl
+++ b/scripts/generate_visualc_files.pl
@@ -49,9 +49,20 @@
my $test_drivers_header_dir = 'framework/tests/include/test/drivers';
my $test_drivers_source_dir = 'framework/tests/src/drivers';
-my @thirdparty_header_dirs = qw(
- tf-psa-crypto/drivers/everest/include/everest
-);
+# This is a dirty patch to allow mbedtls#10091 to be merged without updating
+# tf-psa-crypto to psa#235. Once psa#235 will be merged, this dirty fix can
+# be removed.
+# The same holds also for @include_directories below.
+my @thirdparty_header_dirs;
+if (-d "tf-psa-crypto/drivers/everest/include/tf-psa-crypto/private/everest") {
+ @thirdparty_header_dirs = qw(
+ tf-psa-crypto/drivers/everest/include/tf-psa-crypto/private/everest
+ );
+} else {
+ @thirdparty_header_dirs = qw(
+ tf-psa-crypto/drivers/everest/include/everest
+ );
+}
my @thirdparty_source_dirs = qw(
tf-psa-crypto/drivers/everest/library
tf-psa-crypto/drivers/everest/library/kremlib
@@ -61,19 +72,36 @@
# Directories to add to the include path.
# Order matters in case there are files with the same name in more than
# one directory: the compiler will use the first match.
-my @include_directories = qw(
- include
- tf-psa-crypto/include
- tf-psa-crypto/drivers/builtin/include
- tf-psa-crypto/drivers/everest/include/
- tf-psa-crypto/drivers/everest/include/everest
- tf-psa-crypto/drivers/everest/include/everest/vs2013
- tf-psa-crypto/drivers/everest/include/everest/kremlib
- tests/include
- tf-psa-crypto/tests/include
- framework/tests/include
- framework/tests/programs
-);
+my @include_directories;
+if (-d "tf-psa-crypto/drivers/everest/include/tf-psa-crypto/private/everest") {
+ @include_directories = qw(
+ include
+ tf-psa-crypto/include
+ tf-psa-crypto/drivers/builtin/include
+ tf-psa-crypto/drivers/everest/include/
+ tf-psa-crypto/drivers/everest/include/tf-psa-crypto/private/everest
+ tf-psa-crypto/drivers/everest/include/tf-psa-crypto/private/everest/vs2013
+ tf-psa-crypto/drivers/everest/include/tf-psa-crypto/private/everest/kremlib
+ tests/include
+ tf-psa-crypto/tests/include
+ framework/tests/include
+ framework/tests/programs
+ );
+} else {
+ @include_directories = qw(
+ include
+ tf-psa-crypto/include
+ tf-psa-crypto/drivers/builtin/include
+ tf-psa-crypto/drivers/everest/include/
+ tf-psa-crypto/drivers/everest/include/everest
+ tf-psa-crypto/drivers/everest/include/everest/vs2013
+ tf-psa-crypto/drivers/everest/include/everest/kremlib
+ tests/include
+ tf-psa-crypto/tests/include
+ framework/tests/include
+ framework/tests/programs
+ );
+}
my $include_directories = join(';', map {"../../$_"} @include_directories);
# Directories to add to the include path when building the libraries, but not
diff --git a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
index ca090cc..71173d2 100644
--- a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
+++ b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
@@ -4,6 +4,21 @@
*/
#include "psa/crypto.h"
+/*
+ * Temporary hack: psasim’s Makefile only does:
+ * -Itests/psa-client-server/psasim/include
+ * -I$(MBEDTLS_ROOT_PATH)/include
+ * -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/include
+ * -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/drivers/builtin/include
+ * None of those cover tf-psa-crypto/core, so we rely on the
+ * “-I$(MBEDTLS_ROOT_PATH)/include” entry plus a parent-relative
+ * include "../tf-psa-crypto/core/common.h" in order to pull in common.h here,
+ * which in turn gets MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING (to silence the
+ * new GCC-15 unterminated-string-initialization warning).
+ * See GitHub issue #10223 for the proper long-term fix.
+ * https://github.com/Mbed-TLS/mbedtls/issues/10223
+ */
+#include "../tf-psa-crypto/core/common.h"
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
@@ -25,7 +40,9 @@
uint8_t encrypt[BUFFER_SIZE] = { 0 };
uint8_t decrypt[BUFFER_SIZE] = { 0 };
const uint8_t plaintext[] = "Hello World!";
- const uint8_t key_bytes[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+ /* We need to tell the compiler that we meant to leave out the null character. */
+ const uint8_t key_bytes[32] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING =
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
uint8_t nonce[PSA_AEAD_NONCE_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CCM)];
size_t nonce_length = sizeof(nonce);
size_t ciphertext_length;
diff --git a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
index a923feb..25c0b8a 100644
--- a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
+++ b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
@@ -4,6 +4,7 @@
*/
#include "psa/crypto.h"
+#include "../tf-psa-crypto/core/common.h"
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
@@ -25,7 +26,9 @@
uint8_t original[BUFFER_SIZE] = { 0 };
uint8_t encrypt[BUFFER_SIZE] = { 0 };
uint8_t decrypt[BUFFER_SIZE] = { 0 };
- const uint8_t key_bytes[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+ /* We need to tell the compiler that we meant to leave out the null character. */
+ const uint8_t key_bytes[32] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING =
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
size_t encrypted_length;
size_t decrypted_length;
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index a06ef1d..9de7597 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -1557,7 +1557,6 @@
scripts/config.py unset MBEDTLS_SHA256_C
scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C
- scripts/config.py unset MBEDTLS_SHA3_C
# Build
# -----
@@ -1597,7 +1596,6 @@
scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
- scripts/config.py unset MBEDTLS_SHA3_C
fi
}
@@ -2207,7 +2205,6 @@
#define MBEDTLS_AES_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
- #define MBEDTLS_PLATFORM_C
#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_SELF_TEST
END
diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh
index 4f212be..5fd9ede 100644
--- a/tests/scripts/components-configuration.sh
+++ b/tests/scripts/components-configuration.sh
@@ -351,16 +351,3 @@
# MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out.
tests/ssl-opt.sh -e '^DTLS proxy'
}
-
-# Temporary component for SHA3 config option removal
-# Will be removed according to this issue:
-# https://github.com/Mbed-TLS/mbedtls/issues/10203
-component_test_full_no_sha3 () {
- msg "build: full config without SHA3"
- scripts/config.py full
- scripts/config.py unset-all 'PSA_WANT_ALG_SHA3_*'
- make
-
- msg "test: full - PSA_WANT_ALG_SHA3_*"
- make test
-}
diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index cfd9f40..0cb5537 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -328,30 +328,26 @@
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
'MBEDTLS_RSA_C'],
- 'MBEDTLS_MD5_C' : ['PSA_WANT_ALG_MD5'],
- 'MBEDTLS_RIPEMD160_C' : ['PSA_WANT_ALG_RIPEMD160'],
- 'MBEDTLS_SHA1_C' : ['PSA_WANT_ALG_SHA_1'],
- 'MBEDTLS_SHA224_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
- 'MBEDTLS_ENTROPY_FORCE_SHA256',
- 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
- 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
- 'PSA_WANT_ALG_SHA_224'],
- 'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
- 'MBEDTLS_ENTROPY_FORCE_SHA256',
- 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
- 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
- 'MBEDTLS_LMS_C',
- 'MBEDTLS_LMS_PRIVATE',
- 'PSA_WANT_ALG_SHA_256',
- 'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'],
- 'MBEDTLS_SHA384_C' : ['PSA_WANT_ALG_SHA_384'],
- 'MBEDTLS_SHA512_C': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT',
- 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY',
- 'PSA_WANT_ALG_SHA_512'],
- 'MBEDTLS_SHA3_C' : ['PSA_WANT_ALG_SHA3_224',
- 'PSA_WANT_ALG_SHA3_256',
- 'PSA_WANT_ALG_SHA3_384',
- 'PSA_WANT_ALG_SHA3_512'],
+ 'PSA_WANT_ALG_MD5': ['MBEDTLS_MD5_C'],
+ 'PSA_WANT_ALG_RIPEMD160': ['MBEDTLS_RIPEMD160_C'],
+ 'PSA_WANT_ALG_SHA_1': ['MBEDTLS_SHA1_C'],
+ 'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
+ 'MBEDTLS_ENTROPY_FORCE_SHA256',
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
+ 'MBEDTLS_SHA224_C'],
+ 'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
+ 'MBEDTLS_ENTROPY_FORCE_SHA256',
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
+ 'MBEDTLS_LMS_C',
+ 'MBEDTLS_LMS_PRIVATE',
+ 'MBEDTLS_SHA256_C',
+ 'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'],
+ 'PSA_WANT_ALG_SHA_384': ['MBEDTLS_SHA384_C'],
+ 'PSA_WANT_ALG_SHA_512': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT',
+ 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY',
+ 'MBEDTLS_SHA512_C'],
'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'],
}
@@ -359,8 +355,8 @@
# These are not necessarily dependencies, but just minimal required changes
# if a given define is the only one enabled from an exclusive group.
EXCLUSIVE_GROUPS = {
- 'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C',
- '-MBEDTLS_SSL_TLS_C'],
+ 'PSA_WANT_ALG_SHA_512': ['-MBEDTLS_SSL_COOKIE_C',
+ '-MBEDTLS_SSL_TLS_C'],
'PSA_WANT_ECC_MONTGOMERY_448': ['-PSA_WANT_ALG_ECDSA',
'-PSA_WANT_ALG_JPAKE',],
'PSA_WANT_ECC_MONTGOMERY_255': ['-PSA_WANT_ALG_ECDSA',
@@ -507,10 +503,12 @@
for expr in psa_info.generate_expressions([key_type]))
if symbol in self.all_config_symbols}
- # Find hash modules by name.
- hash_symbols = self.config_symbols_matching(r'MBEDTLS_(MD|RIPEMD|SHA)[0-9]+_C\Z')
+ # Find hash modules by category.
+ hash_symbols = {symbol
+ for alg, symbol in algs.items()
+ if alg.can_do(crypto_knowledge.AlgorithmCategory.HASH)}
- # Find elliptic curve enabling macros
+ # Find elliptic curve enabling macros by name.
# MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves
curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|'
r'MBEDTLS_ECP_DP_SECP224K1_ENABLED')
@@ -544,19 +542,16 @@
build_and_test),
# Elliptic curves. Run the test suites.
- 'curves': ExclusiveDomain(curve_symbols, build_and_test,
- exclude=r'MBEDTLS_ECP_DP_SECP224K1_ENABLED'),
+ 'curves': ExclusiveDomain(curve_symbols, build_and_test),
- # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1,
+ # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, SHA3*,
# SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used
# across various modules, but it depends on either SHA256 or SHA512.
# As a consequence an "exclusive" test of anything other than SHA256
# or SHA512 with MBEDTLS_ENTROPY_C enabled is not possible.
'hashes': DualDomain(hash_symbols, build_and_test,
- exclude=r'MBEDTLS_(MD|RIPEMD|SHA1_)' \
- '|MBEDTLS_SHA224_' \
- '|MBEDTLS_SHA384_' \
- '|MBEDTLS_SHA3_'),
+ exclude=r'PSA_WANT_ALG_(?!SHA_(256|512))'),
+
# Key exchange types.
'kex': ExclusiveDomain(key_exchange_symbols, build_and_test),
diff --git a/tests/suites/test_suite_ssl_decrypt.function b/tests/suites/test_suite_ssl_decrypt.function
index 909e6cf..37265de 100644
--- a/tests/suites/test_suite_ssl_decrypt.function
+++ b/tests/suites/test_suite_ssl_decrypt.function
@@ -37,7 +37,8 @@
mbedtls_ssl_write_version(rec_good.ver,
MBEDTLS_SSL_TRANSPORT_STREAM,
version);
- const char sample_plaintext[3] = "ABC";
+ /* We need to tell the compiler that we meant to leave out the null character. */
+ const char sample_plaintext[3] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "ABC";
mbedtls_ssl_context ssl;
mbedtls_ssl_init(&ssl);
uint8_t *buf = NULL;
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 1276941..09b248e 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -681,7 +681,6 @@
TEST_EQUAL(mbedtls_x509_crt_parse_file(&ca, ca_file), 0);
psa_interruptible_set_max_ops(max_ops);
- mbedtls_ecp_set_max_ops(max_ops);
cnt_restart = 0;
do {
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 35ae18c..a07506e 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 35ae18cf891d3675584da41f7e830f1de5f87f07
+Subproject commit a07506eab0b693152d5a522273b812d222ddd87c