Merge pull request #376 from jcowgill/x32
Support for x32
diff --git a/.travis.yml b/.travis.yml
index f30a4e3..fa01e5a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,6 +9,7 @@
- tests/scripts/check-generated-files.sh
- tests/scripts/check-doxy-blocks.pl
- tests/scripts/check-names.sh
+- tests/scripts/doxygen.sh
- cmake -D CMAKE_BUILD_TYPE:String="Check" .
- make
- make test
@@ -18,11 +19,17 @@
- tests/scripts/test-ref-configs.pl
- tests/scripts/curves.pl
- tests/scripts/key-exchanges.pl
+after_failure:
+- tests/scripts/travis-log-failure.sh
env:
global:
secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k="
addons:
+ apt:
+ packages:
+ - doxygen
+ - graphviz
coverity_scan:
project:
name: "ARMmbed/mbedtls"
diff --git a/ChangeLog b/ChangeLog
index bb50581..3b32873 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,14 +1,63 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS 2.2.1 released 2015-12-xx
+= mbed TLS 2.x branch
+
+Features
+ * Support for platform abstraction of the standard C library time()
+ function.
+
+Bugfix
+ * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
+ arguments where the same (in-place doubling). Found and fixed by Janos
+ Follath. #309
+ * Fix potential build failures related to the 'apidoc' target, introduced
+ in the previous patch release. Found by Robert Scheck. #390 #391
+ * Fix issue in Makefile that prevented building using armar. #386
+ * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
+ ECDSA was disabled in config.h . The leak didn't occur by default.
+ * Fix an issue that caused valid certificates to be rejected whenever an
+ expired or not yet valid certificate was parsed before a valid certificate
+ in the trusted certificate list.
+ * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
+ buffer after DER certificates to be included in the raw representation.
+ * Fix issue that caused a hang when generating RSA keys of odd bitlength
+ * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
+ dereference possible.
+ * Fix issue that caused a crash if invalid curves were passed to
+ mbedtls_ssl_conf_curves. #373
+ * Fix issue in ssl_fork_server which was preventing it from functioning. #429
Changes
- * To avoid dropping an entire DTLS datagram if a single record in a datagram
- is invalid, we now only drop the record and look at subsequent records (if
- any are presemt) in the same datagram to avoid interoperability issues.
- Previously the library was dropping the entire datagram. Where a record is
- unexpected, the function mbedtls_ssl_read_record() will now return
- MBEDTLS_ERR_SSL_UNEXPECTED_RECORD.
+ * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
+ don't use the optimized assembly for bignum multiplication. This removes
+ the need to pass -fomit-frame-pointer to avoid a build error with -O0.
+ * Disabled SSLv3 in the default configuration.
+ * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
+ Skalozub).
+
+= mbed TLS 2.2.1 released 2016-01-05
+
+Security
+ * Fix potential double free when mbedtls_asn1_store_named_data() fails to
+ allocate memory. Only used for certificate generation, not triggerable
+ remotely in SSL/TLS. Found by RafaĆ Przywara. #367
+ * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
+ SLOTH attack on TLS 1.2 server authentication (other attacks from the
+ SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
+ https://www.mitls.org/pages/attacks/SLOTH
+
+Bugfix
+ * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
+ * Fix bug in certificate validation that caused valid chains to be rejected
+ when the first intermediate certificate has pathLenConstraint=0. Found by
+ Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
+ * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
+ JayaraghavendranK. #372
+ * Fix suboptimal handling of unexpected records that caused interop issues
+ with some peers over unreliable links. Avoid dropping an entire DTLS
+ datagram if a single record in a datagram is unexpected, instead only
+ drop the record and look at subsequent records (if any are present) in
+ the same datagram. Found by jeannotlapin. #345
= mbed TLS 2.2.0 released 2015-11-04
diff --git a/doxygen/input/doc_hashing.h b/doxygen/input/doc_hashing.h
index de82050..49f15ea 100644
--- a/doxygen/input/doc_hashing.h
+++ b/doxygen/input/doc_hashing.h
@@ -23,13 +23,14 @@
/**
* @addtogroup hashing_module Hashing module
*
- * The Hashing module provides one-way hashing functions. Such functions can be
- * used for creating a hash message authentication code (HMAC) when sending a
- * message. Such a HMAC can be used in combination with a private key
- * for authentication, which is a message integrity control.
+ * The Message Digest (MD) or Hashing module provides one-way hashing
+ * functions. Such functions can be used for creating a hash message
+ * authentication code (HMAC) when sending a message. Such a HMAC can be used
+ * in combination with a private key for authentication, which is a message
+ * integrity control.
*
* All hash algorithms can be accessed via the generic MD layer (see
- * \c md_setup())
+ * \c mbedtls_md_setup())
*
* The following hashing-algorithms are provided:
* - MD2, MD4, MD5 128-bit one-way hash functions by Ron Rivest.
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index 35131ce..9643a6f 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -21,7 +21,7 @@
*/
/**
- * @mainpage mbed TLS v2.2.0 source code documentation
+ * @mainpage mbed TLS v2.2.1 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/input/doc_rng.h b/doxygen/input/doc_rng.h
index bd99a1a..0159ef3 100644
--- a/doxygen/input/doc_rng.h
+++ b/doxygen/input/doc_rng.h
@@ -24,19 +24,19 @@
* @addtogroup rng_module Random number generator (RNG) module
*
* The Random number generator (RNG) module provides random number
- * generation, see \c ctr_dbrg_random().
+ * generation, see \c mbedtls_ctr_drbg_random().
*
* The block-cipher counter-mode based deterministic random
* bit generator (CTR_DBRG) as specified in NIST SP800-90. It needs an external
- * source of entropy. For these purposes \c mbedtls_entropy_func() can be used. This is
- * an implementation based on a simple entropy accumulator design.
+ * source of entropy. For these purposes \c mbedtls_entropy_func() can be used.
+ * This is an implementation based on a simple entropy accumulator design.
*
- * The other number generator that is included is less strong and uses the HAVEGE
- * (HArdware Volatile Entropy Gathering and Expansion) software heuristic
+ * The other number generator that is included is less strong and uses the
+ * HAVEGE (HArdware Volatile Entropy Gathering and Expansion) software heuristic
* which considered unsafe for primary usage, but provides additional random
* to the entropy pool if enables.
*
- * \* Meaning that there seems to be no practical algorithm that can guess
+ * Meaning that there seems to be no practical algorithm that can guess
* the next bit with a probability larger than 1/2 in an output sequence.
*
* This module can be used to generate random numbers.
diff --git a/doxygen/input/doc_x509.h b/doxygen/input/doc_x509.h
index 7acd90f..315f0e3 100644
--- a/doxygen/input/doc_x509.h
+++ b/doxygen/input/doc_x509.h
@@ -23,18 +23,20 @@
/**
* @addtogroup x509_module X.509 module
*
- * The X.509 module provides X.509 support which includes:
- * - X.509 certificate (CRT) reading (see \c x509parse_crt() and
- * \c x509parse_crtfile()).
- * - X.509 certificate revocation list (CRL) reading (see \c x509parse_crl()
- * and\c x509parse_crlfile()).
- * - X.509 (RSA and ECC) private key reading (see \c x509parse_key() and
- * \c x509parse_keyfile()).
- * - X.509 certificate signature verification (see \c x509parse_verify())
- * - X.509 certificate writing and certificate request writing (see
- * \c mbedtls_x509write_crt_der() and \c mbedtls_x509write_csr_der()).
+ * The X.509 module provides X.509 support for reading, writing and verification
+ * of certificates.
+ * In summary:
+ * - X.509 certificate (CRT) reading (see \c mbedtls_x509_crt_parse(),
+ * \c mbedtls_x509_crt_parse_der(), \c mbedtls_x509_crt_parse_file()).
+ * - X.509 certificate revocation list (CRL) reading (see
+ * \c mbedtls_x509_crl_parse(), \c mbedtls_x509_crl_parse_der(),
+ * and \c mbedtls_x509_crl_parse_file()).
+ * - X.509 certificate signature verification (see \c
+ * mbedtls_x509_crt_verify() and \c mbedtls_x509_crt_verify_with_profile().
+ * - X.509 certificate writing and certificate request writing (see
+ * \c mbedtls_x509write_crt_der() and \c mbedtls_x509write_csr_der()).
*
* This module can be used to build a certificate authority (CA) chain and
* verify its signature. It is also used to generate Certificate Signing
- * Requests and X509 certificates just as a CA would do.
+ * Requests and X.509 certificates just as a CA would do.
*/
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index e0591fd..2fc0b7f 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
-PROJECT_NAME = "mbed TLS v2.2.0"
+PROJECT_NAME = "mbed TLS v2.2.1"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
@@ -696,7 +696,7 @@
# Note that relative paths are relative to the directory from which doxygen is
# run.
-EXCLUDE = configs
+EXCLUDE = configs yotta/module
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
# directories that are symbolic links (a Unix file system feature) are excluded
@@ -710,7 +710,7 @@
# against the file with absolute path, so to exclude all test directories
# for example use the pattern */test/*
-EXCLUDE_PATTERNS =
+EXCLUDE_PATTERNS = *_internal.h *_wrap.h
# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
# (namespaces, classes, functions, etc.) that should be excluded from the
@@ -1485,13 +1485,13 @@
# which can be used by a validating XML parser to check the
# syntax of the XML files.
-XML_SCHEMA =
+#XML_SCHEMA =
# The XML_DTD tag can be used to specify an XML DTD,
# which can be used by a validating XML parser to check the
# syntax of the XML files.
-XML_DTD =
+#XML_DTD =
# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
# dump the program listings (including syntax highlighting
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 146224a..aa51556 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -122,6 +122,7 @@
#define MBEDTLS_HAVE_INT64
typedef int64_t mbedtls_mpi_sint;
typedef uint64_t mbedtls_mpi_uint;
+ /* mbedtls_t_udbl defined as 128-bit unsigned int */
typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI)));
#define MBEDTLS_HAVE_UDBL
#else
diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h
index 71dd672..cac3f14 100644
--- a/include/mbedtls/bn_mul.h
+++ b/include/mbedtls/bn_mul.h
@@ -556,7 +556,23 @@
#endif /* TriCore */
-#if defined(__arm__)
+/*
+ * gcc -O0 by default uses r7 for the frame pointer, so it complains about our
+ * use of r7 below, unless -fomit-frame-pointer is passed. Unfortunately,
+ * passing that option is not easy when building with yotta.
+ *
+ * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
+ * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
+ * clang and armcc5 under the same conditions).
+ *
+ * So, only use the optimized assembly below for optimized build, which avoids
+ * the build error and is pretty reasonable anyway.
+ */
+#if defined(__GNUC__) && !defined(__OPTIMIZE__)
+#define MULADDC_CANNOT_USE_R7
+#endif
+
+#if defined(__arm__) && !defined(MULADDC_CANNOT_USE_R7)
#if defined(__thumb__) && !defined(__thumb2__)
diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
index 1ddfff8..27abbd9 100644
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@@ -1,7 +1,8 @@
/**
- * \file config.h
+ * \file compat-1.3.h
*
- * \brief Compatibility names (set of defines)
+ * \brief Compatibility definitions for using mbed TLS with client code written
+ * for the PolarSSL naming conventions.
*
* \deprecated Use the new names directly instead
*
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 3e39998..0efee04 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3,6 +3,10 @@
*
* \brief Configuration options (set of defines)
*
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ *
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
@@ -21,11 +25,6 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
-/*
- * This set of compile-time options may be used to enable
- * or disable features selectively, and reduce the global
- * memory footprint.
- */
#ifndef MBEDTLS_CONFIG_H
#define MBEDTLS_CONFIG_H
@@ -132,10 +131,10 @@
//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/**
- * \def MBEDTLS_PLATFORM_XXX_ALT
+ * \def MBEDTLS_PLATFORM_EXIT_ALT
*
- * Uncomment a macro to let mbed TLS support the function in the platform
- * abstraction layer.
+ * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
+ * function in the platform abstraction layer.
*
* Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
* provide a function "mbedtls_platform_set_printf()" that allows you to set an
@@ -153,6 +152,7 @@
* platform function
*/
//#define MBEDTLS_PLATFORM_EXIT_ALT
+//#define MBEDTLS_PLATFORM_TIME_ALT
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
//#define MBEDTLS_PLATFORM_PRINTF_ALT
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
@@ -208,12 +208,12 @@
//#define MBEDTLS_TIMING_ALT
/**
- * \def MBEDTLS__MODULE_NAME__ALT
+ * \def MBEDTLS_AES_ALT
*
- * Uncomment a macro to let mbed TLS use your alternate core implementation of
- * a symmetric crypto or hash module (e.g. platform specific assembly
- * optimized implementations). Keep in mind that the function prototypes
- * should remain the same.
+ * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
+ * alternate core implementation of a symmetric crypto or hash module (e.g.
+ * platform specific assembly optimized implementations). Keep in mind that
+ * the function prototypes should remain the same.
*
* This replaces the whole module. If you only want to replace one of the
* functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
@@ -241,11 +241,11 @@
//#define MBEDTLS_SHA512_ALT
/**
- * \def MBEDTLS__FUNCTION_NAME__ALT
+ * \def MBEDTLS_MD2_PROCESS_ALT
*
- * Uncomment a macro to let mbed TLS use you alternate core implementation of
- * symmetric crypto or hash function. Keep in mind that function prototypes
- * should remain the same.
+ * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
+ * alternate core implementation of symmetric crypto or hash function. Keep in
+ * mind that function prototypes should remain the same.
*
* This replaces only one function. The header file from mbed TLS is still
* used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
@@ -364,10 +364,11 @@
//#define MBEDTLS_CIPHER_NULL_CIPHER
/**
- * \def MBEDTLS_CIPHER_PADDING_XXX
+ * \def MBEDTLS_CIPHER_PADDING_PKCS7
*
- * Uncomment or comment macros to add support for specific padding modes
- * in the cipher layer with cipher modes that support padding (e.g. CBC)
+ * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
+ * specific padding modes in the cipher layer with cipher modes that support
+ * padding (e.g. CBC)
*
* If you disable all padding modes, only full blocks can be used with CBC.
*
@@ -407,10 +408,10 @@
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
/**
- * \def MBEDTLS_ECP_XXXX_ENABLED
+ * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
*
- * Enables specific curves within the Elliptic Curve module.
- * By default all supported curves are enabled.
+ * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
+ * module. By default all supported curves are enabled.
*
* Comment macros to disable the curve and functions for it
*/
@@ -1058,7 +1059,7 @@
*
* Comment this macro to disable support for SSL 3.0
*/
-#define MBEDTLS_SSL_PROTO_SSL3
+//#define MBEDTLS_SSL_PROTO_SSL3
/**
* \def MBEDTLS_SSL_PROTO_TLS1
@@ -1897,11 +1898,19 @@
/**
* \def MBEDTLS_NET_C
*
- * Enable the TCP/IP networking routines.
+ * Enable the TCP and UDP over IPv6/IPv4 networking routines.
+ *
+ * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
+ * and Windows. For other platforms, you'll want to disable it, and write your
+ * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
*
* Module: library/net.c
*
- * This module provides TCP/IP networking routines.
+ * This module provides networking routines.
*/
#define MBEDTLS_NET_C
@@ -2247,7 +2256,8 @@
* By default mbed TLS assumes it is used in a non-threaded environment or that
* contexts are not shared between threads. If you do intend to use contexts
* between threads, you will need to enable this layer to prevent race
- * conditions.
+ * conditions. See also our Knowledge Base article about threading:
+ * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
*
* Module: library/threading.c
*
@@ -2264,7 +2274,18 @@
/**
* \def MBEDTLS_TIMING_C
*
- * Enable the portable timing interface.
+ * Enable the semi-portable timing interface.
+ *
+ * \note The provided implementation only works on POSIX/Unix (including Linux,
+ * BSD and OS X) and Windows. On other platforms, you can either disable that
+ * module and provide your own implementations of the callbacks needed by
+ * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
+ * your own implementation of the whole module by setting
+ * \c MBEDTLS_TIMING_ALT in the current file.
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
*
* Module: library/timing.c
* Caller: library/havege.c
@@ -2445,16 +2466,21 @@
//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
/* Note: your snprintf must correclty zero-terminate the buffer! */
//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
/* Note: your snprintf must correclty zero-terminate the buffer! */
diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h
index d859dd5..2957996 100644
--- a/include/mbedtls/debug.h
+++ b/include/mbedtls/debug.h
@@ -1,7 +1,7 @@
/**
* \file debug.h
*
- * \brief Debug functions
+ * \brief Functions for controlling and providing debug output from the library.
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
@@ -80,39 +80,141 @@
#endif
/**
- * \brief Set the level threshold to handle globally. Messages that have a
- * level over the threshold value are ignored.
- * (Default value: 0 (No debug))
+ * \brief Set the threshold error level to handle globally all debug output.
+ * Debug messages that have a level over the threshold value are
+ * discarded.
+ * (Default value: 0 = No debug )
*
- * \param threshold maximum level of messages to pass on
+ * \param threshold theshold level of messages to filter on. Messages at a
+ * higher level will be discarded.
+ * - Debug levels
+ * - 0 No debug
+ * - 1 Error
+ * - 2 State change
+ * - 3 Informational
+ * - 4 Verbose
*/
void mbedtls_debug_set_threshold( int threshold );
+/**
+ * \brief Print a message to the debug output. This function is always used
+ * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
+ * context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the message has occurred in
+ * \param line line number the message has occurred at
+ * \param format format specifier, in printf format
+ * \param ... variables used by the format specifier
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *format, ... );
+/**
+ * \brief Print the return value of a function to the debug output. This
+ * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text the name of the function that returned the error
+ * \param ret the return code value
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *text, int ret );
+/**
+ * \brief Output a buffer of size len bytes to the debug output. This function
+ * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the buffer being dumped. Normally the
+ * variable or buffer name
+ * \param buf the buffer to be outputted
+ * \param len length of the buffer
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
const char *file, int line, const char *text,
const unsigned char *buf, size_t len );
#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief Print a MPI variable to the debug output. This function is always
+ * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
+ * ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the MPI being output. Normally the
+ * variable name
+ * \param X the MPI variable
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *text, const mbedtls_mpi *X );
#endif
#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief Print an ECP point to the debug output. This function is always
+ * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
+ * ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the ECP point being output. Normally the
+ * variable name
+ * \param X the ECP point
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *text, const mbedtls_ecp_point *X );
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief Print a X.509 certificate structure to the debug output. This
+ * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the certificate being output
+ * \param crt X.509 certificate structure
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *text, const mbedtls_x509_crt *crt );
@@ -123,3 +225,4 @@
#endif
#endif /* debug.h */
+
diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h
index 3bbf27e..b7b6160 100644
--- a/include/mbedtls/ecjpake.h
+++ b/include/mbedtls/ecjpake.h
@@ -64,7 +64,7 @@
*
* In order to benefit from this symmetry, we choose a different naming
* convetion from the Thread v1.0 spec. Correspondance is indicated in the
- * description as a pair C: <client name>, S: <server name>
+ * description as a pair C: client name, S: server name
*/
typedef struct
{
diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h
index 77c2c6f..b902355 100644
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_md.h
+ * \file md.h
*
* \brief Generic message digest wrapper
*
diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h
index 51d7948..0f93fbf 100644
--- a/include/mbedtls/md2.h
+++ b/include/mbedtls/md2.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_md2.h
+ * \file md2.h
*
* \brief MD2 message digest algorithm (hash function)
*
diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h
index 12cb81d..45214d4 100644
--- a/include/mbedtls/md4.h
+++ b/include/mbedtls/md4.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_md4.h
+ * \file md4.h
*
* \brief MD4 message digest algorithm (hash function)
*
diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h
index 09d8a94..5a64061 100644
--- a/include/mbedtls/md5.h
+++ b/include/mbedtls/md5.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_md5.h
+ * \file md5.h
*
* \brief MD5 message digest algorithm (hash function)
*
diff --git a/include/mbedtls/memory_buffer_alloc.h b/include/mbedtls/memory_buffer_alloc.h
index 661bc08..d5df316 100644
--- a/include/mbedtls/memory_buffer_alloc.h
+++ b/include/mbedtls/memory_buffer_alloc.h
@@ -98,8 +98,10 @@
/**
* \brief Get the peak heap usage so far
*
- * \param max_used Peak number of bytes reauested by the application
- * \param max_blocks Peak number of blocks reauested by the application
+ * \param max_used Peak number of bytes in use or committed. This
+ * includes bytes in allocated blocks too small to split
+ * into smaller blocks but larger than the requested size.
+ * \param max_blocks Peak number of blocks in use, including free and used
*/
void mbedtls_memory_buffer_alloc_max_get( size_t *max_used, size_t *max_blocks );
@@ -111,8 +113,10 @@
/**
* \brief Get the current heap usage
*
- * \param cur_used Number of bytes reauested by the application
- * \param cur_blocks Number of blocks reauested by the application
+ * \param cur_used Current number of bytes in use or committed. This
+ * includes bytes in allocated blocks too small to split
+ * into smaller blocks but larger than the requested size.
+ * \param cur_blocks Current number of blocks in use, including free and used
*/
void mbedtls_memory_buffer_alloc_cur_get( size_t *cur_used, size_t *cur_blocks );
#endif /* MBEDTLS_MEMORY_DEBUG */
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 458bb51..f9f9b9b 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -496,11 +496,12 @@
* \brief Load and parse a public key
*
* \param ctx key to be initialized
- * \param path filename to read the private key from
+ * \param path filename to read the public key from
*
* \note On entry, ctx must be empty, either freshly initialised
- * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
- * specific key type, check the result with mbedtls_pk_can_do().
+ * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If
+ * you need a specific key type, check the result with
+ * mbedtls_pk_can_do().
*
* \note The key is also checked for correctness.
*
diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h
index f71f1b6..039cb58 100644
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@@ -44,6 +44,7 @@
#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
#include <stdio.h>
#include <stdlib.h>
+#include <time.h>
#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
#if defined(_WIN32)
#define MBEDTLS_PLATFORM_STD_SNPRINTF mbedtls_platform_win32_snprintf /**< Default snprintf to use */
@@ -64,7 +65,16 @@
#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use */
#endif
#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
-#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default free to use */
+#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS /**< Default exit value to use */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE /**< Default exit value to use */
#endif
#else /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR)
@@ -207,6 +217,51 @@
#endif /* MBEDTLS_PLATFORM_EXIT_MACRO */
#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+/*
+ * The default exit values
+ */
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_EXIT_SUCCESS MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
+#else
+#define MBEDTLS_EXIT_SUCCESS 0
+#endif
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_EXIT_FAILURE MBEDTLS_PLATFORM_STD_EXIT_FAILURE
+#else
+#define MBEDTLS_EXIT_FAILURE 1
+#endif
+
+/*
+ * The time_t datatype
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO)
+typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
+#else
+typedef time_t mbedtls_time_t;
+#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
+
+/*
+ * The function pointers for time
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+extern mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* time );
+
+/**
+ * \brief Set your own time function pointer
+ *
+ * \param time_func the time function implementation
+ *
+ * \return 0
+ */
+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* time ) );
+#else
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO)
+#define mbedtls_time MBEDTLS_PLATFORM_TIME_MACRO
+#else
+#define mbedtls_time time
+#endif /* MBEDTLS_PLATFORM_TIME_MACRO */
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
#ifdef __cplusplus
}
#endif
diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h
index a92d384..7083fc8 100644
--- a/include/mbedtls/ripemd160.h
+++ b/include/mbedtls/ripemd160.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_ripemd160.h
+ * \file ripemd160.h
*
* \brief RIPE MD-160 message digest
*
diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h
index 2b74d06..7a67c6c 100644
--- a/include/mbedtls/sha1.h
+++ b/include/mbedtls/sha1.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_sha1.h
+ * \file sha1.h
*
* \brief SHA-1 cryptographic hash function
*
diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h
index bc8b226..f8041ad 100644
--- a/include/mbedtls/sha256.h
+++ b/include/mbedtls/sha256.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_sha256.h
+ * \file sha256.h
*
* \brief SHA-224 and SHA-256 cryptographic hash function
*
diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h
index 9462764..627694f 100644
--- a/include/mbedtls/sha512.h
+++ b/include/mbedtls/sha512.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_sha512.h
+ * \file sha512.h
*
* \brief SHA-384 and SHA-512 cryptographic hash function
*
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 49b182a..96643eb 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -411,6 +411,116 @@
}
mbedtls_ssl_states;
+/**
+ * \brief Callback type: send data on the network.
+ *
+ * \note That callback may be either blocking or non-blocking.
+ *
+ * \param ctx Context for the send callback (typically a file descriptor)
+ * \param buf Buffer holding the data to send
+ * \param len Length of the data to send
+ *
+ * \return The callback must return the number of bytes sent if any,
+ * or a non-zero error code.
+ * If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_WRITE
+ * must be returned when the operation would block.
+ *
+ * \note The callback is allowed to send fewer bytes than requested.
+ * It must always return the number of bytes actually sent.
+ */
+typedef int mbedtls_ssl_send_t( void *ctx,
+ const unsigned char *buf,
+ size_t len );
+
+/**
+ * \brief Callback type: receive data from the network.
+ *
+ * \note That callback may be either blocking or non-blocking.
+ *
+ * \param ctx Context for the receive callback (typically a file
+ * descriptor)
+ * \param buf Buffer to write the received data to
+ * \param len Length of the receive buffer
+ *
+ * \return The callback must return the number of bytes received,
+ * or a non-zero error code.
+ * If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
+ * must be returned when the operation would block.
+ *
+ * \note The callback may receive fewer bytes than the length of the
+ * buffer. It must always return the number of bytes actually
+ * received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_t( void *ctx,
+ unsigned char *buf,
+ size_t len );
+
+/**
+ * \brief Callback type: receive data from the network, with timeout
+ *
+ * \note That callback must block until data is received, or the
+ * timeout delay expires, or the operation is interrupted by a
+ * signal.
+ *
+ * \param ctx Context for the receive callback (typically a file descriptor)
+ * \param buf Buffer to write the received data to
+ * \param len Length of the receive buffer
+ * \param timeout Maximum nomber of millisecondes to wait for data
+ * 0 means no timeout (potentially wait forever)
+ *
+ * \return The callback must return the number of bytes received,
+ * or a non-zero error code:
+ * \c MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ * \c MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *
+ * \note The callback may receive fewer bytes than the length of the
+ * buffer. It must always return the number of bytes actually
+ * received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_timeout_t( void *ctx,
+ unsigned char *buf,
+ size_t len,
+ uint32_t timeout );
+/**
+ * \brief Callback type: set a pair of timers/delays to watch
+ *
+ * \param ctx Context pointer
+ * \param int_ms Intermediate delay in milliseconds
+ * \param fin_ms Final delay in milliseconds
+ * 0 cancels the current timer.
+ *
+ * \note This callback must at least store the necessary information
+ * for the associated \c mbedtls_ssl_get_timer_t callback to
+ * return correct information.
+ *
+ * \note If using a event-driven style of programming, an event must
+ * be generated when the final delay is passed. The event must
+ * cause a call to \c mbedtls_ssl_handshake() with the proper
+ * SSL context to be scheduled. Care must be taken to ensure
+ * that at most one such call happens at a time.
+ *
+ * \note Only one timer at a time must be running. Calling this
+ * function while a timer is running must cancel it. Cancelled
+ * timers must not generate any event.
+ */
+typedef void mbedtls_ssl_set_timer_t( void * ctx,
+ uint32_t int_ms,
+ uint32_t fin_ms );
+
+/**
+ * \brief Callback type: get status of timers/delays
+ *
+ * \param ctx Context pointer
+ *
+ * \return This callback must return:
+ * -1 if cancelled (fin_ms == 0),
+ * 0 if none of the delays is passed,
+ * 1 if only the intermediate delay is passed,
+ * 2 if the final delay is passed.
+ */
+typedef int mbedtls_ssl_get_timer_t( void * ctx );
+
+
/* Defined below */
typedef struct mbedtls_ssl_session mbedtls_ssl_session;
typedef struct mbedtls_ssl_context mbedtls_ssl_context;
@@ -432,7 +542,7 @@
struct mbedtls_ssl_session
{
#if defined(MBEDTLS_HAVE_TIME)
- time_t start; /*!< starting time */
+ mbedtls_time_t start; /*!< starting time */
#endif
int ciphersuite; /*!< chosen ciphersuite */
int compression; /*!< chosen compression */
@@ -662,12 +772,11 @@
unsigned badmac_seen; /*!< records with a bad MAC received */
#endif
- /*
- * Callbacks
- */
- int (*f_send)(void *, const unsigned char *, size_t);
- int (*f_recv)(void *, unsigned char *, size_t);
- int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t);
+ mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
+ mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
+ mbedtls_ssl_recv_timeout_t *f_recv_timeout;
+ /*!< Callback for network receive with timeout */
+
void *p_bio; /*!< context for I/O operations */
/*
@@ -693,8 +802,9 @@
* Timers
*/
void *p_timer; /*!< context for the timer callbacks */
- void (*f_set_timer)(void *, uint32_t, uint32_t); /*!< set timer callback */
- int (*f_get_timer)(void *); /*!< get timer callback */
+
+ mbedtls_ssl_set_timer_t *f_set_timer; /*!< set timer callback */
+ mbedtls_ssl_get_timer_t *f_get_timer; /*!< get timer callback */
/*
* Record layer (incoming data)
@@ -866,7 +976,7 @@
* pointers and data.
*
* \param ssl SSL context
- * \return 0 if successful, or POLASSL_ERR_SSL_MALLOC_FAILED,
+ * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED,
MBEDTLS_ERR_SSL_HW_ACCEL_FAILED or
* MBEDTLS_ERR_SSL_COMPRESSION_FAILED
*/
@@ -978,8 +1088,6 @@
* \param f_send write callback
* \param f_recv read callback
* \param f_recv_timeout blocking read callback with timeout.
- * The last argument is the timeout in milliseconds,
- * 0 means no timeout (block forever until a message comes)
*
* \note One of f_recv or f_recv_timeout can be NULL, in which case
* the other is used. If both are non-NULL, f_recv_timeout is
@@ -991,12 +1099,20 @@
*
* \note For DTLS, you need to provide either a non-NULL
* f_recv_timeout callback, or a f_recv that doesn't block.
+ *
+ * \note See the documentations of \c mbedtls_ssl_sent_t,
+ * \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for
+ * the conventions those callbacks must follow.
+ *
+ * \note On some platforms, net.c provides \c mbedtls_net_send(),
+ * \c mbedtls_net_recv() and \c mbedtls_net_recv_timeout()
+ * that are suitable to be used here.
*/
void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
- void *p_bio,
- int (*f_send)(void *, const unsigned char *, size_t),
- int (*f_recv)(void *, unsigned char *, size_t),
- int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t) );
+ void *p_bio,
+ mbedtls_ssl_send_t *f_send,
+ mbedtls_ssl_recv_t *f_recv,
+ mbedtls_ssl_recv_timeout_t *f_recv_timeout );
/**
* \brief Set the timeout period for mbedtls_ssl_read()
@@ -1017,24 +1133,29 @@
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
/**
- * \brief Set the timer callbacks
- * (Mandatory for DTLS.)
+ * \brief Set the timer callbacks (Mandatory for DTLS.)
*
* \param ssl SSL context
- * \param p_timer parameter (context) shared by timer callback
+ * \param p_timer parameter (context) shared by timer callbacks
* \param f_set_timer set timer callback
- * Accepts an intermediate and a final delay in milliseconcs
- * If the final delay is 0, cancels the running timer.
* \param f_get_timer get timer callback. Must return:
- * -1 if cancelled
- * 0 if none of the delays is expired
- * 1 if the intermediate delay only is expired
- * 2 if the final delay is expired
+ *
+ * \note See the documentation of \c mbedtls_ssl_set_timer_t and
+ * \c mbedtls_ssl_get_timer_t for the conventions this pair of
+ * callbacks must fallow.
+ *
+ * \note On some platforms, timing.c provides
+ * \c mbedtls_timing_set_delay() and
+ * \c mbedtls_timing_get_delay() that are suitable for using
+ * here, except if using an event-driven style.
+ *
+ * \note See also the "DTLS tutorial" article in our knowledge base.
+ * https://tls.mbed.org/kb/how-to/dtls-tutorial
*/
void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
void *p_timer,
- void (*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms),
- int (*f_get_timer)(void *) );
+ mbedtls_ssl_set_timer_t *f_set_timer,
+ mbedtls_ssl_get_timer_t *f_get_timer );
/**
* \brief Callback type: generate and write session ticket
@@ -1309,9 +1430,24 @@
*
* \note Default values are from RFC 6347 section 4.2.4.1.
*
- * \note Higher values for initial timeout may increase average
- * handshake latency. Lower values may increase the risk of
- * network congestion by causing more retransmissions.
+ * \note The 'min' value should typically be slightly above the
+ * expected round-trip time to your peer, plus whatever time
+ * it takes for the peer to process the message. For example,
+ * if your RTT is about 600ms and you peer needs up to 1s to
+ * do the cryptographic operations in the handshake, then you
+ * should set 'min' slightly above 1600. Lower values of 'min'
+ * might cause spurious resends which waste network resources,
+ * while larger value of 'min' will increase overall latency
+ * on unreliable network links.
+ *
+ * \note The more unreliable your network connection is, the larger
+ * your max / min ratio needs to be in order to achieve
+ * reliable handshakes.
+ *
+ * \note Messages are retransmitted up to log2(ceil(max/min)) times.
+ * For example, if min = 1s and max = 5s, the retransmit plan
+ * goes: send ... 1s -> resend ... 2s -> resend ... 4s ->
+ * resend ... 5s -> give up and return a timeout error.
*/
void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
@@ -1459,7 +1595,12 @@
* adequate, preference is given to the one set by the first
* call to this function, then second, etc.
*
- * \note On client, only the first call has any effect.
+ * \note On client, only the first call has any effect. That is,
+ * only one client certificate can be provisioned. The
+ * server's preferences in its CertficateRequest message will
+ * be ignored and our only cert will be sent regardless of
+ * whether it matches those preferences - the server can then
+ * decide what it wants to do with it.
*
* \param conf SSL configuration
* \param own_cert own public certificate chain
@@ -1479,6 +1620,12 @@
* \note This is mainly useful for clients. Servers will usually
* want to use \c mbedtls_ssl_conf_psk_cb() instead.
*
+ * \note Currently clients can only register one pre-shared key.
+ * In other words, the servers' identity hint is ignored.
+ * Support for setting multiple PSKs on clients and selecting
+ * one based on the identity hint is not a planned feature but
+ * feedback is welcomed.
+ *
* \param conf SSL configuration
* \param psk pointer to the pre-shared key
* \param psk_len pre-shared key length
@@ -1611,7 +1758,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
/**
* \brief Set the allowed hashes for signatures during the handshake.
- * (Default: all available hashes.)
+ * (Default: all available hashes except MD5.)
*
* \note This only affects which hashes are offered and can be used
* for signatures during the handshake. Hashes for message
@@ -1747,8 +1894,11 @@
* \brief Set the supported Application Layer Protocols.
*
* \param conf SSL configuration
- * \param protos NULL-terminated list of supported protocols,
- * in decreasing preference order.
+ * \param protos Pointer to a NULL-terminated list of supported protocols,
+ * in decreasing preference order. The pointer to the list is
+ * recorded by the library for later reference as required, so
+ * the lifetime of the table should be as long as the
+ * SSL configuration structure.
*
* \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
*/
@@ -1862,11 +2012,13 @@
* \brief Disable or enable support for RC4
* (Default: MBEDTLS_SSL_ARC4_DISABLED)
*
- * \warning Use of RC4 in (D)TLS has been prohibited by RFC ????
- * for security reasons. Use at your own risks.
+ * \warning Use of RC4 in DTLS/TLS has been prohibited by RFC-7465
+ * for security reasons. Use at your own risk.
*
- * \note This function will likely be removed in future versions as
- * RC4 will then be disabled by default at compile time.
+ * \note This function is deprecated and will likely be removed in
+ * a future version of the library.
+ * RC4 is disabled by default at compile time and needs to be
+ * actively enabled for use with legacy systems.
*
* \param conf SSL configuration
* \param arc4 MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED
@@ -2168,7 +2320,8 @@
* \note If this function returns something other than 0 or
* MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
* becomes unusable, and you should either free it or call
- * \c mbedtls_ssl_session_reset() on it before re-using it.
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
*
* \note If DTLS is in use, then you may choose to handle
* MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
@@ -2184,6 +2337,12 @@
* the following state after execution of this function.
* Do not call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
*
+ * \note If this function returns something other than 0 or
+ * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ * becomes unusable, and you should either free it or call
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
+ *
* \param ssl SSL context
*
* \return 0 if successful, or
@@ -2202,6 +2361,12 @@
* \param ssl SSL context
*
* \return 0 if successful, or any mbedtls_ssl_handshake() return value.
+ *
+ * \note If this function returns something other than 0 or
+ * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ * becomes unusable, and you should either free it or call
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
*/
int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_RENEGOTIATION */
@@ -2219,6 +2384,13 @@
* MBEDTLS_ERR_SSL_CLIENT_RECONNECT (see below), or
* another negative error code.
*
+ * \note If this function returns something other than a positive
+ * value or MBEDTLS_ERR_SSL_WANT_READ/WRITE or
+ * MBEDTLS_ERR_SSL_CLIENT_RECONNECT, then the ssl context
+ * becomes unusable, and you should either free it or call
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
+ *
* \note When this function return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
* (which can only happen server-side), it means that a client
* is initiating a new connection using the same source port.
@@ -2252,6 +2424,12 @@
* or MBEDTLS_ERR_SSL_WANT_WRITE of MBEDTLS_ERR_SSL_WANT_READ,
* or another negative error code.
*
+ * \note If this function returns something other than a positive
+ * value or MBEDTLS_ERR_SSL_WANT_READ/WRITE, the ssl context
+ * becomes unusable, and you should either free it or call
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
+ *
* \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ,
* it must be called later with the *same* arguments,
* until it returns a positive value.
@@ -2275,6 +2453,12 @@
* \param message The alert message (SSL_ALERT_MSG_*)
*
* \return 0 if successful, or a specific SSL error code.
+ *
+ * \note If this function returns something other than 0 or
+ * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ * becomes unusable, and you should either free it or call
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
*/
int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
unsigned char level,
@@ -2283,6 +2467,14 @@
* \brief Notify the peer that the connection is being closed
*
* \param ssl SSL context
+ *
+ * \return 0 if successful, or a specific SSL error code.
+ *
+ * \note If this function returns something other than 0 or
+ * MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ * becomes unusable, and you should either free it or call
+ * \c mbedtls_ssl_session_reset() on it before re-using it for
+ * a new connection; the current connection must be closed.
*/
int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl );
diff --git a/include/mbedtls/ssl_cache.h b/include/mbedtls/ssl_cache.h
index 1155924..3734bb7 100644
--- a/include/mbedtls/ssl_cache.h
+++ b/include/mbedtls/ssl_cache.h
@@ -60,7 +60,7 @@
struct mbedtls_ssl_cache_entry
{
#if defined(MBEDTLS_HAVE_TIME)
- time_t timestamp; /*!< entry timestamp */
+ mbedtls_time_t timestamp; /*!< entry timestamp */
#endif
mbedtls_ssl_session session; /*!< entry session */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 3af059f..d63d7d4 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -166,7 +166,6 @@
* Handshake specific crypto variables
*/
int sig_alg; /*!< Hash algorithm for signature */
- int cert_type; /*!< Requested cert type */
int verify_sig_alg; /*!< Signature algorithm for verify */
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
diff --git a/include/mbedtls/threading.h b/include/mbedtls/threading.h
index c39cbf2..b0c34ec 100644
--- a/include/mbedtls/threading.h
+++ b/include/mbedtls/threading.h
@@ -81,6 +81,7 @@
void mbedtls_threading_free_alt( void );
#endif /* MBEDTLS_THREADING_ALT */
+#if defined(MBEDTLS_THREADING_C)
/*
* The function pointers for mutex_init, mutex_free, mutex_ and mutex_unlock
*
@@ -96,6 +97,7 @@
*/
extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
+#endif /* MBEDTLS_THREADING_C */
#ifdef __cplusplus
}
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index df2a1a7..ea2966e 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -39,16 +39,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 2
-#define MBEDTLS_VERSION_PATCH 0
+#define MBEDTLS_VERSION_PATCH 1
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02020000
-#define MBEDTLS_VERSION_STRING "2.2.0"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.2.0"
+#define MBEDTLS_VERSION_NUMBER 0x02020100
+#define MBEDTLS_VERSION_STRING "2.2.1"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.2.1"
#if defined(MBEDTLS_VERSION_C)
diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h
index c50c4ef..7988439 100644
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_x509_crl.h
+ * \file x509_crl.h
*
* \brief X.509 certificate revocation list parsing
*
@@ -100,6 +100,7 @@
*
* \param chain points to the start of the chain
* \param buf buffer holding the CRL data in DER format
+ * \param buflen size of the buffer
* (including the terminating null byte for PEM data)
*
* \return 0 if successful, or a specific X509 or PEM error code
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 294f36a..41b6bfe 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_x509_crt.h
+ * \file x509_crt.h
*
* \brief X.509 certificate parsing and writing
*
@@ -271,9 +271,14 @@
* \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
* default security profile.
*
- * \param crt a certificate to be verified
- * \param trust_ca the trusted CA chain
- * \param ca_crl the CRL chain for trusted CA's
+ * \note It is your responsibility to provide up-to-date CRLs for
+ * all trusted CAs. If no CRL is provided for the CA that was
+ * used to sign the certificate, CRL verification is skipped
+ * silently, that is *without* setting any flag.
+ *
+ * \param crt a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl the list of CRLs for trusted CAs (see note above)
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)
* \param flags result of the verification
@@ -304,9 +309,9 @@
* for ECDSA) apply to all certificates: trusted root,
* intermediate CAs if any, and end entity certificate.
*
- * \param crt a certificate to be verified
- * \param trust_ca the trusted CA chain
- * \param ca_crl the CRL chain for trusted CA's
+ * \param crt a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl the list of CRLs for trusted CAs
* \param profile security profile for verification
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index 98c75bc..7a9c2e0 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -1,5 +1,5 @@
/**
- * \file mbedtls_x509_csr.h
+ * \file x509_csr.h
*
* \brief X.509 certificate signing request parsing and writing
*
@@ -83,6 +83,8 @@
/**
* \brief Load a Certificate Signing Request (CSR) in DER format
*
+ * \note CSR attributes (if any) are currently silently ignored.
+ *
* \param csr CSR context to fill
* \param buf buffer holding the CRL data
* \param buflen size of the buffer
@@ -95,6 +97,8 @@
/**
* \brief Load a Certificate Signing Request (CSR), DER or PEM format
*
+ * \note See notes for \c mbedtls_x509_csr_parse_der()
+ *
* \param csr CSR context to fill
* \param buf buffer holding the CRL data
* \param buflen size of the buffer
@@ -108,6 +112,8 @@
/**
* \brief Load a Certificate Signing Request (CSR)
*
+ * \note See notes for \c mbedtls_x509_csr_parse()
+ *
* \param csr CSR context to fill
* \param path filename to read the CSR from
*
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index a59bcf2..71d5485 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -139,15 +139,15 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto})
- set_target_properties(mbedcrypto PROPERTIES VERSION 2.2.0 SOVERSION 0)
+ set_target_properties(mbedcrypto PROPERTIES VERSION 2.2.1 SOVERSION 0)
target_link_libraries(mbedcrypto ${libs})
add_library(mbedx509 SHARED ${src_x509})
- set_target_properties(mbedx509 PROPERTIES VERSION 2.2.0 SOVERSION 0)
+ set_target_properties(mbedx509 PROPERTIES VERSION 2.2.1 SOVERSION 0)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
add_library(mbedtls SHARED ${src_tls})
- set_target_properties(mbedtls PROPERTIES VERSION 2.2.0 SOVERSION 10)
+ set_target_properties(mbedtls PROPERTIES VERSION 2.2.1 SOVERSION 10)
target_link_libraries(mbedtls ${libs} mbedx509)
install(TARGETS mbedtls mbedx509 mbedcrypto
diff --git a/library/Makefile b/library/Makefile
index 7d25343..00528b3 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -90,9 +90,9 @@
# tls
libmbedtls.a: $(OBJS_TLS)
echo " AR $@"
- $(AR) rc $@ $(OBJS_TLS)
+ $(AR) -rc $@ $(OBJS_TLS)
echo " RL $@"
- $(AR) s $@
+ $(AR) -s $@
libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so
echo " LD $@"
@@ -113,9 +113,9 @@
# x509
libmbedx509.a: $(OBJS_X509)
echo " AR $@"
- $(AR) rc $@ $(OBJS_X509)
+ $(AR) -rc $@ $(OBJS_X509)
echo " RL $@"
- $(AR) s $@
+ $(AR) -s $@
libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
echo " LD $@"
@@ -136,9 +136,9 @@
# crypto
libmbedcrypto.a: $(OBJS_CRYPTO)
echo " AR $@"
- $(AR) rc $@ $(OBJS_CRYPTO)
+ $(AR) -rc $@ $(OBJS_CRYPTO)
echo " RL $@"
- $(AR) s $@
+ $(AR) -s $@
libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO)
echo " LD $@"
diff --git a/library/asn1write.c b/library/asn1write.c
index 456660d..00ed73c 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -339,19 +339,18 @@
}
else if( cur->val.len < val_len )
{
- // Enlarge existing value buffer if needed
- //
- mbedtls_free( cur->val.p );
- cur->val.p = NULL;
-
- cur->val.len = val_len;
- cur->val.p = mbedtls_calloc( 1, val_len );
- if( cur->val.p == NULL )
- {
- mbedtls_free( cur->oid.p );
- mbedtls_free( cur );
+ /*
+ * Enlarge existing value buffer if needed
+ * Preserve old data until the allocation succeeded, to leave list in
+ * a consistent state in case allocation fails.
+ */
+ void *p = mbedtls_calloc( 1, val_len );
+ if( p == NULL )
return( NULL );
- }
+
+ mbedtls_free( cur->val.p );
+ cur->val.p = p;
+ cur->val.len = val_len;
}
if( val != NULL )
diff --git a/library/bignum.c b/library/bignum.c
index ca05f77..4536a3b 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -33,7 +33,7 @@
* [3] GNU Multi-Precision Arithmetic Library
* https://gmplib.org/manual/index.html
*
-*/
+ */
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
@@ -59,8 +59,8 @@
#endif
/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n ) {
+ volatile mbedtls_mpi_uint *p = v; while( n-- ) *p++ = 0;
}
#define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */
@@ -99,7 +99,7 @@
if( X->p != NULL )
{
- mbedtls_zeroize( X->p, X->n * ciL );
+ mbedtls_mpi_zeroize( X->p, X->n );
mbedtls_free( X->p );
}
@@ -126,7 +126,7 @@
if( X->p != NULL )
{
memcpy( p, X->p, X->n * ciL );
- mbedtls_zeroize( X->p, X->n * ciL );
+ mbedtls_mpi_zeroize( X->p, X->n );
mbedtls_free( X->p );
}
@@ -164,7 +164,7 @@
if( X->p != NULL )
{
memcpy( p, X->p, i * ciL );
- mbedtls_zeroize( X->p, X->n * ciL );
+ mbedtls_mpi_zeroize( X->p, X->n );
mbedtls_free( X->p );
}
@@ -883,7 +883,7 @@
{
int ret;
size_t i, j;
- mbedtls_mpi_uint *o, *p, c;
+ mbedtls_mpi_uint *o, *p, c, tmp;
if( X == B )
{
@@ -906,10 +906,14 @@
o = B->p; p = X->p; c = 0;
+ /*
+ * tmp is used because it might happen that p == o
+ */
for( i = 0; i < j; i++, o++, p++ )
{
+ tmp= *o;
*p += c; c = ( *p < c );
- *p += *o; c += ( *p < *o );
+ *p += tmp; c += ( *p < tmp );
}
while( c != 0 )
@@ -1212,23 +1216,30 @@
}
/*
- * Unsigned integer divide - 64bit dividend and 32bit divisor
+ * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
+ * mbedtls_mpi_uint divisor, d
*/
-static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
- mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r)
+static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
+ mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r )
{
#if defined(MBEDTLS_HAVE_UDBL)
mbedtls_t_udbl dividend, quotient;
+#else
+ const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
+ const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1;
+ mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
+ mbedtls_mpi_uint u0_msw, u0_lsw;
+ size_t s;
#endif
/*
* Check for overflow
*/
- if(( 0 == d ) || ( u1 >= d ))
+ if( 0 == d || u1 >= d )
{
- if (r != NULL) *r = (~0);
+ if (r != NULL) *r = ~0;
- return (~0);
+ return ( ~0 );
}
#if defined(MBEDTLS_HAVE_UDBL)
@@ -1239,14 +1250,10 @@
quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1;
if( r != NULL )
- *r = dividend - (quotient * d);
+ *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) );
return (mbedtls_mpi_uint) quotient;
#else
- const mbedtls_mpi_uint radix = 1 << biH;
- mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
- mbedtls_mpi_uint u0_msw, u0_lsw;
- int s;
/*
* Algorithm D, Section 4.3.1 - The Art of Computer Programming
@@ -1260,14 +1267,14 @@
d = d << s;
u1 = u1 << s;
- u1 |= (u0 >> (32 - s)) & ( (-s) >> 31);
+ u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );
u0 = u0 << s;
d1 = d >> biH;
- d0 = d & 0xffff;
+ d0 = d & uint_halfword_mask;
u0_msw = u0 >> biH;
- u0_lsw = u0 & 0xffff;
+ u0_lsw = u0 & uint_halfword_mask;
/*
* Find the first quotient and remainder
@@ -1283,7 +1290,7 @@
if ( r0 >= radix ) break;
}
- rAX = (u1 * radix) + (u0_msw - q1 * d);
+ rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
q0 = rAX / d1;
r0 = rAX - q0 * d1;
@@ -1296,7 +1303,7 @@
}
if (r != NULL)
- *r = (rAX * radix + u0_lsw - q0 * d) >> s;
+ *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
quotient = q1 * radix + q0;
@@ -1535,12 +1542,15 @@
/*
* Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
*/
-static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
+static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
const mbedtls_mpi *T )
{
size_t i, n, m;
mbedtls_mpi_uint u0, u1, *d;
+ if( T->n < N->n + 1 || T->p == NULL )
+ return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
memset( T->p, 0, T->n * ciL );
d = T->p;
@@ -1568,12 +1578,14 @@
else
/* prevent timing attacks */
mpi_sub_hlp( n, A->p, T->p );
+
+ return( 0 );
}
/*
* Montgomery reduction: A = A * R^-1 mod N
*/
-static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, mbedtls_mpi_uint mm, const mbedtls_mpi *T )
+static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, mbedtls_mpi_uint mm, const mbedtls_mpi *T )
{
mbedtls_mpi_uint z = 1;
mbedtls_mpi U;
@@ -1581,7 +1593,7 @@
U.n = U.s = (int) z;
U.p = &z;
- mpi_montmul( A, &U, N, mm, T );
+ return( mpi_montmul( A, &U, N, mm, T ) );
}
/*
@@ -1658,13 +1670,13 @@
else
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
- mpi_montmul( &W[1], &RR, N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montmul( &W[1], &RR, N, mm, &T ) );
/*
* X = R^2 * R^-1 mod N = R mod N
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
- mpi_montred( X, N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
if( wsize > 1 )
{
@@ -1677,7 +1689,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
for( i = 0; i < wsize - 1; i++ )
- mpi_montmul( &W[j], &W[j], N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montmul( &W[j], &W[j], N, mm, &T ) );
/*
* W[i] = W[i - 1] * W[1]
@@ -1687,7 +1699,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
- mpi_montmul( &W[i], &W[1], N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montmul( &W[i], &W[1], N, mm, &T ) );
}
}
@@ -1724,7 +1736,7 @@
/*
* out of window, square X
*/
- mpi_montmul( X, X, N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
continue;
}
@@ -1742,12 +1754,12 @@
* X = X^wsize R^-1 mod N
*/
for( i = 0; i < wsize; i++ )
- mpi_montmul( X, X, N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
/*
* X = X * W[wbits] R^-1 mod N
*/
- mpi_montmul( X, &W[wbits], N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montmul( X, &W[wbits], N, mm, &T ) );
state--;
nbits = 0;
@@ -1760,18 +1772,18 @@
*/
for( i = 0; i < nbits; i++ )
{
- mpi_montmul( X, X, N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
wbits <<= 1;
if( ( wbits & ( one << wsize ) ) != 0 )
- mpi_montmul( X, &W[1], N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montmul( X, &W[1], N, mm, &T ) );
}
/*
* X = A^E * R * R^-1 mod N = A^E mod N
*/
- mpi_montred( X, N, mm, &T );
+ MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
if( neg )
{
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index aefddfa..386f8ad 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -67,8 +67,8 @@
}
/*
- * Non-public function wrapped by ctr_crbg_init(). Necessary to allow NIST
- * tests to succeed (which require known length fixed entropy)
+ * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
+ * NIST tests to succeed (which require known length fixed entropy)
*/
int mbedtls_ctr_drbg_seed_entropy_len(
mbedtls_ctr_drbg_context *ctx,
diff --git a/library/debug.c b/library/debug.c
index 4752ab1..a032478 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -27,21 +27,22 @@
#if defined(MBEDTLS_DEBUG_C)
-#include "mbedtls/debug.h"
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdlib.h>
#define mbedtls_calloc calloc
#define mbedtls_free free
+#define mbedtls_time_t time_t
#define mbedtls_snprintf snprintf
#endif
+#include "mbedtls/debug.h"
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
!defined(inline) && !defined(__cplusplus)
#define inline __inline
diff --git a/library/dhm.c b/library/dhm.c
index 0f4d316..a4715d1 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -19,9 +19,12 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
- * Reference:
+ * The following sources were referenced in the design of this implementation
+ * of the Diffie-Hellman-Merkle algorithm:
*
- * http://www.cacr.math.uwaterloo.ca/hac/ (chapter 12)
+ * [1] Handbook of Applied Cryptography - 1997, Chapter 12
+ * Menezes, van Oorschot and Vanstone
+ *
*/
#if !defined(MBEDTLS_CONFIG_FILE)
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index 25a27be..e2f45c7 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -39,6 +39,12 @@
#endif
#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32)
+#error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
+#endif
+
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
#if !defined(_WIN32_WINNT)
@@ -61,7 +67,10 @@
}
if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE )
+ {
+ CryptReleaseContext( provider, 0 );
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+ }
CryptReleaseContext( provider, 0 );
*olen = len;
diff --git a/library/gcm.c b/library/gcm.c
index 4298254..aaacf97 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -362,7 +362,7 @@
/* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
* Also check for possible overflow */
if( ctx->len + length < ctx->len ||
- (uint64_t) ctx->len + length > 0x03FFFFE0ull )
+ (uint64_t) ctx->len + length > 0xFFFFFFFE0ull )
{
return( MBEDTLS_ERR_GCM_BAD_INPUT );
}
diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c
index b2c775a..545d5a2 100644
--- a/library/memory_buffer_alloc.c
+++ b/library/memory_buffer_alloc.c
@@ -417,6 +417,12 @@
heap.total_used -= hdr->size;
#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ free( hdr->trace );
+ hdr->trace = NULL;
+ hdr->trace_count = 0;
+#endif
+
// Regroup with block before
//
if( hdr->prev != NULL && hdr->prev->alloc == 0 )
@@ -432,9 +438,6 @@
if( hdr->next != NULL )
hdr->next->prev = hdr;
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- free( old->trace );
-#endif
memset( old, 0, sizeof(memory_header) );
}
@@ -474,9 +477,6 @@
if( hdr->next != NULL )
hdr->next->prev = hdr;
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- free( old->trace );
-#endif
memset( old, 0, sizeof(memory_header) );
}
@@ -491,11 +491,6 @@
heap.first_free = hdr;
}
-#if defined(MBEDTLS_MEMORY_BACKTRACE)
- hdr->trace = NULL;
- hdr->trace_count = 0;
-#endif
-
if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_FREE ) && verify_chain() != 0 )
mbedtls_exit( 1 );
}
diff --git a/library/net.c b/library/net.c
index a77268c..4142bc0 100644
--- a/library/net.c
+++ b/library/net.c
@@ -27,6 +27,18 @@
#if defined(MBEDTLS_NET_C)
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32)
+#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_time_t time_t
+#endif
+
#include "mbedtls/net.h"
#include <string.h>
@@ -81,7 +93,6 @@
#define MSVC_INT_CAST
#endif
-#include <stdlib.h>
#include <stdio.h>
#include <time.h>
diff --git a/library/pkcs12.c b/library/pkcs12.c
index 7023b9d..c603a13 100644
--- a/library/pkcs12.c
+++ b/library/pkcs12.c
@@ -93,7 +93,7 @@
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen )
{
- int ret, iterations;
+ int ret, iterations = 0;
mbedtls_asn1_buf salt;
size_t i;
unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
diff --git a/library/platform.c b/library/platform.c
index d634c62..89a2bd6 100644
--- a/library/platform.c
+++ b/library/platform.c
@@ -190,4 +190,27 @@
}
#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static mbedtls_time_t platform_time_uninit( mbedtls_time_t* timer )
+{
+ ((void) timer);
+ return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_TIME platform_time_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_TIME */
+
+mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* timer ) = MBEDTLS_PLATFORM_STD_TIME;
+
+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* timer ) )
+{
+ mbedtls_time = time_func;
+ return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
#endif /* MBEDTLS_PLATFORM_C */
diff --git a/library/rsa.c b/library/rsa.c
index 1f907b7..9386a76 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -19,10 +19,16 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
- * RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
+ * The following sources were referenced in the design of this implementation
+ * of the RSA algorithm:
*
- * http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
- * http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
+ * [1] A method for obtaining digital signatures and public-key cryptosystems
+ * R Rivest, A Shamir, and L Adleman
+ * http://people.csail.mit.edu/rivest/pubs.html#RSA78
+ *
+ * [2] Handbook of Applied Cryptography - 1997, Chapter 8
+ * Menezes, van Oorschot and Vanstone
+ *
*/
#if !defined(MBEDTLS_CONFIG_FILE)
@@ -96,7 +102,8 @@
if( f_rng == NULL || nbits < 128 || exponent < 3 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
- mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
+ mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 );
+ mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
/*
* find primes P and Q with Q < P so that:
@@ -106,14 +113,19 @@
do
{
- MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
+ MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
f_rng, p_rng ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
+ if( nbits % 2 )
+ {
+ MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, ( nbits >> 1 ) + 1, 0,
f_rng, p_rng ) );
-
- if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
- mbedtls_mpi_swap( &ctx->P, &ctx->Q );
+ }
+ else
+ {
+ MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
+ f_rng, p_rng ) );
+ }
if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
continue;
@@ -584,7 +596,8 @@
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
- if( f_rng == NULL )
+ // We don't check p_rng because it won't be dereferenced here
+ if( f_rng == NULL || input == NULL || output == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
olen = ctx->len;
@@ -791,7 +804,12 @@
int ret;
size_t ilen, pad_count = 0, i;
unsigned char *p, bad, pad_done = 0;
+#ifdef __clang_analyzer__
+ /* Shut up Clang, mbedtls_rsa_public/private writes to this */
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { };
+#else
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+#endif
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -1086,10 +1104,16 @@
* temporary buffer and check it before returning it.
*/
sig_try = mbedtls_calloc( 1, ctx->len );
- verif = mbedtls_calloc( 1, ctx->len );
- if( sig_try == NULL || verif == NULL )
+ if( sig_try == NULL )
return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+ verif = mbedtls_calloc( 1, ctx->len );
+ if( verif == NULL )
+ {
+ mbedtls_free( sig_try );
+ return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+ }
+
MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
@@ -1163,13 +1187,18 @@
int ret;
size_t siglen;
unsigned char *p;
- unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
unsigned char result[MBEDTLS_MD_MAX_SIZE];
unsigned char zeros[8];
unsigned int hlen;
size_t slen, msb;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
+#ifdef __clang_analyzer__
+ /* Shut up Clang, mbedtls_rsa_public/private writes to this */
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { };
+#else
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+#endif
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -1308,10 +1337,15 @@
int ret;
size_t len, siglen, asn1_len;
unsigned char *p, *end;
- unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
mbedtls_md_type_t msg_md_alg;
const mbedtls_md_info_t *md_info;
mbedtls_asn1_buf oid;
+#ifdef __clang_analyzer__
+ /* Shut up Clang, mbedtls_rsa_public/private writes to this */
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { };
+#else
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+#endif
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
diff --git a/library/sha512.c b/library/sha512.c
index af610bb..0f9e1e5 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -89,53 +89,6 @@
}
#endif /* PUT_UINT64_BE */
-/*
- * Round constants
- */
-static const uint64_t K[80] =
-{
- UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
- UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
- UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
- UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
- UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
- UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
- UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
- UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
- UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
- UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
- UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
- UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
- UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
- UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
- UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
- UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
- UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
- UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
- UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
- UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
- UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
- UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
- UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
- UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
- UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
- UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
- UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
- UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
- UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
- UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
- UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
- UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
- UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
- UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
- UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
- UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
- UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
- UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
- UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
- UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
-};
-
void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_sha512_context ) );
@@ -192,6 +145,54 @@
}
#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
+
+/*
+ * Round constants
+ */
+static const uint64_t K[80] =
+{
+ UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
+ UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
+ UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
+ UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
+ UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
+ UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
+ UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
+ UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
+ UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
+ UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
+ UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
+ UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
+ UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
+ UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
+ UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
+ UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
+ UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
+ UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
+ UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
+ UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
+ UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
+ UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
+ UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
+ UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
+ UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
+ UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
+ UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
+ UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
+ UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
+ UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
+ UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
+ UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
+ UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
+ UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
+ UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
+ UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
+ UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
+ UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
+ UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
+ UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
+};
+
void mbedtls_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[128] )
{
int i;
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index 711bc53..01c66ae 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -31,18 +31,20 @@
#if defined(MBEDTLS_SSL_CACHE_C)
-#include "mbedtls/ssl_cache.h"
-
-#include <string.h>
-
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdlib.h>
#define mbedtls_calloc calloc
-#define mbedtls_free free
+#define mbedtls_free free
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#endif
+#include "mbedtls/ssl_cache.h"
+
+#include <string.h>
+
void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
{
memset( cache, 0, sizeof( mbedtls_ssl_cache_context ) );
@@ -59,7 +61,7 @@
{
int ret = 1;
#if defined(MBEDTLS_HAVE_TIME)
- time_t t = time( NULL );
+ mbedtls_time_t t = mbedtls_time( NULL );
#endif
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
mbedtls_ssl_cache_entry *cur, *entry;
@@ -138,7 +140,7 @@
{
int ret = 1;
#if defined(MBEDTLS_HAVE_TIME)
- time_t t = time( NULL ), oldest = 0;
+ mbedtls_time_t t = time( NULL ), oldest = 0;
mbedtls_ssl_cache_entry *old = NULL;
#endif
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 949b9ed..3546331 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -29,10 +29,16 @@
#if defined(MBEDTLS_SSL_TLS_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_time_t time_t
+#endif
+
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl.h"
-// #include <stdlib.h>
#include <string.h>
/*
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 9663fae..509484e 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -27,20 +27,22 @@
#if defined(MBEDTLS_SSL_CLI_C)
-#include "mbedtls/debug.h"
-#include "mbedtls/ssl.h"
-#include "mbedtls/ssl_internal.h"
-
-#include <string.h>
-
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdlib.h>
#define mbedtls_calloc calloc
-#define mbedtls_free free
+#define mbedtls_free free
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#endif
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+
+#include <string.h>
+
#include <stdint.h>
#if defined(MBEDTLS_HAVE_TIME)
@@ -265,11 +267,16 @@
#if defined(MBEDTLS_ECP_C)
for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
{
- info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
#else
for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
{
#endif
+ if( info == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
+ return;
+ }
+
elliptic_curve_len += 2;
}
@@ -289,7 +296,6 @@
for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
{
#endif
-
elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
}
@@ -664,7 +670,7 @@
int ret;
unsigned char *p = ssl->handshake->randbytes;
#if defined(MBEDTLS_HAVE_TIME)
- time_t t;
+ mbedtls_time_t t;
#endif
/*
@@ -679,7 +685,7 @@
#endif
#if defined(MBEDTLS_HAVE_TIME)
- t = time( NULL );
+ t = mbedtls_time( NULL );
*p++ = (unsigned char)( t >> 24 );
*p++ = (unsigned char)( t >> 16 );
*p++ = (unsigned char)( t >> 8 );
@@ -1587,7 +1593,7 @@
ssl->state++;
ssl->handshake->resume = 0;
#if defined(MBEDTLS_HAVE_TIME)
- ssl->session_negotiate->start = time( NULL );
+ ssl->session_negotiate->start = mbedtls_time( NULL );
#endif
ssl->session_negotiate->ciphersuite = i;
ssl->session_negotiate->compression = comp;
@@ -1981,8 +1987,11 @@
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
- // TODO: Retrieve PSK identity hint and callback to app
- //
+ /*
+ * Note: we currently ignore the PKS identity hint, as we only allow one
+ * PSK to be provisionned on the client. This could be changed later if
+ * someone needs that feature.
+ */
*p += len;
ret = 0;
@@ -2096,7 +2105,7 @@
*/
if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used unsupported "
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
"HashAlgorithm %d", *(p)[0] ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2106,7 +2115,7 @@
*/
if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used unsupported "
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
"SignatureAlgorithm %d", (*p)[1] ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2116,7 +2125,7 @@
*/
if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used HashAlgorithm "
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm "
"that was not offered" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2529,8 +2538,8 @@
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
{
int ret;
- unsigned char *buf, *p;
- size_t n = 0, m = 0;
+ unsigned char *buf;
+ size_t n = 0;
size_t cert_type_len = 0, dn_len = 0;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
@@ -2578,9 +2587,6 @@
ssl->record_read = 0;
- // TODO: handshake_failure alert for an anonymous server to request
- // client authentication
-
/*
* struct {
* ClientCertificateType certificate_types<1..2^8-1>;
@@ -2588,11 +2594,26 @@
* supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
* DistinguishedName certificate_authorities<0..2^16-1>;
* } CertificateRequest;
+ *
+ * Since we only support a single certificate on clients, let's just
+ * ignore all the information that's supposed to help us pick a
+ * certificate.
+ *
+ * We could check that our certificate matches the request, and bail out
+ * if it doesn't, but it's simpler to just send the certificate anyway,
+ * and give the server the opportunity to decide if it should terminate
+ * the connection when it doesn't like our certificate.
+ *
+ * Same goes for the hash in TLS 1.2's signature_algorithms: at this
+ * point we only have one hash available (see comments in
+ * write_certificate_verify), so let's just use what we have.
+ *
+ * However, we still minimally parse the message to check it is at least
+ * superficially sane.
*/
buf = ssl->in_msg;
- // Retrieve cert types
- //
+ /* certificate_types */
cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
n = cert_type_len;
@@ -2602,45 +2623,14 @@
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
}
- p = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 1;
- while( cert_type_len > 0 )
- {
-#if defined(MBEDTLS_RSA_C)
- if( *p == MBEDTLS_SSL_CERT_TYPE_RSA_SIGN &&
- mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
- {
- ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
- break;
- }
- else
-#endif
-#if defined(MBEDTLS_ECDSA_C)
- if( *p == MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN &&
- mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
- {
- ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
- break;
- }
- else
-#endif
- {
- ; /* Unsupported cert type, ignore */
- }
-
- cert_type_len--;
- p++;
- }
-
+ /* supported_signature_algorithms */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
- /* Ignored, see comments about hash in write_certificate_verify */
- // TODO: should check the signature part against our pk_key though
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
- m += 2;
- n += sig_alg_len;
+ n += 2 + sig_alg_len;
if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
{
@@ -2650,13 +2640,12 @@
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- /* Ignore certificate_authorities, we only have one cert anyway */
- // TODO: should not send cert if no CA matches
- dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + m + n] << 8 )
- | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + m + n] ) );
+ /* certificate_authorities */
+ dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
+ | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
n += dn_len;
- if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + m + n )
+ if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index 7e0c573..f241c86 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -31,16 +31,18 @@
#if defined(MBEDTLS_SSL_COOKIE_C)
-#include "mbedtls/ssl_cookie.h"
-#include "mbedtls/ssl_internal.h"
-
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#define mbedtls_calloc calloc
-#define mbedtls_free free
+#define mbedtls_free free
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#endif
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+
#include <string.h>
/* Implementation that should never be optimized out by the compiler */
@@ -172,7 +174,7 @@
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
#if defined(MBEDTLS_HAVE_TIME)
- t = (unsigned long) time( NULL );
+ t = (unsigned long) mbedtls_time( NULL );
#else
t = ctx->serial++;
#endif
@@ -242,7 +244,7 @@
return( -1 );
#if defined(MBEDTLS_HAVE_TIME)
- cur_time = (unsigned long) time( NULL );
+ cur_time = (unsigned long) mbedtls_time( NULL );
#else
cur_time = ctx->serial;
#endif
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 9afd399..9fc21a5 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -27,6 +27,16 @@
#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc calloc
+#define mbedtls_free free
+#define mbedtls_time time
+#define mbedtls_time_t time_t
+#endif
+
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/ssl_internal.h"
@@ -37,14 +47,6 @@
#include "mbedtls/ecp.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
-
#if defined(MBEDTLS_HAVE_TIME)
#include <time.h>
#endif
@@ -2210,7 +2212,7 @@
static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_HAVE_TIME)
- time_t t;
+ mbedtls_time_t t;
#endif
int ret;
size_t olen, ext_len = 0, n;
@@ -2253,7 +2255,7 @@
buf[4], buf[5] ) );
#if defined(MBEDTLS_HAVE_TIME)
- t = time( NULL );
+ t = mbedtls_time( NULL );
*p++ = (unsigned char)( t >> 24 );
*p++ = (unsigned char)( t >> 16 );
*p++ = (unsigned char)( t >> 8 );
@@ -2302,7 +2304,7 @@
ssl->state++;
#if defined(MBEDTLS_HAVE_TIME)
- ssl->session_negotiate->start = time( NULL );
+ ssl->session_negotiate->start = mbedtls_time( NULL );
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
@@ -2584,7 +2586,9 @@
{
dn_size = crt->subject_raw.len;
- if( end < p || (size_t)( end - p ) < 2 + dn_size )
+ if( end < p ||
+ (size_t)( end - p ) < dn_size ||
+ (size_t)( end - p ) < 2 + dn_size )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
break;
@@ -2716,7 +2720,8 @@
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
{
- /* TODO: Support identity hints */
+ /* Note: we don't support identity hints, until someone asks
+ * for them. */
*(p++) = 0x00;
*(p++) = 0x00;
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 0e27900..5d77403 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -27,16 +27,18 @@
#if defined(MBEDTLS_SSL_TICKET_C)
-#include "mbedtls/ssl_ticket.h"
-
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdlib.h>
#define mbedtls_calloc calloc
-#define mbedtls_free free
+#define mbedtls_free free
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#endif
+#include "mbedtls/ssl_ticket.h"
+
#include <string.h>
/* Implementation that should never be optimized out by the compiler */
@@ -69,7 +71,7 @@
mbedtls_ssl_ticket_key *key = ctx->keys + index;
#if defined(MBEDTLS_HAVE_TIME)
- key->generation_time = (uint32_t) time( NULL );
+ key->generation_time = (uint32_t) mbedtls_time( NULL );
#endif
if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
@@ -98,7 +100,7 @@
#else
if( ctx->ticket_lifetime != 0 )
{
- uint32_t current_time = (uint32_t) time( NULL );
+ uint32_t current_time = (uint32_t) mbedtls_time( NULL );
uint32_t key_time = ctx->keys[ctx->active].generation_time;
if( current_time > key_time &&
@@ -451,7 +453,7 @@
#if defined(MBEDTLS_HAVE_TIME)
{
/* Check for expiration */
- time_t current_time = time( NULL );
+ mbedtls_time_t current_time = mbedtls_time( NULL );
if( current_time < session->start ||
(uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index aa473e9..9208ec9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -35,6 +35,15 @@
#if defined(MBEDTLS_SSL_TLS_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc calloc
+#define mbedtls_free free
+#define mbedtls_time_t time_t
+#endif
+
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/ssl_internal.h"
@@ -46,14 +55,6 @@
#include "mbedtls/oid.h"
#endif
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#endif
-
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
@@ -2708,7 +2709,7 @@
*/
int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
{
- int ret, done = 0;
+ int ret, done = 0, out_msg_type;
size_t len = ssl->out_msglen;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
@@ -2724,7 +2725,9 @@
#endif
if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
{
- if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST &&
+ out_msg_type = ssl->out_msg[0];
+
+ if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST &&
ssl->handshake == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
@@ -2751,7 +2754,7 @@
len += 8;
/* Write message_seq and update it, except for HelloRequest */
- if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST )
+ if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
{
ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
@@ -2769,7 +2772,7 @@
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
- if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST )
+ if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
}
@@ -3706,10 +3709,6 @@
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
return( ret );
}
-
- // TODO: what's the purpose of these lines? is in_len used?
- ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
- ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
}
#endif /* MBEDTLS_ZLIB_SUPPORT */
@@ -5015,7 +5014,12 @@
ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
- // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
+ /*
+ * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
+ * may define some other value. Currently (early 2016), no defined
+ * ciphersuite does this (and this is unlikely to change as activity has
+ * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
+ */
hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
#if defined(MBEDTLS_SSL_RENEGOTIATION)
@@ -5597,9 +5601,9 @@
void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
void *p_bio,
- int (*f_send)(void *, const unsigned char *, size_t),
- int (*f_recv)(void *, unsigned char *, size_t),
- int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t) )
+ mbedtls_ssl_send_t *f_send,
+ mbedtls_ssl_recv_t *f_recv,
+ mbedtls_ssl_recv_timeout_t *f_recv_timeout )
{
ssl->p_bio = p_bio;
ssl->f_send = f_send;
@@ -5614,8 +5618,8 @@
void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
void *p_timer,
- void (*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms),
- int (*f_get_timer)(void *) )
+ mbedtls_ssl_set_timer_t *f_set_timer,
+ mbedtls_ssl_get_timer_t *f_get_timer )
{
ssl->p_timer = p_timer;
ssl->f_set_timer = f_set_timer;
@@ -6949,7 +6953,8 @@
#endif
#endif
-#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/* explicit void pointer cast for buggy MS compiler */
mbedtls_free( (void *) handshake->curves );
#endif
@@ -7097,6 +7102,23 @@
memset( conf, 0, sizeof( mbedtls_ssl_config ) );
}
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static int ssl_preset_default_hashes[] = {
+#if defined(MBEDTLS_SHA512_C)
+ MBEDTLS_MD_SHA512,
+ MBEDTLS_MD_SHA384,
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_MD_SHA224,
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ MBEDTLS_MD_SHA1,
+#endif
+ MBEDTLS_MD_NONE
+};
+#endif
+
static int ssl_preset_suiteb_ciphersuites[] = {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@@ -7253,7 +7275,7 @@
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
- conf->sig_hashes = mbedtls_md_list();
+ conf->sig_hashes = ssl_preset_default_hashes;
#endif
#if defined(MBEDTLS_ECP_C)
diff --git a/library/timing.c b/library/timing.c
index 5d8b25b..a7c7ff0 100644
--- a/library/timing.c
+++ b/library/timing.c
@@ -38,6 +38,11 @@
#if !defined(MBEDTLS_TIMING_ALT)
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32)
+#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
+#endif
+
#ifndef asm
#define asm __asm
#endif
diff --git a/library/version_features.c b/library/version_features.c
index 1575e09..b852ca8 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -54,6 +54,9 @@
#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
"MBEDTLS_PLATFORM_EXIT_ALT",
#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+ "MBEDTLS_PLATFORM_TIME_ALT",
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
"MBEDTLS_PLATFORM_FPRINTF_ALT",
#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
diff --git a/library/x509.c b/library/x509.c
index ffc3d6c..a0df817 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -53,10 +53,12 @@
#else
#include <stdio.h>
#include <stdlib.h>
-#define mbedtls_free free
+#define mbedtls_free free
#define mbedtls_calloc calloc
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
+#define mbedtls_time time
+#define mbedtls_time_t time_t
+#define mbedtls_printf printf
+#define mbedtls_snprintf snprintf
#endif
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
@@ -843,7 +845,7 @@
static int x509_get_current_time( mbedtls_x509_time *now )
{
struct tm *lt;
- time_t tt;
+ mbedtls_time_t tt;
int ret = 0;
#if defined(MBEDTLS_THREADING_C)
@@ -851,7 +853,7 @@
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
#endif
- tt = time( NULL );
+ tt = mbedtls_time( NULL );
lt = gmtime( &tt );
if( lt == NULL )
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 91e4f50..c3adf7c 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -516,9 +516,6 @@
/*
* X.509 v3 extensions
*
- * TODO: Perform all of the basic constraints tests required by the RFC
- * TODO: Set values for undetected extensions to a sane default?
- *
*/
static int x509_get_crt_ext( unsigned char **p,
const unsigned char *end,
@@ -680,14 +677,9 @@
if( crt == NULL || buf == NULL )
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
- p = mbedtls_calloc( 1, len = buflen );
- if( p == NULL )
- return( MBEDTLS_ERR_X509_ALLOC_FAILED );
-
- memcpy( p, buf, buflen );
-
- crt->raw.p = p;
- crt->raw.len = len;
+ // Use the original buffer until we figure out actual length
+ p = (unsigned char*) buf;
+ len = buflen;
end = p + len;
/*
@@ -711,6 +703,18 @@
}
crt_end = p + len;
+ // Create and populate a new buffer for the raw field
+ crt->raw.len = crt_end - buf;
+ crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len );
+ if( p == NULL )
+ return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+ memcpy( p, buf, crt->raw.len );
+
+ // Direct pointers to the new buffer
+ p += crt->raw.len - len;
+ end = crt_end = p + len;
+
/*
* TBSCertificate ::= SEQUENCE {
*/
@@ -1600,7 +1604,8 @@
}
/*
- * Check that the given certificate is valid according to the CRL.
+ * Check that the given certificate is not revoked according to the CRL.
+ * Skip validation is no CRL for the given CA is present.
*/
static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
mbedtls_x509_crl *crl_list,
@@ -1613,12 +1618,6 @@
if( ca == NULL )
return( flags );
- /*
- * TODO: What happens if no CRL is present?
- * Suggestion: Revocation state should be unknown if no CRL is present.
- * For backwards compatibility this is not yet implemented.
- */
-
while( crl_list != NULL )
{
if( crl_list->version == 0 ||
@@ -1940,6 +1939,16 @@
continue;
}
+ if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
+ {
+ continue;
+ }
+
+ if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+ {
+ continue;
+ }
+
if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
child->sig_md, hash, mbedtls_md_get_size( md_info ),
child->sig.p, child->sig.len ) != 0 )
@@ -1975,12 +1984,6 @@
((void) ca_crl);
#endif
- if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
- ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
-
- if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
- ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
-
if( NULL != f_vrfy )
{
if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
@@ -2253,18 +2256,8 @@
{
/* Look for a parent upwards the chain */
for( parent = crt->next; parent != NULL; parent = parent->next )
- {
- /* +2 because the current step is not yet accounted for
- * and because max_pathlen is one higher than it should be */
- if( parent->max_pathlen > 0 &&
- parent->max_pathlen < 2 + pathlen )
- {
- continue;
- }
-
if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
break;
- }
/* Are we part of the chain or at the top? */
if( parent != NULL )
diff --git a/library/x509_csr.c b/library/x509_csr.c
index dbf659b..603d06b 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -104,7 +104,7 @@
/*
* Check for valid input
*/
- if( csr == NULL || buf == NULL )
+ if( csr == NULL || buf == NULL || buflen == 0 )
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
mbedtls_x509_csr_init( csr );
@@ -207,6 +207,13 @@
/*
* attributes [0] Attributes
+ *
+ * The list of possible attributes is open-ended, though RFC 2985
+ * (PKCS#9) defines a few in section 5.4. We currently don't support any,
+ * so we just ignore them. This is a safe thing to do as the worst thing
+ * that could happen is that we issue a certificate that does not match
+ * the requester's expectations - this cannot cause a violation of our
+ * signature policies.
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
@@ -214,7 +221,6 @@
mbedtls_x509_csr_free( csr );
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
}
- // TODO Parse Attributes / extension requests
p += len;
@@ -268,14 +274,14 @@
/*
* Check for valid input
*/
- if( csr == NULL || buf == NULL )
+ if( csr == NULL || buf == NULL || buflen == 0 )
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
#if defined(MBEDTLS_PEM_PARSE_C)
mbedtls_pem_init( &pem );
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if( buflen == 0 || buf[buflen - 1] != '\0' )
+ if( buf[buflen - 1] != '\0' )
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
else
ret = mbedtls_pem_read_buffer( &pem,
diff --git a/programs/hash/generic_sum.c b/programs/hash/generic_sum.c
index f071d31..7805a79 100644
--- a/programs/hash/generic_sum.c
+++ b/programs/hash/generic_sum.c
@@ -83,7 +83,7 @@
int nb_err1, nb_err2;
int nb_tot1, nb_tot2;
unsigned char sum[MBEDTLS_MD_MAX_SIZE];
- char buf[MBEDTLS_MD_MAX_SIZE * 2 + 1], line[1024];
+ char buf[MBEDTLS_MD_MAX_SIZE * 2 + 1] = { }, line[1024];
char diff;
if( ( f = fopen( filename, "rb" ) ) == NULL )
diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c
index d613124..d3954c5 100644
--- a/programs/ssl/mini_client.c
+++ b/programs/ssl/mini_client.c
@@ -36,19 +36,21 @@
* This is not a good example for general use. This programs has the specific
* goal of minimizing use of the libc functions on full-blown OSes.
*/
-#if defined(unix) || defined(__unix__) || defined(__unix)
+#if defined(unix) || defined(__unix__) || defined(__unix) || defined(__APPLE__)
#define UNIX
#endif
#if !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(UNIX)
+
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#define mbedtls_printf printf
#endif
+
int main( void )
{
mbedtls_printf( "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_ENTROPY_C and/or "
@@ -58,6 +60,15 @@
}
#else
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_time_t time_t
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif
+
#include <string.h>
#include "mbedtls/net.h"
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 1aeddf7..3516e15 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -29,6 +29,9 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf
#endif
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 559e502..78f9e00 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -29,6 +29,9 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#define mbedtls_printf printf
#define mbedtls_fprintf fprintf
#define mbedtls_snprintf snprintf
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 13ce5dd..545e2fb 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -127,7 +127,7 @@
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
+ mbedtls_printf( " failed! mbedtls_ctr_drbg_seed returned %d\n\n", ret );
goto exit;
}
@@ -148,7 +148,7 @@
mbedtls_test_srv_crt_len );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret );
+ mbedtls_printf( " failed! mbedtls_x509_crt_parse returned %d\n\n", ret );
goto exit;
}
@@ -156,7 +156,7 @@
mbedtls_test_cas_pem_len );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret );
+ mbedtls_printf( " failed! mbedtls_x509_crt_parse returned %d\n\n", ret );
goto exit;
}
@@ -164,7 +164,7 @@
mbedtls_test_srv_key_len, NULL, 0 );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
+ mbedtls_printf( " failed! mbedtls_pk_parse_key returned %d\n\n", ret );
goto exit;
}
@@ -181,7 +181,7 @@
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
+ mbedtls_printf( " failed! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}
@@ -191,7 +191,7 @@
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
+ mbedtls_printf( " failed! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
@@ -205,7 +205,7 @@
if( ( ret = mbedtls_net_bind( &listen_fd, NULL, "4433", MBEDTLS_NET_PROTO_TCP ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_net_bind returned %d\n\n", ret );
+ mbedtls_printf( " failed! mbedtls_net_bind returned %d\n\n", ret );
goto exit;
}
@@ -219,96 +219,101 @@
mbedtls_net_init( &client_fd );
mbedtls_ssl_init( &ssl );
- mbedtls_printf( " . Waiting for a remote connection ..." );
+ mbedtls_printf( " . Waiting for a remote connection ...\n" );
fflush( stdout );
if( ( ret = mbedtls_net_accept( &listen_fd, &client_fd,
NULL, 0, NULL ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_net_accept returned %d\n\n", ret );
+ mbedtls_printf( " failed! mbedtls_net_accept returned %d\n\n", ret );
goto exit;
}
- mbedtls_printf( " ok\n" );
-
/*
* 3.5. Forking server thread
*/
- pid = fork();
-
mbedtls_printf( " . Forking to handle connection ..." );
fflush( stdout );
+ pid = fork();
+
if( pid < 0 )
{
- mbedtls_printf(" failed\n ! fork returned %d\n\n", pid );
+ mbedtls_printf(" failed! fork returned %d\n\n", pid );
goto exit;
}
- mbedtls_printf( " ok\n" );
-
if( pid != 0 )
{
+ mbedtls_printf( " ok\n" );
+
if( ( ret = mbedtls_ctr_drbg_reseed( &ctr_drbg,
(const unsigned char *) "parent",
6 ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_reseed returned %d\n", ret );
+ mbedtls_printf( " failed! mbedtls_ctr_drbg_reseed returned %d\n\n", ret );
goto exit;
}
- mbedtls_net_free( &client_fd );
continue;
}
- mbedtls_net_free( &listen_fd );
+ mbedtls_net_init( &listen_fd );
+
+ pid = getpid();
/*
* 4. Setup stuff
*/
- mbedtls_printf( " . Setting up the SSL data...." );
+ mbedtls_printf( "pid %d: Setting up the SSL data.\n", pid );
fflush( stdout );
if( ( ret = mbedtls_ctr_drbg_reseed( &ctr_drbg,
(const unsigned char *) "child",
5 ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_reseed returned %d\n", ret );
+ mbedtls_printf(
+ "pid %d: SSL setup failed! mbedtls_ctr_drbg_reseed returned %d\n\n",
+ pid, ret );
goto exit;
}
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
+ mbedtls_printf(
+ "pid %d: SSL setup failed! mbedtls_ssl_setup returned %d\n\n",
+ pid, ret );
goto exit;
}
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
- mbedtls_printf( " ok\n" );
+ mbedtls_printf( "pid %d: SSL setup ok\n", pid );
/*
* 5. Handshake
*/
- mbedtls_printf( " . Performing the SSL/TLS handshake..." );
+ mbedtls_printf( "pid %d: Performing the SSL/TLS handshake.\n", pid );
fflush( stdout );
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
- mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret );
+ mbedtls_printf(
+ "pid %d: SSL handshake failed! mbedtls_ssl_handshake returned %d\n\n",
+ pid, ret );
goto exit;
}
}
- mbedtls_printf( " ok\n" );
+ mbedtls_printf( "pid %d: SSL handshake ok\n", pid );
/*
* 6. Read the HTTP Request
*/
- mbedtls_printf( " < Read from client:" );
+ mbedtls_printf( "pid %d: Start reading from client.\n", pid );
fflush( stdout );
do
@@ -325,15 +330,15 @@
switch( ret )
{
case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
- mbedtls_printf( " connection was closed gracefully\n" );
+ mbedtls_printf( "pid %d: connection was closed gracefully\n", pid );
break;
case MBEDTLS_ERR_NET_CONN_RESET:
- mbedtls_printf( " connection was reset by peer\n" );
+ mbedtls_printf( "pid %d: connection was reset by peer\n", pid );
break;
default:
- mbedtls_printf( " mbedtls_ssl_read returned %d\n", ret );
+ mbedtls_printf( "pid %d: mbedtls_ssl_read returned %d\n", pid, ret );
break;
}
@@ -341,7 +346,7 @@
}
len = ret;
- mbedtls_printf( " %d bytes read\n\n%s", len, (char *) buf );
+ mbedtls_printf( "pid %d: %d bytes read\n\n%s", pid, len, (char *) buf );
if( ret > 0 )
break;
@@ -351,7 +356,7 @@
/*
* 7. Write the 200 Response
*/
- mbedtls_printf( " > Write to client:" );
+ mbedtls_printf( "pid %d: Start writing to client.\n", pid );
fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE,
@@ -363,18 +368,21 @@
{
if( ret == MBEDTLS_ERR_NET_CONN_RESET )
{
- mbedtls_printf( " failed\n ! peer closed the connection\n\n" );
+ mbedtls_printf(
+ "pid %d: Write failed! peer closed the connection\n\n", pid );
goto exit;
}
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
- mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
+ mbedtls_printf(
+ "pid %d: Write failed! mbedtls_ssl_write returned %d\n\n",
+ pid, ret );
goto exit;
}
}
len = ret;
- mbedtls_printf( " %d bytes written\n\n%s\n", len, (char *) buf );
+ mbedtls_printf( "pid %d: %d bytes written\n\n%s\n", pid, len, (char *) buf );
mbedtls_net_usleep( 1000000 );
}
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 974c170..c807eb5 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -29,6 +29,9 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf
#endif
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 70efba9..c7f5267 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -29,6 +29,9 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf
#endif
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b586a70..6d4e916 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -29,7 +29,10 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
#define mbedtls_free free
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#define mbedtls_calloc calloc
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index fe5d514..6ca07bb 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -52,15 +52,18 @@
#include "mbedtls/ecjpake.h"
#include "mbedtls/timing.h"
-#include <stdio.h>
#include <string.h>
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
#define mbedtls_printf printf
#define mbedtls_snprintf snprintf
+#define mbedtls_exit exit
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
@@ -99,7 +102,7 @@
int main( int argc, char *argv[] )
{
- int ret = 0, v;
+ int v, suites_tested = 0, suites_failed = 0;
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
unsigned char buf[1000000];
#endif
@@ -114,7 +117,7 @@
if( pointer != NULL )
{
mbedtls_printf( "all-bits-zero is not a NULL pointer\n" );
- return( 1 );
+ mbedtls_exit( MBEDTLS_EXIT_FAILURE );
}
/*
@@ -123,11 +126,14 @@
if( run_test_snprintf() != 0 )
{
mbedtls_printf( "the snprintf implementation is broken\n" );
- return( 0 );
+ mbedtls_exit( MBEDTLS_EXIT_FAILURE );
}
- if( argc == 2 && strcmp( argv[1], "-quiet" ) == 0 )
+ if( argc == 2 && ( strcmp( argv[1], "--quiet" ) == 0 ||
+ strcmp( argv[1], "-q" ) == 0 ) )
+ {
v = 0;
+ }
else
{
v = 1;
@@ -141,135 +147,213 @@
#endif
#if defined(MBEDTLS_MD2_C)
- if( ( ret = mbedtls_md2_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_md2_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_MD4_C)
- if( ( ret = mbedtls_md4_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_md4_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_MD5_C)
- if( ( ret = mbedtls_md5_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_md5_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_RIPEMD160_C)
- if( ( ret = mbedtls_ripemd160_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_ripemd160_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_SHA1_C)
- if( ( ret = mbedtls_sha1_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_sha1_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_SHA256_C)
- if( ( ret = mbedtls_sha256_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_sha256_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_SHA512_C)
- if( ( ret = mbedtls_sha512_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_sha512_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_ARC4_C)
- if( ( ret = mbedtls_arc4_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_arc4_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_DES_C)
- if( ( ret = mbedtls_des_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_des_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_AES_C)
- if( ( ret = mbedtls_aes_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_aes_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C)
- if( ( ret = mbedtls_gcm_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_gcm_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)
- if( ( ret = mbedtls_ccm_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_ccm_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_BASE64_C)
- if( ( ret = mbedtls_base64_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_base64_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_BIGNUM_C)
- if( ( ret = mbedtls_mpi_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_mpi_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_RSA_C)
- if( ( ret = mbedtls_rsa_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_rsa_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_X509_USE_C)
- if( ( ret = mbedtls_x509_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_x509_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_XTEA_C)
- if( ( ret = mbedtls_xtea_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_xtea_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_CAMELLIA_C)
- if( ( ret = mbedtls_camellia_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_camellia_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_CTR_DRBG_C)
- if( ( ret = mbedtls_ctr_drbg_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_ctr_drbg_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_HMAC_DRBG_C)
- if( ( ret = mbedtls_hmac_drbg_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_hmac_drbg_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_ECP_C)
- if( ( ret = mbedtls_ecp_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_ecp_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_ECJPAKE_C)
- if( ( ret = mbedtls_ecjpake_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_ecjpake_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_DHM_C)
- if( ( ret = mbedtls_dhm_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_dhm_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_ENTROPY_C)
- if( ( ret = mbedtls_entropy_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_entropy_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#if defined(MBEDTLS_PKCS5_C)
- if( ( ret = mbedtls_pkcs5_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_pkcs5_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
/* Slow tests last */
#if defined(MBEDTLS_TIMING_C)
- if( ( ret = mbedtls_timing_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_timing_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
#else
@@ -285,19 +369,34 @@
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_free();
-
- if( ( ret = mbedtls_memory_buffer_alloc_self_test( v ) ) != 0 )
- return( ret );
+ if( mbedtls_memory_buffer_alloc_self_test( v ) != 0 )
+ {
+ suites_failed++;
+ }
+ suites_tested++;
#endif
if( v != 0 )
{
- mbedtls_printf( " [ All tests passed ]\n\n" );
+ mbedtls_printf( " Executed %d test suites\n\n", suites_tested );
+
+ if( suites_failed > 0)
+ {
+ mbedtls_printf( " [ %d tests FAIL ]\n\n", suites_failed );
+ }
+ else
+ {
+ mbedtls_printf( " [ All tests PASS ]\n\n" );
+ }
#if defined(_WIN32)
mbedtls_printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
}
- return( ret );
+ if( suites_failed > 0)
+ mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+
+ mbedtls_exit( MBEDTLS_EXIT_SUCCESS );
}
+
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index eb8d29e..b698c78 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -34,11 +34,15 @@
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#define mbedtls_printf printf
#endif
#if !defined(MBEDTLS_NET_C)
-#include <stdio.h>
int main( void )
{
mbedtls_printf( "MBEDTLS_NET_C not defined.\n" );
@@ -50,10 +54,7 @@
#include "mbedtls/error.h"
#include "mbedtls/ssl.h"
-#include <stdio.h>
-#include <stdlib.h>
#include <string.h>
-#include <time.h>
/* For select() */
#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 84f67e6..3f50a7a 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -29,6 +29,9 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf
#endif
diff --git a/scripts/apidoc_full.sh b/scripts/apidoc_full.sh
new file mode 100755
index 0000000..bebab10
--- /dev/null
+++ b/scripts/apidoc_full.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Generate doxygen documentation with a full config.h (this ensures that every
+# available flag is documented, and avoids warnings about documentation
+# without a corresponding #define).
+#
+# /!\ This must not be a Makefile target, as it would create a race condition
+# when multiple targets are invoked in the same parallel build.
+
+set -eu
+
+CONFIG_H='include/mbedtls/config.h'
+
+if [ -r $CONFIG_H ]; then :; else
+ echo "$CONFIG_H not found" >&2
+ exit 1
+fi
+
+CONFIG_BAK=${CONFIG_H}.bak
+cp -p $CONFIG_H $CONFIG_BAK
+
+scripts/config.pl realfull
+make apidoc
+
+mv $CONFIG_BAK $CONFIG_H
diff --git a/scripts/config.pl b/scripts/config.pl
index f673c2a..a6dcfe7 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -1,22 +1,73 @@
#!/usr/bin/perl
-
-# Tune the configuration file
+#
+# This file is part of mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2014-2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# Comments and uncomments #define lines in the given header file and optionally
+# sets their value. This is to provide scripting control of what preprocessor
+# symbols, and therefore what build time configuration flags are set in the
+# 'config.h' file.
+#
+# Usage: config.pl [-f <file> | --file <file>] [-o | --force]
+# [set <symbol> <value> | unset <symbol> | full | realfull]
+#
+# Full usage description provided below.
+#
+# Things that shouldn't be enabled with "full".
+#
+# MBEDTLS_DEPRECATED_REMOVED
+# MBEDTLS_HAVE_SSE2
+# MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+# MBEDTLS_ECP_DP_M221_ENABLED
+# MBEDTLS_ECP_DP_M383_ENABLED
+# MBEDTLS_ECP_DP_M511_ENABLED
+# MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+# MBEDTLS_NO_PLATFORM_ENTROPY
+# MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+# MBEDTLS_SSL_HW_RECORD_ACCEL
+# MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+# MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+# - this could be enabled if the respective tests were adapted
+# MBEDTLS_ZLIB_SUPPORT
+# MBEDTLS_PKCS11_C
+# and any symbol beginning _ALT
+#
use warnings;
use strict;
+my $config_file = "include/mbedtls/config.h";
my $usage = <<EOU;
-$0 [-f <file>] unset <name>
-$0 [-f <file>] set <name> [<value>]
-EOU
-# for our eyes only:
-# $0 [-f <file>] full
+$0 [-f <file> | --file <file>] [-o | --force]
+ [set <symbol> <value> | unset <symbol> | full | realfull]
-# Things that shouldn't be enabled with "full".
-# Notes:
-# - MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 and
-# MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION could be enabled if the
-# respective tests were adapted
+Commands
+ set <symbol> [<value] - Uncomments or adds a #define for the <symnol> to
+ the configuration file, and optionally making it
+ of <value>.
+ If the symbol isn't present in the file an error
+ is returned.
+ unset <symbol> - Comments out any #define present in the
+ configuration file.
+ full - Uncomments all #define's in the configuration file
+ excluding some reserved symbols, until the
+ 'Module configuration options' section
+ realfull - Uncomments all #define's with no exclusions
+
+Options
+ -f | --file <filename> - The file or file path for the configuration file
+ to edit. When omitted, the following default is
+ used:
+ $config_file
+ -o | --force - If the symbol isn't present in the configuration
+ file when setting it's value, a #define is
+ appended to the end of the file.
+
+EOU
+
my @excluded = qw(
MBEDTLS_DEPRECATED_REMOVED
MBEDTLS_HAVE_SSE2
@@ -40,53 +91,84 @@
PLATFORM_[A-Z0-9]+_ALT
);
-my $config_file = "include/mbedtls/config.h";
+# Process the command line arguments
-# get -f option
-if (@ARGV >= 2 && $ARGV[0] eq "-f") {
- shift; # -f
- $config_file = shift;
+my $force_option = 0;
- -f $config_file or die "No such file: $config_file\n";
-} else {
- if (! -f $config_file) {
- chdir '..' or die;
- -f $config_file
- or die "Without -f, must be run from root or scripts\n"
+my ($arg, $name, $value, $action);
+
+while ($arg = shift) {
+
+ # Check if the argument is an option
+ if ($arg eq "-f" || $arg eq "--file") {
+ $config_file = shift;
+
+ -f $config_file or die "No such file: $config_file\n";
+
+ }
+ elsif ($arg eq "-o" || $arg eq "--force") {
+ $force_option = 1;
+
+ }
+ else
+ {
+ # ...else assume it's a command
+ $action = $arg;
+
+ if ($action eq "full" || $action eq "realfull") {
+ # No additional parameters
+ die $usage if @ARGV;
+
+ }
+ elsif ($action eq "unset") {
+ die $usage unless @ARGV;
+ $name = shift;
+
+ }
+ elsif ($action eq "set") {
+ die $usage unless @ARGV;
+ $name = shift;
+ $value = shift if @ARGV;
+
+ }
+ else {
+ die "Command '$action' not recognised.\n\n".$usage;
+ }
}
}
-# get action
-die $usage unless @ARGV;
-my $action = shift;
+# Check the config file is present
+if (! -f $config_file) {
-my ($name, $value);
-if ($action eq "full") {
- # nothing to do
-} elsif ($action eq "unset") {
- die $usage unless @ARGV;
- $name = shift;
-} elsif ($action eq "set") {
- die $usage unless @ARGV;
- $name = shift;
- $value = shift if @ARGV;
-} else {
- die $usage;
+ chdir '..' or die;
+
+ # Confirm this is the project root directory and try again
+ if ( !(-d 'scripts' && -d 'include' && -d 'library' && -f $config_file) ) {
+ die "If no file specified, must be run from the project root or scripts directory.\n";
+ }
}
-die $usage if @ARGV;
+
+
+# Now read the file and process the contents
open my $config_read, '<', $config_file or die "read $config_file: $!\n";
my @config_lines = <$config_read>;
close $config_read;
-my $exclude_re = join '|', @excluded;
-my $no_exclude_re = join '|', @non_excluded;
+my ($exclude_re, $no_exclude_re);
+if ($action eq "realfull") {
+ $exclude_re = qr/^$/;
+ $no_exclude_re = qr/./;
+} else {
+ $exclude_re = join '|', @excluded;
+ $no_exclude_re = join '|', @non_excluded;
+}
open my $config_write, '>', $config_file or die "write $config_file: $!\n";
my $done;
for my $line (@config_lines) {
- if ($action eq "full") {
+ if ($action eq "full" || $action eq "realfull") {
if ($line =~ /name SECTION: Module configuration options/) {
$done = 1;
}
@@ -116,9 +198,27 @@
print $config_write $line;
}
+# Did the set command work?
+if ($action eq "set"&& $force_option && !$done) {
+
+ # If the force option was set, append the symbol to the end of the file
+ my $line = "#define $name";
+ $line .= " $value" if defined $value && $value ne "";
+ $line .= "\n";
+ $done = 1;
+
+ print $config_write $line;
+}
+
close $config_write;
-die "configuration section not found" if ($action eq "full" && !$done);
-die "$name not found" if ($action ne "full" && !$done);
+if ($action eq "full" && !$done) {
+ die "Configuration section was not found in $config_file\n";
+
+}
+
+if ($action ne "full" && $action ne "unset" && !$done) {
+ die "A #define for the symbol $name was not found in $config_file\n";
+}
__END__
diff --git a/scripts/footprint.sh b/scripts/footprint.sh
index 87d62df..026e7a8 100755
--- a/scripts/footprint.sh
+++ b/scripts/footprint.sh
@@ -1,5 +1,23 @@
#!/bin/sh
-
+#
+# This file is part of mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# This script determines ROM size (or code size) for the standard mbed TLS
+# configurations, when built for a Cortex M3/M4 target.
+#
+# Configurations included:
+# default include/mbedtls/config.h
+# yotta yotta/module/mbedtls/config.h
+# thread configs/config-thread.h
+# suite-b configs/config-suite-b.h
+# psk configs/config-ccm-psk-tls1_2.h
+#
+# Usage: footprint.sh
+#
set -eu
CONFIG_H='include/mbedtls/config.h'
@@ -48,6 +66,7 @@
scripts/config.pl unset MBEDTLS_NET_C || true
scripts/config.pl unset MBEDTLS_TIMING_C || true
scripts/config.pl unset MBEDTLS_FS_IO || true
+ scripts/config.pl --force set MBEDTLS_NO_PLATFORM_ENTROPY || true
} >/dev/null 2>&1
CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld \
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 1cca818..23eb2a4 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -10,6 +10,11 @@
set(libs ${libs} ${ZLIB_LIBRARIES})
endif(ENABLE_ZLIB_SUPPORT)
+find_package(Perl)
+if(NOT PERL_FOUND)
+ message(FATAL_ERROR "Cannot build test suites without Perl")
+endif()
+
function(add_test_suite suite_name)
if(ARGV1)
set(data_name ${ARGV1})
@@ -19,7 +24,7 @@
add_custom_command(
OUTPUT test_suite_${data_name}.c
- COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_code.pl ${CMAKE_CURRENT_SOURCE_DIR}/suites test_suite_${suite_name} test_suite_${data_name}
+ COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_code.pl ${CMAKE_CURRENT_SOURCE_DIR}/suites test_suite_${suite_name} test_suite_${data_name}
DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_code.pl mbedtls suites/helpers.function suites/main_test.function suites/test_suite_${suite_name}.function suites/test_suite_${data_name}.data
)
diff --git a/tests/compat.sh b/tests/compat.sh
index 4b43e33..a333a19 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -45,7 +45,7 @@
fi
# default values for options
-MODES="ssl3 tls1 tls1_1 tls1_2 dtls1 dtls1_2"
+MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2"
VERIFIES="NO YES"
TYPES="ECDSA RSA PSK"
FILTER=""
diff --git a/tests/data_files/dir4/Readme b/tests/data_files/dir4/Readme
index 5732a64..3f1f610 100644
--- a/tests/data_files/dir4/Readme
+++ b/tests/data_files/dir4/Readme
@@ -36,3 +36,12 @@
cert71.crt (max_pathlen=1) -> cert72.crt -> cert73.crt (self signed) -> cert74.crt -> cert74.crt
```
+8. zero pathlen constraint on first intermediate CA (valid)
+```
+cert81.crt -> cert82.crt (max_pathlen=0) -> cert83.crt
+```
+
+9. zero pathlen constraint on trusted root (valid)
+```
+cert91.crt (max_pathlen=0) -> cert92.crt
+```
diff --git a/tests/data_files/dir4/cert81.crt b/tests/data_files/dir4/cert81.crt
new file mode 100644
index 0000000..26b2bd5
--- /dev/null
+++ b/tests/data_files/dir4/cert81.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpTCCAUmgAwIBAgIBUTAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
+ODERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGUm9vdCA4MREwDwYDVQQKEwht
+YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT1
+GuTQ9vgf2l3oLM25r78cvIAQqE02GzQGjp/WWw3CysEwTwNEuZGhRiD5lDmkbUGW
+UNxv/7uJjy7k3K3fDNdko1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTHFA2h
+Au0tPnzeYnLcmlTQj4FAajAfBgNVHSMEGDAWgBTHFA2hAu0tPnzeYnLcmlTQj4FA
+ajAMBggqhkjOPQQDAgUAA0gAMEUCIH7Z/HNb/Pwbs40iNll1a9gmgAbYOgdlVPWo
+nSdcb7cZAiEAlhVb6CdBXsjOfAWWEET/QP74z608PKFccCIFPCDLkxo=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert82.crt b/tests/data_files/dir4/cert82.crt
new file mode 100644
index 0000000..d49ecc9
--- /dev/null
+++ b/tests/data_files/dir4/cert82.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCAUygAwIBAgIBUjAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
+ODERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGSW50IDgyMREwDwYDVQQKEwht
+YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS2
+giYQt4HVfQ2t8eTS0bvISwp7ol2x17umbllBxwzGDFEUQ00JL1/SStezecK0lNhE
+0AvY8Ez2soQEtdSeQGkCo1MwUTAPBgNVHRMECDAGAQH/AgEAMB0GA1UdDgQWBBS3
++nsv3nQknSg4aDjlTiRpCPo7XzAfBgNVHSMEGDAWgBTHFA2hAu0tPnzeYnLcmlTQ
+j4FAajAMBggqhkjOPQQDAgUAA0gAMEUCIQDus2Lvx3yyvaViY1s334uMm6ge484X
+oktMyxLVjkAMiAIgehTHiJJaT9PnlVa+hUpxsIfVAuMexrm5fw/bDF5Nxzw=
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert83.crt b/tests/data_files/dir4/cert83.crt
new file mode 100644
index 0000000..21a748e
--- /dev/null
+++ b/tests/data_files/dir4/cert83.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoDCCAUWgAwIBAgIBUzAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBkludCA4
+MjERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMDEOMAwGA1UEAxMFRUUgODMxETAPBgNVBAoTCG1i
+ZWQgVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMSy
+6X5iBYrdxxOMfdcA23pLBoJCeyEjiWfALxTm80MJGBdRNVdnT50xNU3SDDwHWPda
+/EQqHq+itsqkUeyAGAyjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFGsFH/KsvM4n
+r+i1gI2iCVXi3KtFMB8GA1UdIwQYMBaAFLf6ey/edCSdKDhoOOVOJGkI+jtfMAwG
+CCqGSM49BAMCBQADRwAwRAIgQURH8DHWFHVK38+znWc85G1P+g4ocdkA5Gt0LbOg
+SJMCIBsacOLFywxZYF8atizw6zMRw+QeHR2514JIhJUck2kd
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert91.crt b/tests/data_files/dir4/cert91.crt
new file mode 100644
index 0000000..6d4605a
--- /dev/null
+++ b/tests/data_files/dir4/cert91.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqTCCAUygAwIBAgIBWzAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
+OTERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMTEPMA0GA1UEAxMGUm9vdCA5MREwDwYDVQQKEwht
+YmVkIFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATh
+D2SmdS6D7cYi2vGMyuCdol/OOUN2di2pS2wfSI/MsY/Z4O9iNHqbXQP6l+hcT5ap
+daycs7r6ZPNqmWM7b16go1MwUTAPBgNVHRMECDAGAQH/AgEAMB0GA1UdDgQWBBRb
+zVrcAxddj0i0DEqvTGT8F37bizAfBgNVHSMEGDAWgBRbzVrcAxddj0i0DEqvTGT8
+F37bizAMBggqhkjOPQQDAgUAA0kAMEYCIQDbrSV4ndH0vAR3HqJfBn8NT8zdvMjB
+qSJes6Qwa42b2wIhAKyoH0H+b1Svw8pMkvUYF4ElH5Cnn7gxb7Wl3arc0+hQ
+-----END CERTIFICATE-----
diff --git a/tests/data_files/dir4/cert92.crt b/tests/data_files/dir4/cert92.crt
new file mode 100644
index 0000000..49b53a5
--- /dev/null
+++ b/tests/data_files/dir4/cert92.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoTCCAUWgAwIBAgIBXDAMBggqhkjOPQQDAgUAMDExDzANBgNVBAMTBlJvb3Qg
+OTERMA8GA1UEChMIbWJlZCBUTFMxCzAJBgNVBAYTAlVLMB4XDTAxMDEwMTAwMDAw
+MFoXDTMwMTIzMTIzNTk1OVowMDEOMAwGA1UEAxMFRUUgOTIxETAPBgNVBAoTCG1i
+ZWQgVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC9E
+tK1pE8Ei8vgScunyjx50C+qDsQS8D2RhGHC4VkE2yyiFxJA/ynhoeXTKZsHuEWI9
+CfOSvk0RrTWf9nr0pTGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLqsN52tAf1k
+XlzxQmdD5qG6Sy6PMB8GA1UdIwQYMBaAFFvNWtwDF12PSLQMSq9MZPwXftuLMAwG
+CCqGSM49BAMCBQADSAAwRQIgXlfKqhkhXgK112Eycl+Z5NHM+6aqXE7i9j7IyGfk
+ikICIQDBYNGbpSx82XG+IS/h4AWNTa4Hs6rmWvQDWJum7NrzMQ==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5-der0.crt b/tests/data_files/server5-der0.crt
new file mode 100644
index 0000000..08d8dd3
--- /dev/null
+++ b/tests/data_files/server5-der0.crt
Binary files differ
diff --git a/tests/data_files/server5-der1a.crt b/tests/data_files/server5-der1a.crt
new file mode 100644
index 0000000..015017b
--- /dev/null
+++ b/tests/data_files/server5-der1a.crt
Binary files differ
diff --git a/tests/data_files/server5-der1b.crt b/tests/data_files/server5-der1b.crt
new file mode 100644
index 0000000..6340d9e
--- /dev/null
+++ b/tests/data_files/server5-der1b.crt
Binary files differ
diff --git a/tests/data_files/server5-der2.crt b/tests/data_files/server5-der2.crt
new file mode 100644
index 0000000..c6e320a
--- /dev/null
+++ b/tests/data_files/server5-der2.crt
Binary files differ
diff --git a/tests/data_files/server5-der4.crt b/tests/data_files/server5-der4.crt
new file mode 100644
index 0000000..4af05cc
--- /dev/null
+++ b/tests/data_files/server5-der4.crt
Binary files differ
diff --git a/tests/data_files/server5-der8.crt b/tests/data_files/server5-der8.crt
new file mode 100644
index 0000000..65be7dc
--- /dev/null
+++ b/tests/data_files/server5-der8.crt
Binary files differ
diff --git a/tests/data_files/server5-der9.crt b/tests/data_files/server5-der9.crt
new file mode 100644
index 0000000..4947f1f
--- /dev/null
+++ b/tests/data_files/server5-der9.crt
Binary files differ
diff --git a/tests/data_files/test-ca2_cat-future-present.crt b/tests/data_files/test-ca2_cat-future-present.crt
new file mode 100644
index 0000000..776e725
--- /dev/null
+++ b/tests/data_files/test-ca2_cat-future-present.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIB+zCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
+Fw0yMzA5MjIxNTQ5NDlaFw0zMDEyMzEyMzU5NTlaMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
+MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
+WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
+w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
+FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
+vH4kydv7NnwwDAYIKoZIzj0EAwIFAANnADBkAjB1ZNdOM7KRJiPo45hP17A1sJSH
+qHFPEJbml6KdNevoVZ1HqvP8AoFGcPJRpQVtzC0CMDa7JEqn0dOss8EmW9pVF/N2
++XvzNczj89mWMgPhJJlT+MONQx3LFQO+TMSI9hLdkw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
+QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
+QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
+ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
+aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
+JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
+AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
+t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
+uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-past-present.crt b/tests/data_files/test-ca2_cat-past-present.crt
new file mode 100644
index 0000000..bc1ba9a
--- /dev/null
+++ b/tests/data_files/test-ca2_cat-past-present.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
+Fw0wMzA5MjQxNTQ5NDhaFw0xMzA5MjQxNTQ5NDhaMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
+MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
+WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
+w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
+FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
+vH4kydv7NnwwDAYIKoZIzj0EAwIFAANpADBmAjEAvQ/49lXXrLYdOIGtTaYWjpZP
+tRBXQiGPMzUvmKBk7gM7bF4iFPsdJikyXHmuwv3RAjEA8vtUX8fAAB3fbh5dEXRm
+l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
+QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
+QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
+ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
+aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
+JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
+AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
+t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
+uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-present-future.crt b/tests/data_files/test-ca2_cat-present-future.crt
new file mode 100644
index 0000000..d62ed09
--- /dev/null
+++ b/tests/data_files/test-ca2_cat-present-future.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
+QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
+QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
+ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
+aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
+JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
+AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
+t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
+uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB+zCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
+Fw0yMzA5MjIxNTQ5NDlaFw0zMDEyMzEyMzU5NTlaMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
+MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
+WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
+w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
+FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
+vH4kydv7NnwwDAYIKoZIzj0EAwIFAANnADBkAjB1ZNdOM7KRJiPo45hP17A1sJSH
+qHFPEJbml6KdNevoVZ1HqvP8AoFGcPJRpQVtzC0CMDa7JEqn0dOss8EmW9pVF/N2
++XvzNczj89mWMgPhJJlT+MONQx3LFQO+TMSI9hLdkw==
+-----END CERTIFICATE-----
diff --git a/tests/data_files/test-ca2_cat-present-past.crt b/tests/data_files/test-ca2_cat-present-past.crt
new file mode 100644
index 0000000..a321d5d
--- /dev/null
+++ b/tests/data_files/test-ca2_cat-present-past.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
+QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT
+Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
+QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
+ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
+aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g
+JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7
+NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE
+AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
+t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
+uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
+Fw0wMzA5MjQxNTQ5NDhaFw0xMzA5MjQxNTQ5NDhaMD4xCzAJBgNVBAYTAk5MMREw
+DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
+MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
+WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
+w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
+FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
+vH4kydv7NnwwDAYIKoZIzj0EAwIFAANpADBmAjEAvQ/49lXXrLYdOIGtTaYWjpZP
+tRBXQiGPMzUvmKBk7gM7bF4iFPsdJikyXHmuwv3RAjEA8vtUX8fAAB3fbh5dEXRm
+l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
+-----END CERTIFICATE-----
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index d96615b..5ecf868 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1,15 +1,25 @@
#!/bin/sh
-# Run all available tests (mostly).
+# all.sh
#
-# Warning: includes various build modes, so it will mess with the current
-# CMake configuration. After this script is run, the CMake cache is lost and
-# CMake is not initialised any more!
+# This file is part of mbed TLS (https://tls.mbed.org)
#
-# Assumes gcc and clang (recent enough for using ASan with gcc and MemSan with
-# clang, or valgrind) are available, as well as cmake and a "good" find.
+# Copyright (c) 2014-2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# To run all tests possible or available on the platform.
+#
+# Warning: the test is destructive. It includes various build modes and
+# configurations, and can and will arbitrarily change the current CMake
+# configuration. After this script has been run, the CMake cache will be lost
+# and CMake will no longer be initialised.
+#
+# The script assumes the presence of gcc and clang (recent enough for using
+# ASan with gcc and MemSan with clang, or valgrind) are available, as well as
+# cmake and a "good" find.
-# Abort on errors (and uninitiliased variables)
+# Abort on errors (and uninitialised variables)
set -eu
if [ -d library -a -d include -a -d tests ]; then :; else
@@ -21,20 +31,17 @@
CONFIG_BAK="$CONFIG_H.bak"
MEMORY=0
+SHORT=0
+FORCE=0
-while [ $# -gt 0 ]; do
- case "$1" in
- -m*)
- MEMORY=${1#-m}
- ;;
- *)
- echo "Unknown argument: '$1'" >&2
- echo "Use the source, Luke!" >&2
- exit 1
- ;;
- esac
- shift
-done
+usage()
+{
+ echo "Usage: $0"
+ echo -e " -h|--help\t\tPrint this help."
+ echo -e " -m|--memory\t\tAdditional optional memory tests."
+ echo -e " -s|--short\t\tSubset of tests."
+ echo -e " -f|--force\t\tForce the tests to overwrite any modified files."
+}
# remove built files as well as the cmake cache/config
cleanup()
@@ -62,6 +69,50 @@
echo "******************************************************************"
}
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --memory|-m*)
+ MEMORY=${1#-m}
+ ;;
+ --short|-s)
+ SHORT=1
+ ;;
+ --force|-f)
+ FORCE=1
+ ;;
+ --help|-h|*)
+ usage()
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+if [ $FORCE -eq 1 ]; then
+ rm -rf yotta/module
+ git checkout-index -f -q $CONFIG_H
+ cleanup
+else
+
+ if [ -d yotta/module ]; then
+ echo "Warning - there is an existing yotta module in the directory 'yotta/module'" >&2
+ echo "You can either delete your work and retry, or force the test to overwrite the"
+ echo "test by rerunning the script as: $0 --force"
+ exit 1
+ fi
+
+ if ! git diff-files --quiet include/mbedtls/config.h; then
+ echo $?
+ echo "Warning - the configuration file 'include/mbedtls/config.h' has been edited. " >&2
+ echo "You can either delete or preserve your work, or force the test by rerunning the"
+ echo "script as: $0 --force"
+ exit 1
+ fi
+fi
+
+#
+# Test Suites to be executed
+#
# The test ordering tries to optimize for the following criteria:
# 1. Catch possible problems early, by running first tests that run quickly
# and/or are more likely to fail than others (eg I use Clang most of the
@@ -83,6 +134,12 @@
cleanup
tests/scripts/check-names.sh
+if which doxygen >/dev/null; then
+ msg "test: doxygen warnings" # ~ 3s
+ cleanup
+ tests/scripts/doxygen.sh
+fi
+
msg "build: create and build yotta module" # ~ 30s
cleanup
tests/scripts/yotta-build.sh
@@ -103,6 +160,11 @@
tests/scripts/test-ref-configs.pl
# Most frequent issues are likely to be caught at this point
+if [ $SHORT -eq 1 ]; then
+ msg "Done, cleaning up"
+ cleanup
+ exit 0
+fi
msg "build: with ASan (rebuild after ref-configs)" # ~ 1 min
make
@@ -110,9 +172,25 @@
msg "test: compat.sh (ASan build)" # ~ 6 min
tests/compat.sh
-msg "build: cmake, full config, clang" # ~ 50s
+msg "build: Default + SSLv3 (ASan build)" # ~ 6 min
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl set MBEDTLS_SSL_PROTO_SSL3
+CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+make
+
+msg "test: SSLv3 - main suites and selftest (ASan build)" # ~ 50s
+make test
+programs/test/selftest
+
+msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
+tests/compat.sh -m 'ssl3 tls1 tls1_1 tls1_2 dtls1 dtls1_2'
+
+msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
+tests/ssl-opt.sh
+
+msg "build: cmake, full config, clang" # ~ 50s
+cleanup
scripts/config.pl full
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check .
@@ -207,6 +285,7 @@
scripts/config.pl unset MBEDTLS_NET_C
scripts/config.pl unset MBEDTLS_TIMING_C
scripts/config.pl unset MBEDTLS_FS_IO
+scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
# following things are not in the default config
scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
@@ -226,6 +305,7 @@
scripts/config.pl unset MBEDTLS_FS_IO
scripts/config.pl unset MBEDTLS_HAVE_TIME
scripts/config.pl unset MBEDTLS_HAVE_TIME_DATE
+scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
# following things are not in the default config
scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
@@ -233,7 +313,7 @@
scripts/config.pl unset MBEDTLS_THREADING_C
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
-CC=armcc WARNING_CFLAGS= make lib 2> armcc.stderr
+CC=armcc AR=armar WARNING_CFLAGS= make lib 2> armcc.stderr
if [ -s armcc.stderr ]; then
cat armcc.stderr
exit 1;
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
new file mode 100755
index 0000000..d961230
--- /dev/null
+++ b/tests/scripts/basic-build-test.sh
@@ -0,0 +1,204 @@
+#!/bin/sh
+
+# basic-build-tests.sh
+#
+# Copyright (c) 2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# Executes the basic test suites, captures the results, and generates a simple
+# test report and code coverage report.
+#
+# The tests include:
+# * Self-tests - executed using program/test/selftest
+# * Unit tests - executed using tests/scripts/run-test-suite.pl
+# * System tests - executed using tests/ssl-opt.sh
+# * Interoperability tests - executed using tests/compat.sh
+#
+# The tests focus on functionality and do not consider performance.
+#
+# Note the tests self-adapt due to configurations in include/mbedtls/config.h
+# which can lead to some tests being skipped, and can cause the number of
+# available self-tests to fluctuate.
+#
+# This script has been written to be generic and should work on any shell.
+#
+# Usage: basic-build-tests.sh
+#
+
+# Abort on errors (and uninitiliased variables)
+set -eu
+
+if [ -d library -a -d include -a -d tests ]; then :; else
+ echo "Must be run from mbed TLS root" >&2
+ exit 1
+fi
+
+
+# Step 1 - Make and instrumented build for code coverage
+export CFLAGS=' --coverage -g3 -O0 '
+make clean
+scripts/config.pl full
+scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE
+make
+
+
+# Step 2 - Execute the tests
+TEST_OUTPUT=out_${PPID}
+cd tests
+
+# Step 2a - Self-tests
+../programs/test/selftest |tee self-test-$TEST_OUTPUT
+echo
+
+# Step 2b - Unit Tests
+perl scripts/run-test-suites.pl -v |tee unit-test-$TEST_OUTPUT
+echo
+
+# Step 2c - System Tests
+sh ssl-opt.sh |tee sys-test-$TEST_OUTPUT
+echo
+
+# Step 2d - Compatibility tests
+sh compat.sh |tee compat-test-$TEST_OUTPUT
+echo
+
+# Step 3 - Process the coverage report
+cd ..
+make lcov |tee tests/cov-$TEST_OUTPUT
+
+
+# Step 4 - Summarise the test report
+echo
+echo "========================================================================="
+echo "Test Report Summary"
+echo
+
+cd tests
+
+# Step 4a - Self-tests
+echo "Self tests - ./programs/test/selftest"
+
+PASSED_TESTS=$(grep 'passed' self-test-$TEST_OUTPUT |wc -l)
+FAILED_TESTS=$(grep 'failed' self-test-$TEST_OUTPUT |wc -l)
+AVAIL_TESTS=$(($PASSED_TESTS + $FAILED_TESTS))
+EXED_TESTS=$(($PASSED_TESTS + $FAILED_TESTS))
+
+echo "Passed : $PASSED_TESTS"
+echo "Failed : $FAILED_TESTS"
+echo "Skipped : n/a"
+echo "Total tests : $AVAIL_TESTS"
+echo
+
+TOTAL_PASS=$PASSED_TESTS
+TOTAL_FAIL=$FAILED_TESTS
+TOTAL_SKIP=0
+TOTAL_AVAIL=$(($PASSED_TESTS + $FAILED_TESTS))
+TOTAL_EXED=$(($PASSED_TESTS + $FAILED_TESTS))
+
+
+# Step 4b - Unit tests
+echo "Unit tests - tests/scripts/run-test-suites.pl"
+
+PASSED_TESTS=$(tail -n6 unit-test-$TEST_OUTPUT|sed -n -e 's/test cases passed :[\t]*\([0-9]*\)/\1/p'| tr -d ' ')
+SKIPPED_TESTS=$(tail -n6 unit-test-$TEST_OUTPUT|sed -n -e 's/skipped :[ \t]*\([0-9]*\)/\1/p'| tr -d ' ')
+TOTAL_SUITES=$(tail -n6 unit-test-$TEST_OUTPUT|sed -n -e 's/.* (\([0-9]*\) .*, [0-9]* tests run)/\1/p'| tr -d ' ')
+FAILED_TESTS=$(tail -n6 unit-test-$TEST_OUTPUT|sed -n -e 's/failed :[\t]*\([0-9]*\)/\1/p' |tr -d ' ')
+
+echo "No test suites : $TOTAL_SUITES"
+echo "Passed : $PASSED_TESTS"
+echo "Failed : $FAILED_TESTS"
+echo "Skipped : $SKIPPED_TESTS"
+echo "Total exec'd tests : $(($PASSED_TESTS + $FAILED_TESTS))"
+echo "Total avail tests : $(($PASSED_TESTS + $FAILED_TESTS + $SKIPPED_TESTS))"
+echo
+
+TOTAL_PASS=$(($TOTAL_PASS+$PASSED_TESTS))
+TOTAL_FAIL=$(($TOTAL_FAIL+$FAILED_TESTS))
+TOTAL_SKIP=$(($TOTAL_SKIP+$SKIPPED_TESTS))
+TOTAL_AVAIL=$(($TOTAL_AVAIL + $PASSED_TESTS + $FAILED_TESTS + $SKIPPED_TESTS))
+TOTAL_EXED=$(($TOTAL_EXED + $PASSED_TESTS + $FAILED_TESTS))
+
+
+# Step 4c - TLS Options tests
+echo "TLS Options tests - tests/ssl-opt.sh"
+
+PASSED_TESTS=$(tail -n5 sys-test-$TEST_OUTPUT|sed -n -e 's/.* (\([0-9]*\) \/ [0-9]* tests ([0-9]* skipped))$/\1/p')
+SKIPPED_TESTS=$(tail -n5 sys-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ [0-9]* tests (\([0-9]*\) skipped))$/\1/p')
+TOTAL_TESTS=$(tail -n5 sys-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ \([0-9]*\) tests ([0-9]* skipped))$/\1/p')
+FAILED_TESTS=$(($TOTAL_TESTS - $PASSED_TESTS))
+
+echo "Passed : $PASSED_TESTS"
+echo "Failed : $FAILED_TESTS"
+echo "Skipped : $SKIPPED_TESTS"
+echo "Total exec'd tests : $TOTAL_TESTS"
+echo "Total avail tests : $(($TOTAL_TESTS + $SKIPPED_TESTS))"
+echo
+
+TOTAL_PASS=$(($TOTAL_PASS+$PASSED_TESTS))
+TOTAL_FAIL=$(($TOTAL_FAIL+$FAILED_TESTS))
+TOTAL_SKIP=$(($TOTAL_SKIP+$SKIPPED_TESTS))
+TOTAL_AVAIL=$(($TOTAL_AVAIL + $TOTAL_TESTS + $SKIPPED_TESTS))
+TOTAL_EXED=$(($TOTAL_EXED + $TOTAL_TESTS))
+
+
+# Step 4d - System Compatibility tests
+echo "System/Compatibility tests - tests/compat.sh"
+
+PASSED_TESTS=$(tail -n5 compat-test-$TEST_OUTPUT|sed -n -e 's/.* (\([0-9]*\) \/ [0-9]* tests ([0-9]* skipped))$/\1/p')
+SKIPPED_TESTS=$(tail -n5 compat-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ [0-9]* tests (\([0-9]*\) skipped))$/\1/p')
+EXED_TESTS=$(tail -n5 compat-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ \([0-9]*\) tests ([0-9]* skipped))$/\1/p')
+FAILED_TESTS=$(($EXED_TESTS - $PASSED_TESTS))
+
+echo "Passed : $PASSED_TESTS"
+echo "Failed : $FAILED_TESTS"
+echo "Skipped : $SKIPPED_TESTS"
+echo "Total exec'd tests : $EXED_TESTS"
+echo "Total avail tests : $(($EXED_TESTS + $SKIPPED_TESTS))"
+echo
+
+TOTAL_PASS=$(($TOTAL_PASS+$PASSED_TESTS))
+TOTAL_FAIL=$(($TOTAL_FAIL+$FAILED_TESTS))
+TOTAL_SKIP=$(($TOTAL_SKIP+$SKIPPED_TESTS))
+TOTAL_AVAIL=$(($TOTAL_AVAIL + $EXED_TESTS + $SKIPPED_TESTS))
+TOTAL_EXED=$(($TOTAL_EXED + $EXED_TESTS))
+
+
+# Step 4e - Grand totals
+echo "-------------------------------------------------------------------------"
+echo "Total tests"
+
+echo "Total Passed : $TOTAL_PASS"
+echo "Total Failed : $TOTAL_FAIL"
+echo "Total Skipped : $TOTAL_SKIP"
+echo "Total exec'd tests : $TOTAL_EXED"
+echo "Total avail tests : $TOTAL_AVAIL"
+echo
+
+
+# Step 4f - Coverage
+echo "Coverage"
+
+LINES_TESTED=$(tail -n3 cov-$TEST_OUTPUT|sed -n -e 's/ lines......: [0-9]*.[0-9]% (\([0-9]*\) of [0-9]* lines)/\1/p')
+LINES_TOTAL=$(tail -n3 cov-$TEST_OUTPUT|sed -n -e 's/ lines......: [0-9]*.[0-9]% ([0-9]* of \([0-9]*\) lines)/\1/p')
+FUNCS_TESTED=$(tail -n3 cov-$TEST_OUTPUT|sed -n -e 's/ functions..: [0-9]*.[0-9]% (\([0-9]*\) of [0-9]* functions)$/\1/p')
+FUNCS_TOTAL=$(tail -n3 cov-$TEST_OUTPUT|sed -n -e 's/ functions..: [0-9]*.[0-9]% ([0-9]* of \([0-9]*\) functions)$/\1/p')
+
+LINES_PERCENT=$((1000*$LINES_TESTED/$LINES_TOTAL))
+LINES_PERCENT="$(($LINES_PERCENT/10)).$(($LINES_PERCENT-($LINES_PERCENT/10)*10))"
+
+FUNCS_PERCENT=$((1000*$FUNCS_TESTED/$FUNCS_TOTAL))
+FUNCS_PERCENT="$(($FUNCS_PERCENT/10)).$(($FUNCS_PERCENT-($FUNCS_PERCENT/10)*10))"
+
+echo "Lines Tested : $LINES_TESTED of $LINES_TOTAL $LINES_PERCENT%"
+echo "Functions Tested : $FUNCS_TESTED of $FUNCS_TOTAL $FUNCS_PERCENT%"
+echo
+
+
+rm self-test-$TEST_OUTPUT
+rm unit-test-$TEST_OUTPUT
+rm sys-test-$TEST_OUTPUT
+rm compat-test-$TEST_OUTPUT
+rm cov-$TEST_OUTPUT
+
+cd ..
diff --git a/tests/scripts/curves.pl b/tests/scripts/curves.pl
index 654bc5c..85eb7e6 100755
--- a/tests/scripts/curves.pl
+++ b/tests/scripts/curves.pl
@@ -1,10 +1,25 @@
#!/usr/bin/perl
-# test dependencies on individual curves in tests
-# - build
-# - run test suite
+# curves.pl
#
-# Usage: tests/scripts/curves.pl
+# Copyright (c) 2014-2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# To test the code dependencies on individual curves in each test suite. This
+# is a verification step to ensure we don't ship test suites that do not work
+# for some build options.
+#
+# The process is:
+# for each possible curve
+# build the library and test suites with the curve disabled
+# execute the test suites
+#
+# And any test suite with the wrong dependencies will fail.
+#
+# Usage: curves.pl
+#
+# This script should be executed from the root of the project directory.
use warnings;
use strict;
diff --git a/tests/scripts/doxygen.sh b/tests/scripts/doxygen.sh
new file mode 100755
index 0000000..e7758c9
--- /dev/null
+++ b/tests/scripts/doxygen.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Make sure the doxygen documentation builds without warnings
+
+# Abort on errors (and uninitiliased variables)
+set -eu
+
+if [ -d library -a -d include -a -d tests ]; then :; else
+ echo "Must be run from mbed TLS root" >&2
+ exit 1
+fi
+
+if scripts/apidoc_full.sh > doc.out 2>doc.err; then :; else
+ cat doc.err
+ echo "FAIL" >&2
+ exit 1;
+fi
+
+cat doc.out doc.err | \
+ grep -v "warning: ignoring unsupported tag" \
+ > doc.filtered
+
+if egrep "(warning|error):" doc.filtered; then
+ echo "FAIL" >&2
+ exit 1;
+fi
+
+make apidoc_clean
+rm -f doc.out doc.err doc.filtered
diff --git a/tests/scripts/generate-afl-tests.sh b/tests/scripts/generate-afl-tests.sh
new file mode 100755
index 0000000..cbc2f59
--- /dev/null
+++ b/tests/scripts/generate-afl-tests.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# This script splits the data test files containing the test cases into
+# individual files (one test case per file) suitable for use with afl
+# (American Fuzzy Lop). http://lcamtuf.coredump.cx/afl/
+#
+# Usage: generate-afl-tests.sh <test data file path>
+# <test data file path> - should be the path to one of the test suite files
+# such as 'test_suite_mpi.data'
+
+# Abort on errors
+set -e
+
+if [ -z $1 ]
+then
+ echo " [!] No test file specified" >&2
+ echo "Usage: $0 <test data file>" >&2
+ exit 1
+fi
+
+SRC_FILEPATH=$(dirname $1)/$(basename $1)
+TESTSUITE=$(basename $1 .data)
+
+THIS_DIR=$(basename $PWD)
+
+if [ -d ../library -a -d ../include -a -d ../tests -a $THIS_DIR == "tests" ];
+then :;
+else
+ echo " [!] Must be run from mbed TLS tests directory" >&2
+ exit 1
+fi
+
+DEST_TESTCASE_DIR=$TESTSUITE-afl-tests
+DEST_OUTPUT_DIR=$TESTSUITE-afl-out
+
+echo " [+] Creating output directories" >&2
+
+if [ -e $DEST_OUTPUT_DIR/* ];
+then :
+ echo " [!] Test output files already exist." >&2
+ exit 1
+else
+ mkdir -p $DEST_OUTPUT_DIR
+fi
+
+if [ -e $DEST_TESTCASE_DIR/* ];
+then :
+ echo " [!] Test output files already exist." >&2
+else
+ mkdir -p $DEST_TESTCASE_DIR
+fi
+
+echo " [+] Creating test cases" >&2
+cd $DEST_TESTCASE_DIR
+
+split -p '^\s*$' ../$SRC_FILEPATH
+
+for f in *;
+do
+ # Strip out any blank lines (no trim on OS X)
+ sed '/^\s*$/d' $f >testcase_$f
+ rm $f
+done
+
+cd ..
+
+echo " [+] Test cases in $DEST_TESTCASE_DIR" >&2
+
diff --git a/tests/scripts/generate_code.pl b/tests/scripts/generate_code.pl
index 1c7a281..49af2db 100755
--- a/tests/scripts/generate_code.pl
+++ b/tests/scripts/generate_code.pl
@@ -1,4 +1,53 @@
#!/usr/bin/env perl
+
+# generate_code.pl
+#
+# This file is part of mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2009-2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# Generates the test suite code given inputs of the test suite directory that
+# contain the test suites, and the test suite file names for the test code and
+# test data.
+#
+# Usage: generate_code.pl <suite dir> <code file> <data file> [main code file]
+#
+# Structure of files
+#
+# - main code file - 'main_test.function'
+# Template file that contains the main() function for the test suite,
+# test dispatch code as well as support functions. It contains the
+# following symbols which are substituted by this script during
+# processing:
+# TESTCASE_FILENAME
+# TESTCODE_FILENAME
+# SUITE_PRE_DEP
+# MAPPING_CODE
+# FUNCTION CODE
+# SUITE_POST_DEP
+# DEP_CHECK_CODE
+# DISPATCH_FUNCTION
+# !LINE_NO!
+#
+# - common helper code file - 'helpers.function'
+# Common helper functions
+#
+# - test suite code file - file name in the form 'test_suite_xxx.function'
+# Code file that contains the actual test cases. The file contains a
+# series of code sequences delimited by the following:
+# BEGIN_HEADER / END_HEADER - list of headers files
+# BEGIN_SUITE_HELPERS / END_SUITE_HELPERS - helper functions common to
+# the test suite
+# BEGIN_CASE / END_CASE - the test cases in the test suite. Each test
+# case contains at least one function that is used to create the
+# dispatch code.
+#
+# - test data file - file name in the form 'test_suite_xxxx.data'
+# The test case parameters to to be used in execution of the test. The
+# file name is used to replace the symbol 'TESTCASE_FILENAME' in the main
+# code file above.
#
use strict;
@@ -8,31 +57,69 @@
my $data_name = shift or die "Missing data name";
my $test_main_file = do { my $arg = shift; defined($arg) ? $arg : $suite_dir."/main_test.function" };
my $test_file = $data_name.".c";
-my $test_helper_file = $suite_dir."/helpers.function";
+my $test_common_helper_file = $suite_dir."/helpers.function";
my $test_case_file = $suite_dir."/".$suite_name.".function";
my $test_case_data = $suite_dir."/".$data_name.".data";
my $line_separator = $/;
undef $/;
-open(TEST_HELPERS, "$test_helper_file") or die "Opening test helpers '$test_helper_file': $!";
-my $test_helpers = <TEST_HELPERS>;
+
+#
+# Open and read in the input files
+#
+
+open(TEST_HELPERS, "$test_common_helper_file") or die "Opening test helpers
+'$test_common_helper_file': $!";
+my $test_common_helpers = <TEST_HELPERS>;
close(TEST_HELPERS);
open(TEST_MAIN, "$test_main_file") or die "Opening test main '$test_main_file': $!";
-my $test_main = <TEST_MAIN>;
+my @test_main_lines = split/^/, <TEST_MAIN>;
+my $test_main;
+my $index = 2;
+for my $line (@test_main_lines) {
+ $line =~ s/!LINE_NO!/$index/;
+ $test_main = $test_main.$line;
+ $index++;
+}
close(TEST_MAIN);
open(TEST_CASES, "$test_case_file") or die "Opening test cases '$test_case_file': $!";
-my $test_cases = <TEST_CASES>;
+my @test_cases_lines = split/^/, <TEST_CASES>;
+my $test_cases;
+my $index = 2;
+for my $line (@test_cases_lines) {
+ if ($line =~ /^\/\* BEGIN_SUITE_HELPERS .*\*\//)
+ {
+ $line = $line."#line $index \"$test_case_file\"\n";
+ }
+
+ if ($line =~ /^\/\* BEGIN_CASE .*\*\//)
+ {
+ $line = $line."#line $index \"$test_case_file\"\n";
+ }
+
+ $line =~ s/!LINE_NO!/$index/;
+
+ $test_cases = $test_cases.$line;
+ $index++;
+}
+
close(TEST_CASES);
open(TEST_DATA, "$test_case_data") or die "Opening test data '$test_case_data': $!";
my $test_data = <TEST_DATA>;
close(TEST_DATA);
+
+#
+# Find the headers, dependencies, and suites in the test cases file
+#
+
my ( $suite_header ) = $test_cases =~ /\/\* BEGIN_HEADER \*\/\n(.*?)\n\/\* END_HEADER \*\//s;
my ( $suite_defines ) = $test_cases =~ /\/\* BEGIN_DEPENDENCIES\n \* (.*?)\n \* END_DEPENDENCIES/s;
+my ( $suite_helpers ) = $test_cases =~ /\/\* BEGIN_SUITE_HELPERS \*\/\n(.*?)\n\/\* END_SUITE_HELPERS \*\//s;
my $requirements;
if ($suite_defines =~ /^depends_on:/)
@@ -60,16 +147,43 @@
open(TEST_FILE, ">$test_file") or die "Opening destination file '$test_file': $!";
print TEST_FILE << "END";
+/*
+ * *** THIS FILE HAS BEEN MACHINE GENERATED ***
+ *
+ * This file has been machine generated using the script: $0
+ *
+ * Test file : $test_file
+ *
+ * The following files were used to create this file.
+ *
+ * Main code file : $test_main_file
+ * Helper file : $test_common_helper_file
+ * Test suite file : $test_case_file
+ * Test suite data : $test_case_data
+ *
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include <mbedtls/config.h>
#else
#include MBEDTLS_CONFIG_FILE
#endif
-$test_helpers
+
+/*----------------------------------------------------------------------------*/
+/* Common helper code */
+
+$test_common_helpers
+
+
+/*----------------------------------------------------------------------------*/
+/* Test Suite Code */
$suite_pre_code
$suite_header
+$suite_helpers
$suite_post_code
END
@@ -83,16 +197,19 @@
my $function_decl = $2;
# Sanity checks of function
- if ($function_decl !~ /^void /)
+ if ($function_decl !~ /^#line\s*.*\nvoid /)
{
- die "Test function does not have 'void' as return type\n";
+ die "Test function does not have 'void' as return type.\n" .
+ "Function declaration:\n" .
+ $function_decl;
}
- if ($function_decl !~ /^void (\w+)\(\s*(.*?)\s*\)\s*{(.*)}/ms)
+ if ($function_decl !~ /^(#line\s*.*)\nvoid (\w+)\(\s*(.*?)\s*\)\s*{(.*)}/ms)
{
die "Function declaration not in expected format\n";
}
- my $function_name = $1;
- my $function_params = $2;
+ my $line_directive = $1;
+ my $function_name = $2;
+ my $function_params = $3;
my $function_pre_code;
my $function_post_code;
my $param_defs;
@@ -103,7 +220,7 @@
my $mapping_regex = "".$function_name;
my $mapping_count = 0;
- $function_decl =~ s/^void /void test_suite_/;
+ $function_decl =~ s/(^#line\s*.*)\nvoid /$1\nvoid test_suite_/;
# Add exit label if not present
if ($function_decl !~ /^exit:$/m)
@@ -128,7 +245,7 @@
if( substr($def, 0, 4) eq "int " )
{
$param_defs .= " int param$i;\n";
- $param_checks .= " if( verify_int( params[$i], ¶m$i ) != 0 ) return( 2 );\n";
+ $param_checks .= " if( verify_int( params[$i], ¶m$i ) != 0 ) return( DISPATCH_INVALID_TEST_DATA );\n";
push @dispatch_params, "param$i";
$mapping_regex .= ":([\\d\\w |\\+\\-\\(\\)]+)";
@@ -137,7 +254,7 @@
elsif( substr($def, 0, 6) eq "char *" )
{
$param_defs .= " char *param$i = params[$i];\n";
- $param_checks .= " if( verify_string( ¶m$i ) != 0 ) return( 2 );\n";
+ $param_checks .= " if( verify_string( ¶m$i ) != 0 ) return( DISPATCH_INVALID_TEST_DATA );\n";
push @dispatch_params, "param$i";
$mapping_regex .= ":[^:\n]+";
}
@@ -174,19 +291,20 @@
if( cnt != $param_count )
{
mbedtls_fprintf( stderr, "\\nIncorrect argument count (%d != %d)\\n", cnt, $param_count );
- return( 2 );
+ return( DISPATCH_INVALID_TEST_DATA );
}
$param_checks
test_suite_$function_name( $call_params );
- return ( 0 );
+ return ( DISPATCH_TEST_SUCCESS );
$function_post_code
- return ( 3 );
+ return ( DISPATCH_UNSUPPORTED_SUITE );
}
else
END
- my $function_code = $function_pre_code . $function_decl . "\n" . $function_post_code;
+ my $function_code = $function_pre_code . $function_decl . "\n" .
+ $function_post_code;
$test_main =~ s/FUNCTION_CODE/$function_code\nFUNCTION_CODE/;
}
@@ -209,9 +327,9 @@
if( strcmp( str, "$key" ) == 0 )
{
#if defined($key)
- return( 0 );
+ return( DEPENDENCY_SUPPORTED );
#else
- return( 1 );
+ return( DEPENDENCY_NOT_SUPPORTED );
#endif
}
END
@@ -224,7 +342,7 @@
if( strcmp( str, "$key" ) == 0 )
{
*value = ( $key );
- return( 0 );
+ return( KEY_VALUE_MAPPING_FOUND );
}
END
@@ -241,7 +359,8 @@
$dispatch_code =~ s/^(.+)/ $1/mg;
-$test_main =~ s/TEST_FILENAME/$test_case_data/;
+$test_main =~ s/TESTCASE_FILENAME/$test_case_data/g;
+$test_main =~ s/TESTCODE_FILENAME/$test_case_file/g;
$test_main =~ s/FUNCTION_CODE//;
$test_main =~ s/DEP_CHECK_CODE/$dep_check_code/;
$test_main =~ s/DISPATCH_FUNCTION/$dispatch_code/;
diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl
old mode 100644
new mode 100755
index b91355d..58f827c
--- a/tests/scripts/run-test-suites.pl
+++ b/tests/scripts/run-test-suites.pl
@@ -1,12 +1,39 @@
#!/usr/bin/perl
+# run-test-suites.pl
+#
+# This file is part of mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# Executes all the available test suites, and provides a basic summary of the
+# results.
+#
+# Usage: run-test-suites.pl [-v]
+#
+# Options :
+# -v|--verbose - Provide a pass/fail/skip breakdown per test suite and
+# in total
+#
+
use warnings;
use strict;
use utf8;
use open qw(:std utf8);
-my @suites = grep { ! /\.(?:c|gcno)$/ } glob 'test_suite_*';
+use constant FALSE => 0;
+use constant TRUE => 1;
+
+my $verbose;
+my $switch = shift;
+if ( defined($switch) && ( $switch eq "-v" || $switch eq "--verbose" ) ) {
+ $verbose = TRUE;
+}
+
+my @suites = grep { ! /\.(?:c|gcno|gcda|dSYM)$/ } glob 'test_suite_*';
die "$0: no test suite found\n" unless @suites;
# in case test suites are linked dynamically
@@ -14,22 +41,57 @@
my $prefix = $^O eq "MSWin32" ? '' : './';
-my ($failed_suites, $total_tests_run);
+my ($failed_suites, $total_tests_run, $failed, $suite_cases_passed,
+ $suite_cases_failed, $suite_cases_skipped, $total_cases_passed,
+ $total_cases_failed, $total_cases_skipped );
+
for my $suite (@suites)
{
print "$suite ", "." x ( 72 - length($suite) - 2 - 4 ), " ";
my $result = `$prefix$suite`;
+
+ $suite_cases_passed = () = $result =~ /.. PASS/g;
+ $suite_cases_failed = () = $result =~ /.. FAILED/g;
+ $suite_cases_skipped = () = $result =~ /.. ----/g;
+
if( $result =~ /PASSED/ ) {
print "PASS\n";
- my ($tests, $skipped) = $result =~ /([0-9]*) tests.*?([0-9]*) skipped/;
- $total_tests_run += $tests - $skipped;
} else {
$failed_suites++;
print "FAIL\n";
}
+
+ my ($passed, $tests, $skipped) = $result =~ /([0-9]*) \/ ([0-9]*) tests.*?([0-9]*) skipped/;
+ $total_tests_run += $tests - $skipped;
+
+ if ( $verbose ) {
+ print "(test cases passed:", $suite_cases_passed,
+ " failed:", $suite_cases_failed,
+ " skipped:", $suite_cases_skipped,
+ " of total:", ($suite_cases_passed + $suite_cases_failed +
+ $suite_cases_skipped),
+ ")\n"
+ }
+
+ $total_cases_passed += $suite_cases_passed;
+ $total_cases_failed += $suite_cases_failed;
+ $total_cases_skipped += $suite_cases_skipped;
}
print "-" x 72, "\n";
print $failed_suites ? "FAILED" : "PASSED";
printf " (%d suites, %d tests run)\n", scalar @suites, $total_tests_run;
+
+if ( $verbose ) {
+ print " test cases passed :", $total_cases_passed, "\n";
+ print " failed :", $total_cases_failed, "\n";
+ print " skipped :", $total_cases_skipped, "\n";
+ print " of tests executed :", ( $total_cases_passed + $total_cases_failed ),
+ "\n";
+ print " of available tests :",
+ ( $total_cases_passed + $total_cases_failed + $total_cases_skipped ),
+ "\n"
+ }
+
exit( $failed_suites ? 1 : 0 );
+
diff --git a/tests/scripts/travis-log-failure.sh b/tests/scripts/travis-log-failure.sh
new file mode 100755
index 0000000..9866ca7
--- /dev/null
+++ b/tests/scripts/travis-log-failure.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# travis-log-failure.sh
+#
+# This file is part of mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# List the server and client logs on failed ssl-opt.sh and compat.sh tests.
+# This script is used to make the logs show up in the Travis test results.
+#
+# Some of the logs can be very long: this means usually a couple of megabytes
+# but it can be much more. For example, the client log of test 273 in ssl-opt.sh
+# is more than 630 Megabytes long.
+
+if [ -d include/mbedtls ]; then :; else
+ echo "$0: must be run from root" >&2
+ exit 1
+fi
+
+FILES="o-srv-*.log o-cli-*.log c-srv-*.log c-cli-*.log o-pxy-*.log"
+MAX_LOG_SIZE=1048576
+
+for PATTERN in $FILES; do
+ for LOG in $( ls tests/$PATTERN 2>/dev/null ); do
+ echo
+ echo "****** BEGIN file: $LOG ******"
+ echo
+ tail -c $MAX_LOG_SIZE $LOG
+ echo "****** END file: $LOG ******"
+ echo
+ rm $LOG
+ done
+done
diff --git a/tests/scripts/yotta-build.sh b/tests/scripts/yotta-build.sh
index 0651bae..19cc576 100755
--- a/tests/scripts/yotta-build.sh
+++ b/tests/scripts/yotta-build.sh
@@ -11,8 +11,12 @@
yotta_build()
{
TARGET=$1
- echo; echo "*** $TARGET ***"
+
+ echo; echo "*** $TARGET (release) ***"
yt -t $TARGET build
+
+ echo; echo "*** $TARGET (debug) ***"
+ yt -t $TARGET build -d
}
if uname -a | grep 'Linux.*x86' >/dev/null; then
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c0b6f94..c08af7b 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -695,6 +695,7 @@
-C "using encrypt then mac" \
-S "using encrypt then mac"
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client SSLv3, server enabled" \
"$P_SRV debug_level=3 min_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
@@ -707,6 +708,7 @@
-C "using encrypt then mac" \
-S "using encrypt then mac"
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client enabled, server SSLv3" \
"$P_SRV debug_level=3 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
@@ -754,6 +756,7 @@
-C "using extended master secret" \
-S "using extended master secret"
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client SSLv3, server enabled" \
"$P_SRV debug_level=3 min_version=ssl3" \
"$P_CLI debug_level=3 force_version=ssl3" \
@@ -765,6 +768,7 @@
-C "using extended master secret" \
-S "using extended master secret"
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client enabled, server SSLv3" \
"$P_SRV debug_level=3 force_version=ssl3" \
"$P_CLI debug_level=3 min_version=ssl3" \
@@ -883,6 +887,7 @@
-s "Read from client: 1 bytes read" \
-s "122 bytes read"
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "CBC Record splitting: SSLv3, splitting" \
"$P_SRV min_version=ssl3" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
@@ -1554,6 +1559,64 @@
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
+# Tests for silently dropping trailing extra bytes in .der certificates
+
+requires_gnutls
+run_test "DER format: no trailing bytes" \
+ "$P_SRV crt_file=data_files/server5-der0.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with a trailing zero byte" \
+ "$P_SRV crt_file=data_files/server5-der1a.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with a trailing random byte" \
+ "$P_SRV crt_file=data_files/server5-der1b.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with 2 trailing random bytes" \
+ "$P_SRV crt_file=data_files/server5-der2.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with 4 trailing random bytes" \
+ "$P_SRV crt_file=data_files/server5-der4.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with 8 trailing random bytes" \
+ "$P_SRV crt_file=data_files/server5-der8.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with 9 trailing random bytes" \
+ "$P_SRV crt_file=data_files/server5-der9.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
# Tests for auth_mode
run_test "Authentication: server badcert, client required" \
@@ -1674,6 +1737,7 @@
-c "skip write certificate verify" \
-C "! mbedtls_ssl_handshake returned"
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Authentication: client no cert, ssl3" \
"$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
"$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
@@ -2593,6 +2657,7 @@
# Tests for ciphersuites per version
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Per-version suites: SSL3" \
"$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
"$P_CLI force_version=ssl3" \
@@ -2642,6 +2707,7 @@
# Tests for small packets
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small packet SSLv3 BlockCipher" \
"$P_SRV min_version=ssl3" \
"$P_CLI request_size=1 force_version=ssl3 \
@@ -2649,6 +2715,7 @@
0 \
-s "Read from client: 1 bytes read"
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small packet SSLv3 StreamCipher" \
"$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI request_size=1 force_version=ssl3 \
@@ -2783,6 +2850,7 @@
# Test for large packets
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large packet SSLv3 BlockCipher" \
"$P_SRV min_version=ssl3" \
"$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
@@ -2790,6 +2858,7 @@
0 \
-s "Read from client: 16384 bytes read"
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large packet SSLv3 StreamCipher" \
"$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI request_size=16384 force_version=ssl3 \
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index 8f681db..edf1d12 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -1,28 +1,69 @@
+#line 1 "helpers.function"
+/*----------------------------------------------------------------------------*/
+/* Headers */
+
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
+#include <stdlib.h>
#define mbedtls_printf printf
#define mbedtls_fprintf fprintf
#define mbedtls_calloc calloc
#define mbedtls_free free
#define mbedtls_exit exit
+#define mbedtls_time time
+#define mbedtls_time_t time_t
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf
#define mbedtls_snprintf snprintf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
#endif
#ifdef _MSC_VER
#include <basetsd.h>
typedef UINT32 uint32_t;
+#define strncasecmp _strnicmp
+#define strcasecmp _stricmp
#else
#include <stdint.h>
#endif
-#include <stdio.h>
-#include <stdlib.h>
#include <string.h>
+
+/*----------------------------------------------------------------------------*/
+/* Constants */
+
+#define DEPENDENCY_SUPPORTED 0
+#define DEPENDENCY_NOT_SUPPORTED 1
+
+#define KEY_VALUE_MAPPING_FOUND 0
+#define KEY_VALUE_MAPPING_NOT_FOUND -1
+
+#define DISPATCH_TEST_SUCCESS 0
+#define DISPATCH_TEST_FN_NOT_FOUND 1
+#define DISPATCH_INVALID_TEST_DATA 2
+#define DISPATCH_UNSUPPORTED_SUITE 3
+
+
+/*----------------------------------------------------------------------------*/
+/* Macros */
+
+#define TEST_ASSERT( TEST ) \
+ do { \
+ if( ! (TEST) ) \
+ { \
+ test_fail( #TEST, __LINE__, __FILE__ ); \
+ goto exit; \
+ } \
+ } while( 0 )
+
#define assert(a) if( !( a ) ) \
{ \
mbedtls_fprintf( stderr, "Assertion Failed at %s:%d - %s\n", \
@@ -53,11 +94,21 @@
}
#endif
+
+/*----------------------------------------------------------------------------*/
+/* Global variables */
+
+static int test_errors = 0;
+
+
+/*----------------------------------------------------------------------------*/
+/* Helper Functions */
+
static int unhexify( unsigned char *obuf, const char *ibuf )
{
unsigned char c, c2;
int len = strlen( ibuf ) / 2;
- assert( strlen( ibuf ) % 2 == 0 ); // must be even number of bytes
+ assert( strlen( ibuf ) % 2 == 0 ); /* must be even number of bytes */
while( *ibuf != 0 )
{
@@ -298,3 +349,12 @@
return( 0 );
}
+
+static void test_fail( const char *test, int line_no, const char* filename )
+{
+ test_errors++;
+ if( test_errors == 1 )
+ mbedtls_printf( "FAILED\n" );
+ mbedtls_printf( " %s\n at line %d, %s\n", test, line_no, filename );
+}
+
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index 420ee76..c5d6cd8 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -1,44 +1,7 @@
-#include <string.h>
-
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_exit exit
-#define mbedtls_free free
-#define mbedtls_calloc calloc
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
-#endif
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-#include "mbedtls/memory_buffer_alloc.h"
-#endif
-
-static int test_errors = 0;
-
+#line 1 "main_test.function"
SUITE_PRE_DEP
#define TEST_SUITE_ACTIVE
-static void test_fail( const char *test )
-{
- test_errors++;
- if( test_errors == 1 )
- mbedtls_printf( "FAILED\n" );
- mbedtls_printf( " %s\n", test );
-}
-
-#define TEST_ASSERT( TEST ) \
- do { \
- if( ! (TEST) ) \
- { \
- test_fail( #TEST ); \
- goto exit; \
- } \
- } while( 0 )
-
int verify_string( char **str )
{
if( (*str)[0] != '"' ||
@@ -98,12 +61,22 @@
MAPPING_CODE
mbedtls_printf( "Expected integer for parameter and got: %s\n", str );
- return( -1 );
+ return( KEY_VALUE_MAPPING_NOT_FOUND );
}
+
+/*----------------------------------------------------------------------------*/
+/* Test Case code */
+
FUNCTION_CODE
SUITE_POST_DEP
+#line !LINE_NO! "main_test.function"
+
+
+/*----------------------------------------------------------------------------*/
+/* Test dispatch code */
+
int dep_check( char *str )
{
if( str == NULL )
@@ -111,7 +84,7 @@
DEP_CHECK_CODE
- return( 1 );
+ return( DEPENDENCY_NOT_SUPPORTED );
}
int dispatch_test(int cnt, char *params[50])
@@ -121,18 +94,41 @@
((void) params);
#if defined(TEST_SUITE_ACTIVE)
+ ret = DISPATCH_TEST_SUCCESS;
+
DISPATCH_FUNCTION
{
- mbedtls_fprintf( stdout, "FAILED\nSkipping unknown test function '%s'\n", params[0] );
+ mbedtls_fprintf( stdout,
+ "FAILED\nSkipping unknown test function '%s'\n",
+ params[0] );
fflush( stdout );
- return( 1 );
+ ret = DISPATCH_TEST_FN_NOT_FOUND;
}
#else
- return( 3 );
+ ret = DISPATCH_UNSUPPORTED_SUITE;
#endif
return( ret );
}
+
+/*----------------------------------------------------------------------------*/
+/* Main Test code */
+
+#line !LINE_NO! "main_test.function"
+
+#define USAGE \
+ "Usage: %s [OPTIONS] files...\n\n" \
+ " Command line arguments:\n" \
+ " files... One or more test data file. If no file is specified\n" \
+ " the followimg default test case is used:\n" \
+ " %s\n\n" \
+ " Options:\n" \
+ " -v | --verbose Display full information about each test\n" \
+ " -h | --help Display this information\n\n", \
+ argv[0], \
+ "TESTCASE_FILENAME"
+
+
int get_line( FILE *f, char *buf, size_t len )
{
char *ret;
@@ -178,7 +174,7 @@
p++;
}
- // Replace newlines, question marks and colons in strings
+ /* Replace newlines, question marks and colons in strings */
for( i = 0; i < cnt; i++ )
{
p = params[i];
@@ -240,10 +236,20 @@
test_snprintf( 5, "123", 3 ) != 0 );
}
-int main()
+int main(int argc, const char *argv[])
{
- int ret, i, cnt, total_errors = 0, total_tests = 0, total_skipped = 0;
- const char *filename = "TEST_FILENAME";
+ /* Local Configurations and options */
+ const char *default_filename = "TESTCASE_FILENAME";
+ const char *test_filename = NULL;
+ const char **test_files = NULL;
+ int testfile_count = 0;
+ int option_verbose = 0;
+
+ /* Other Local variables */
+ int arg_index = 1;
+ const char *next_arg;
+ int testfile_index, ret, i, cnt;
+ int total_errors = 0, total_tests = 0, total_skipped = 0;
FILE *file;
char buf[5000];
char *params[50];
@@ -276,78 +282,152 @@
return( 0 );
}
- file = fopen( filename, "r" );
- if( file == NULL )
+ while( arg_index < argc)
{
- mbedtls_fprintf( stderr, "Failed to open\n" );
- return( 1 );
+ next_arg = argv[ arg_index ];
+
+ if( strcmp(next_arg, "--verbose" ) == 0 ||
+ strcmp(next_arg, "-v" ) == 0 )
+ {
+ option_verbose = 1;
+ }
+ else if( strcmp(next_arg, "--help" ) == 0 ||
+ strcmp(next_arg, "-h" ) == 0 )
+ {
+ mbedtls_fprintf( stdout, USAGE );
+ mbedtls_exit( EXIT_SUCCESS );
+ }
+ else
+ {
+ /* Not an option, therefore treat all further arguments as the file
+ * list.
+ */
+ test_files = &argv[ arg_index ];
+ testfile_count = argc - arg_index;
+ }
+
+ arg_index++;
}
- while( !feof( file ) )
+ /* If no files were specified, assume a default */
+ if ( test_files == NULL || testfile_count == 0 )
{
- int skip = 0;
+ test_files = &default_filename;
+ testfile_count = 1;
+ }
- if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
- break;
- mbedtls_fprintf( stdout, "%s%.66s", test_errors ? "\n" : "", buf );
- mbedtls_fprintf( stdout, " " );
- for( i = strlen( buf ) + 1; i < 67; i++ )
- mbedtls_fprintf( stdout, "." );
- mbedtls_fprintf( stdout, " " );
- fflush( stdout );
+ /* Now begin to execute the tests in the testfiles */
+ for ( testfile_index = 0;
+ testfile_index < testfile_count;
+ testfile_index++ )
+ {
+ test_filename = test_files[ testfile_index ];
- total_tests++;
-
- if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
- break;
- cnt = parse_arguments( buf, strlen(buf), params );
-
- if( strcmp( params[0], "depends_on" ) == 0 )
+ file = fopen( test_filename, "r" );
+ if( file == NULL )
{
- for( i = 1; i < cnt; i++ )
- if( dep_check( params[i] ) != 0 )
- skip = 1;
+ mbedtls_fprintf( stderr, "Failed to open test file: %s\n",
+ test_filename );
+ return( 1 );
+ }
+
+ while( !feof( file ) )
+ {
+ int unmet_dep_count = 0;
+ char *unmet_dependencies[20];
+
+ if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
+ break;
+ mbedtls_fprintf( stdout, "%s%.66s", test_errors ? "\n" : "", buf );
+ mbedtls_fprintf( stdout, " " );
+ for( i = strlen( buf ) + 1; i < 67; i++ )
+ mbedtls_fprintf( stdout, "." );
+ mbedtls_fprintf( stdout, " " );
+ fflush( stdout );
+
+ total_tests++;
if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
break;
cnt = parse_arguments( buf, strlen(buf), params );
- }
- if( skip == 0 )
- {
- test_errors = 0;
- ret = dispatch_test( cnt, params );
- }
+ if( strcmp( params[0], "depends_on" ) == 0 )
+ {
+ for( i = 1; i < cnt; i++ )
+ {
+ if( dep_check( params[i] ) != DEPENDENCY_SUPPORTED )
+ {
+ unmet_dependencies[ i-1 ] = strdup(params[i]);
+ if( unmet_dependencies[ i-1 ] == NULL )
+ {
+ mbedtls_printf("FATAL: Out of memory\n");
+ mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+ }
+ unmet_dep_count++;
+ }
+ }
- if( skip == 1 || ret == 3 )
- {
- total_skipped++;
- mbedtls_fprintf( stdout, "----\n" );
- fflush( stdout );
- }
- else if( ret == 0 && test_errors == 0 )
- {
- mbedtls_fprintf( stdout, "PASS\n" );
- fflush( stdout );
- }
- else if( ret == 2 )
- {
- mbedtls_fprintf( stderr, "FAILED: FATAL PARSE ERROR\n" );
- fclose(file);
- mbedtls_exit( 2 );
- }
- else
- total_errors++;
+ if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
+ break;
+ cnt = parse_arguments( buf, strlen(buf), params );
+ }
+
+ // If there are no unmet dependencies execute the test
+ if( unmet_dep_count == 0 )
+ {
+ test_errors = 0;
+ ret = dispatch_test( cnt, params );
+ }
- if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
- break;
- if( strlen(buf) != 0 )
- {
- mbedtls_fprintf( stderr, "Should be empty %d\n", (int) strlen(buf) );
- return( 1 );
+ if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE )
+ {
+ total_skipped++;
+ mbedtls_fprintf( stdout, "----\n" );
+
+ if( 1 == option_verbose && ret == DISPATCH_UNSUPPORTED_SUITE )
+ {
+ mbedtls_fprintf( stdout, " Test Suite not enabled" );
+ }
+
+ if( 1 == option_verbose && unmet_dep_count > 0 )
+ {
+ mbedtls_fprintf( stdout, " Unmet dependencies: " );
+ while( unmet_dep_count > 0)
+ {
+ mbedtls_fprintf(stdout, "%s ",
+ unmet_dependencies[unmet_dep_count - 1]);
+ free(unmet_dependencies[unmet_dep_count - 1]);
+ unmet_dep_count--;
+ }
+ mbedtls_fprintf( stdout, "\n" );
+ }
+ fflush( stdout );
+ }
+ else if( ret == DISPATCH_TEST_SUCCESS && test_errors == 0 )
+ {
+ mbedtls_fprintf( stdout, "PASS\n" );
+ fflush( stdout );
+ }
+ else if( ret == DISPATCH_INVALID_TEST_DATA )
+ {
+ mbedtls_fprintf( stderr, "FAILED: FATAL PARSE ERROR\n" );
+ fclose(file);
+ mbedtls_exit( 2 );
+ }
+ else
+ total_errors++;
+
+ if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
+ break;
+ if( strlen(buf) != 0 )
+ {
+ mbedtls_fprintf( stderr, "Should be empty %d\n",
+ (int) strlen(buf) );
+ return( 1 );
+ }
}
+ fclose(file);
}
- fclose(file);
mbedtls_fprintf( stdout, "\n----------------------------------------------------------------------------\n\n");
if( total_errors == 0 )
diff --git a/tests/suites/test_suite_memory_buffer_alloc.data b/tests/suites/test_suite_memory_buffer_alloc.data
index a0b0460..8d3813a 100644
--- a/tests/suites/test_suite_memory_buffer_alloc.data
+++ b/tests/suites/test_suite_memory_buffer_alloc.data
@@ -1,2 +1,18 @@
Memory buffer alloc self test
mbedtls_memory_buffer_alloc_self_test:
+
+Memory buffer alloc - free in middle, alloc at end
+memory_buffer_alloc_free_alloc:100:100:100:0:0:1:0:0:200:0
+
+Memory buffer alloc - free in middle, realloc
+memory_buffer_alloc_free_alloc:100:100:100:0:0:1:0:0:100:0
+
+Memory buffer alloc - free in middle, merge, realloc
+memory_buffer_alloc_free_alloc:100:100:100:100:0:1:1:0:201:0
+
+Memory buffer alloc - free at end, merge, realloc
+memory_buffer_alloc_free_alloc:100:64:100:100:0:0:0:1:200:0
+
+Memory buffer alloc - Out of Memory test
+memory_buffer_alloc_oom_test:
+
diff --git a/tests/suites/test_suite_memory_buffer_alloc.function b/tests/suites/test_suite_memory_buffer_alloc.function
index 59b0643..04dd68b 100644
--- a/tests/suites/test_suite_memory_buffer_alloc.function
+++ b/tests/suites/test_suite_memory_buffer_alloc.function
@@ -1,6 +1,7 @@
/* BEGIN_HEADER */
#include "mbedtls/memory_buffer_alloc.h"
#define TEST_SUITE_MEMORY_BUFFER_ALLOC
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -8,9 +9,226 @@
* END_DEPENDENCIES
*/
+/* BEGIN_SUITE_HELPERS */
+static int check_pointer( void *p )
+{
+ if( p == NULL )
+ return( -1 );
+
+ if( (size_t) p % MBEDTLS_MEMORY_ALIGN_MULTIPLE != 0 )
+ return( -1 );
+
+ return( 0 );
+}
+/* END_SUITE_HELPERS */
+
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void mbedtls_memory_buffer_alloc_self_test( )
{
TEST_ASSERT( mbedtls_memory_buffer_alloc_self_test( 0 ) == 0 );
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
+void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
+ int d_bytes,
+ int free_a, int free_b, int free_c,
+ int free_d,
+ int e_bytes, int f_bytes )
+{
+ unsigned char buf[1024];
+ unsigned char *ptr_a = NULL, *ptr_b = NULL, *ptr_c = NULL, *ptr_d = NULL,
+ *ptr_e = NULL, *ptr_f = NULL;
+
+ size_t reported_blocks;
+ size_t allocated_bytes = 0, reported_bytes;
+
+ mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+ mbedtls_memory_buffer_set_verify( MBEDTLS_MEMORY_VERIFY_ALWAYS );
+
+ if( a_bytes > 0 )
+ {
+ ptr_a = mbedtls_calloc( a_bytes, sizeof(char) );
+ TEST_ASSERT( check_pointer( ptr_a ) == 0 );
+
+ allocated_bytes += a_bytes * sizeof(char);
+ }
+
+ if( b_bytes > 0 )
+ {
+ ptr_b = mbedtls_calloc( b_bytes, sizeof(char) );
+ TEST_ASSERT( check_pointer( ptr_b ) == 0 );
+
+ allocated_bytes += b_bytes * sizeof(char);
+ }
+
+ if( c_bytes > 0 )
+ {
+ ptr_c = mbedtls_calloc( c_bytes, sizeof(char) );
+ TEST_ASSERT( check_pointer( ptr_c ) == 0 );
+
+ allocated_bytes += c_bytes * sizeof(char);
+ }
+
+ if( d_bytes > 0 )
+ {
+ ptr_d = mbedtls_calloc( d_bytes, sizeof(char) );
+ TEST_ASSERT( check_pointer( ptr_d ) == 0 );
+
+ allocated_bytes += d_bytes * sizeof(char);
+ }
+
+ mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
+ TEST_ASSERT( reported_bytes == allocated_bytes );
+
+ if( free_a )
+ {
+ mbedtls_free( ptr_a );
+ ptr_a = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+
+ allocated_bytes -= a_bytes * sizeof(char);
+ }
+
+ if( free_b )
+ {
+ mbedtls_free( ptr_b );
+ ptr_b = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+
+ allocated_bytes -= b_bytes * sizeof(char);
+ }
+
+ if( free_c )
+ {
+ mbedtls_free( ptr_c );
+ ptr_c = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+
+ allocated_bytes -= c_bytes * sizeof(char);
+ }
+
+ if( free_d )
+ {
+ mbedtls_free( ptr_d );
+ ptr_d = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+
+ allocated_bytes -= d_bytes * sizeof(char);
+ }
+
+ mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
+ TEST_ASSERT( reported_bytes == allocated_bytes );
+
+ if( e_bytes > 0 )
+ {
+ ptr_e = mbedtls_calloc( e_bytes, sizeof(char) );
+ TEST_ASSERT( check_pointer( ptr_e ) == 0 );
+ }
+
+ if( f_bytes > 0 )
+ {
+ ptr_f = mbedtls_calloc( f_bytes, sizeof(char) );
+ TEST_ASSERT( check_pointer( ptr_f ) == 0 );
+ }
+
+ /* Once blocks are reallocated, the block allocated to the memory request
+ * may be bigger than the request itself, which is indicated by the reported
+ * bytes, and makes it hard to know what the reported size will be, so
+ * we don't check the size after blocks have been reallocated. */
+
+ if( ptr_a != NULL )
+ {
+ mbedtls_free( ptr_a );
+ ptr_a = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+ }
+
+ if( ptr_b != NULL )
+ {
+ mbedtls_free( ptr_b );
+ ptr_b = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+ }
+
+ if( ptr_c != NULL )
+ {
+ mbedtls_free( ptr_c );
+ ptr_c = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+ }
+
+ if( ptr_d != NULL )
+ {
+ mbedtls_free( ptr_d );
+ ptr_d = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+ }
+
+ if( ptr_e != NULL )
+ {
+ mbedtls_free( ptr_e );
+ ptr_e = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+ }
+
+ if( ptr_f != NULL )
+ {
+ mbedtls_free( ptr_f );
+ ptr_f = NULL;
+ }
+
+ mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
+ TEST_ASSERT( reported_bytes == 0 );
+
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+
+exit:
+ mbedtls_memory_buffer_alloc_free( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
+void memory_buffer_alloc_oom_test()
+{
+ unsigned char buf[1024];
+ unsigned char *ptr_a = NULL, *ptr_b = NULL, *ptr_c = NULL;
+ size_t reported_blocks, reported_bytes;
+
+ (void)ptr_c;
+
+ mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+ mbedtls_memory_buffer_set_verify( MBEDTLS_MEMORY_VERIFY_ALWAYS );
+
+ ptr_a = mbedtls_calloc( 432, sizeof(char) );
+ TEST_ASSERT( check_pointer( ptr_a ) == 0 );
+
+ ptr_b = mbedtls_calloc( 432, sizeof(char) );
+ TEST_ASSERT( check_pointer( ptr_b ) == 0 );
+
+ ptr_c = mbedtls_calloc( 431, sizeof(char) );
+ TEST_ASSERT( ptr_c == NULL );
+
+ mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
+ TEST_ASSERT( reported_bytes >= 864 && reported_bytes <= sizeof(buf) );
+
+ mbedtls_free( ptr_a );
+ ptr_a = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+
+ mbedtls_free( ptr_b );
+ ptr_b = NULL;
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+
+ mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
+ TEST_ASSERT( reported_bytes == 0 );
+
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+
+exit:
+ mbedtls_memory_buffer_alloc_free( );
+}
+/* END_CASE */
+
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index f838f3b..3fd7f2d 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -295,6 +295,15 @@
Test mbedtls_mpi_add_mpi #2
mbedtls_mpi_add_mpi:10:"643808006803554439230129854961492699151386107534013432918073439524138264842370630061369715394739134090922937332590384720397133335969549256322620979036686633213903952966175107096769180017646161851573147596390153":10:"56125680981752282333498088313568935051383833838594899821664631784577337171193624243181360054669678410455329112434552942717084003541384594864129940145043086760031292483340068923506115878221189886491132772739661669044958531131327771":10:"56125680981752282334141896320372489490613963693556392520816017892111350604111697682705498319512049040516698827829292076808006940873974979584527073481012636016353913462376755556720019831187364993587901952757307830896531678727717924"
+Base test mbedtls_mpi_add_mpi inplace #1
+mbedtls_mpi_add_mpi_inplace:10:"12345678":10:"24691356"
+
+Test mbedtls_mpi_add_mpi inplace #2
+mbedtls_mpi_add_mpi_inplace:10:"643808006803554439230129854961492699151386107534013432918073439524138264842370630061369715394739134090922937332590384720397133335969549256322620979036686633213903952966175107096769180017646161851573147596390153":10:"1287616013607108878460259709922985398302772215068026865836146879048276529684741260122739430789478268181845874665180769440794266671939098512645241958073373266427807905932350214193538360035292323703146295192780306"
+
+Test mbedtls_mpi_add_mpi inplace #3
+mbedtls_mpi_add_mpi_inplace:16:"ffffffffffffffffffffffffffffffff":16:"01fffffffffffffffffffffffffffffffe"
+
Test mbedtls_mpi_add_int #1
mbedtls_mpi_add_int:10:"2039568783564019774057658669290345772801939933143482630947726464532830627227012776329":9871232:10:"2039568783564019774057658669290345772801939933143482630947726464532830627227022647561"
diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function
index 5dd6f0d..c41ca69 100644
--- a/tests/suites/test_suite_mpi.function
+++ b/tests/suites/test_suite_mpi.function
@@ -443,6 +443,32 @@
/* END_CASE */
/* BEGIN_CASE */
+void mbedtls_mpi_add_mpi_inplace( int radix_X, char *input_X, int radix_A, char *input_A )
+{
+ mbedtls_mpi X, A;
+ mbedtls_mpi_init( &X ); mbedtls_mpi_init( &A );
+
+ TEST_ASSERT( mbedtls_mpi_read_string( &A, radix_A, input_A ) == 0 );
+
+ TEST_ASSERT( mbedtls_mpi_read_string( &X, radix_X, input_X ) == 0 );
+ TEST_ASSERT( mbedtls_mpi_sub_abs( &X, &X, &X ) == 0 );
+ TEST_ASSERT( mbedtls_mpi_cmp_int( &X, 0 ) == 0 );
+
+ TEST_ASSERT( mbedtls_mpi_read_string( &X, radix_X, input_X ) == 0 );
+ TEST_ASSERT( mbedtls_mpi_add_abs( &X, &X, &X ) == 0 );
+ TEST_ASSERT( mbedtls_mpi_cmp_mpi( &X, &A ) == 0 );
+
+ TEST_ASSERT( mbedtls_mpi_read_string( &X, radix_X, input_X ) == 0 );
+ TEST_ASSERT( mbedtls_mpi_add_mpi( &X, &X, &X ) == 0 );
+ TEST_ASSERT( mbedtls_mpi_cmp_mpi( &X, &A ) == 0 );
+
+exit:
+ mbedtls_mpi_free( &X ); mbedtls_mpi_free( &A );
+}
+/* END_CASE */
+
+
+/* BEGIN_CASE */
void mbedtls_mpi_add_abs( int radix_X, char *input_X, int radix_Y, char *input_Y,
int radix_A, char *input_A )
{
diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data
index c43d6ae..d522332 100644
--- a/tests/suites/test_suite_rsa.data
+++ b/tests/suites/test_suite_rsa.data
@@ -345,7 +345,7 @@
RSA Public (Data larger than N)
mbedtls_rsa_public:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_PUBLIC_FAILED + MBEDTLS_ERR_MPI_BAD_INPUT_DATA
-RSA Generate Key
+RSA Generate Key - 128bit key
mbedtls_rsa_gen_key:128:3:0
RSA Generate Key (Number of bits too small)
@@ -354,9 +354,15 @@
RSA Generate Key (Exponent too small)
mbedtls_rsa_gen_key:128:2:MBEDTLS_ERR_RSA_BAD_INPUT_DATA
-RSA Generate Key
+RSA Generate Key - 1024 bit key
mbedtls_rsa_gen_key:1024:3:0
+RSA Generate Key - 2048 bit key
+mbedtls_rsa_gen_key:2048:3:0
+
+RSA Generate Key - 1025 bit key
+mbedtls_rsa_gen_key:1025:3:0
+
RSA PKCS1 Encrypt Bad RNG
depends_on:MBEDTLS_PKCS1_V15
rsa_pkcs1_encrypt_bad_rng:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_RSA_PKCS_V15:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":MBEDTLS_ERR_RSA_RNG_FAILED
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 48f08cc..ac13f11 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compiletime library version
-check_compiletime_version:"2.2.0"
+check_compiletime_version:"2.2.1"
Check runtime library version
-check_runtime_version:"2.2.0"
+check_runtime_version:"2.2.1"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 156f151..5c68872 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -699,6 +699,22 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"NULL"
+X509 Certificate verification #82 (Not yet valid CA and valid CA)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+
+X509 Certificate verification #83 (valid CA and Not yet valid CA)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-future.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+
+X509 Certificate verification #84 (valid CA and Not yet valid CA)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-past.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+
+X509 Certificate verification #85 (Not yet valid CA and valid CA)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
+
X509 Certificate verification callback: trusted EE cert
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL\n"
@@ -755,7 +771,7 @@
x509parse_crt:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT
X509 Certificate ASN1 (Correct first tag, data length does not match)
-x509parse_crt:"300000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509parse_crt:"300000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 Certificate ASN1 (Correct first tag, no more data)
x509parse_crt:"3000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
@@ -1160,6 +1176,14 @@
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
mbedtls_x509_crt_verify_chain:"data_files/dir4/cert61.crt data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0
+X509 CRT verify chain #9 (zero pathlen first intermediate, valid)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/dir4/cert83.crt data_files/dir4/cert82.crt":"data_files/dir4/cert81.crt":0
+
+X509 CRT verify chain #10 (zero pathlen root, valid)
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":0
+
X509 OID description #1
x509_oid_desc:"2B06010505070301":"TLS Web Server Authentication"
diff --git a/yotta/data/adjust-config.sh b/yotta/data/adjust-config.sh
index 9088fd5..170d307 100755
--- a/yotta/data/adjust-config.sh
+++ b/yotta/data/adjust-config.sh
@@ -68,7 +68,6 @@
conf unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
conf unset MBEDTLS_SSL_FALLBACK_SCSV
conf unset MBEDTLS_SSL_CBC_RECORD_SPLITTING
-conf unset MBEDTLS_SSL_PROTO_SSL3
conf unset MBEDTLS_SSL_PROTO_TLS1
conf unset MBEDTLS_SSL_PROTO_TLS1_1
conf unset MBEDTLS_SSL_TRUNCATED_HMAC
diff --git a/yotta/data/entropy_hardware_poll.c b/yotta/data/entropy_hardware_poll.c
index 1924302..3a61e22 100644
--- a/yotta/data/entropy_hardware_poll.c
+++ b/yotta/data/entropy_hardware_poll.c
@@ -1,5 +1,5 @@
/*
- * Temporary "entropy" collector for Cortex-M4
+ * Hardware entropy collector for the K64F, using Freescale's RNGA
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
@@ -20,46 +20,69 @@
*/
/*
- * WARNING: this is a temporary hack!
- * 1. Currently does not provide strong entropy, should be replaced to use the
- * on-board hardware RNG (see IOTSSL-303)
- * 2. This should be in a separete yotta module which would be a target
+ * WARNING: this is temporary!
+ * This should be in a separate yotta module which would be a target
* dependency of mbedtls (see IOTSSL-313)
*/
-#if defined(TARGET_LIKE_CORTEX_M4)
+#if defined(TARGET_LIKE_K64F)
-#include "MK64F12.h"
-#include "core_cm4.h"
-#include <string.h>
+/*
+ * Reference: "K64 Sub-Family Reference Manual, Rev. 2", chapter 34
+ */
-unsigned long hardclock( void )
+#include "fsl_clock_manager.h"
+
+/*
+ * Get one byte of entropy from the RNG, assuming it is up and running.
+ * As recommended (34.1.1), get only one bit of each output.
+ */
+static void rng_get_byte( unsigned char *byte )
{
- static int dwt_started = 0;
+ size_t bit;
- if( dwt_started == 0 )
+ /* 34.5 Steps 3-4-5: poll SR and read from OR when ready */
+ for( bit = 0; bit < 8; bit++ )
{
- CoreDebug->DEMCR |= CoreDebug_DEMCR_TRCENA_Msk;
- DWT->CTRL |= DWT_CTRL_CYCCNTENA_Msk;
+ while( ( RNG->SR & RNG_SR_OREG_LVL_MASK ) == 0 );
+ *byte |= ( RNG->OR & 1 ) << bit;
}
-
- return( DWT->CYCCNT );
}
+/*
+ * Get len bytes of entropy from the hardware RNG.
+ */
int mbedtls_hardware_poll( void *data,
unsigned char *output, size_t len, size_t *olen )
{
- unsigned long timer = hardclock();
+ size_t i;
+ int ret;
((void) data);
- *olen = 0;
- if( len < sizeof(unsigned long) )
- return( 0 );
+ CLOCK_SYS_EnableRngaClock( 0 );
- memcpy( output, &timer, sizeof(unsigned long) );
- *olen = sizeof(unsigned long);
+ /* Set "Interrupt Mask", "High Assurance" and "Go",
+ * unset "Clear interrupt" and "Sleep" */
+ RNG->CR = RNG_CR_INTM_MASK | RNG_CR_HA_MASK | RNG_CR_GO_MASK;
- return( 0 );
+ for( i = 0; i < len; i++ )
+ rng_get_byte( output + i );
+
+ /* Just be extra sure that we didn't do it wrong */
+ if( ( RNG->SR & RNG_SR_SECV_MASK ) != 0 )
+ {
+ ret = -1;
+ goto cleanup;
+ }
+
+ *olen = len;
+ ret = 0;
+
+cleanup:
+ /* Disable clock to save power - assume we're the only users of RNG */
+ CLOCK_SYS_DisableRngaClock( 0 );
+
+ return( ret );
}
#endif
diff --git a/yotta/data/example-authcrypt/main.cpp b/yotta/data/example-authcrypt/main.cpp
index 83d5566..23fad27 100644
--- a/yotta/data/example-authcrypt/main.cpp
+++ b/yotta/data/example-authcrypt/main.cpp
@@ -175,10 +175,6 @@
#include "minar/minar.h"
static void run() {
- /* Use 115200 bps for consistency with other examples */
- Serial pc(USBTX, USBRX);
- pc.baud(115200);
-
MBED_HOSTTEST_TIMEOUT(10);
MBED_HOSTTEST_SELECT(default);
MBED_HOSTTEST_DESCRIPTION(mbed TLS example authcrypt);
@@ -187,6 +183,8 @@
}
void app_start(int, char*[]) {
+ /* Use 115200 bps for consistency with other examples */
+ get_stdio_serial().baud(115200);
minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind());
}
diff --git a/yotta/data/example-benchmark/README.md b/yotta/data/example-benchmark/README.md
index 1a534a2..8589e7b 100644
--- a/yotta/data/example-benchmark/README.md
+++ b/yotta/data/example-benchmark/README.md
@@ -92,3 +92,9 @@
{{success}}
{{end}}
```
+
+Any performance data generated by this example application are indicative only of the performance of the mbed TLS module on the platform it's executed on.
+
+Differences in the integration of mbed TLS into the platform, such as whether all available hardware accelerators have been used or not, can lead to significant differences in performance, and so results from the program are not intended to be used to meaningfully compare platforms.
+
+The figures may also slightly change from execution to execution due to variations in the timing functions.
diff --git a/yotta/data/example-benchmark/main.cpp b/yotta/data/example-benchmark/main.cpp
index 77c7005..ef38c44 100644
--- a/yotta/data/example-benchmark/main.cpp
+++ b/yotta/data/example-benchmark/main.cpp
@@ -935,10 +935,6 @@
#include "minar/minar.h"
static void run() {
- /* Use 115200 bps for consistency with other examples */
- Serial pc(USBTX, USBRX);
- pc.baud(115200);
-
MBED_HOSTTEST_TIMEOUT(150);
MBED_HOSTTEST_SELECT(default);
MBED_HOSTTEST_DESCRIPTION(mbed TLS benchmark program);
@@ -947,6 +943,8 @@
}
void app_start(int, char*[]) {
+ /* Use 115200 bps for consistency with other examples */
+ get_stdio_serial().baud(115200);
minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind());
}
diff --git a/yotta/data/example-hashing/main.cpp b/yotta/data/example-hashing/main.cpp
index 27c469b..574152a 100644
--- a/yotta/data/example-hashing/main.cpp
+++ b/yotta/data/example-hashing/main.cpp
@@ -155,10 +155,6 @@
#include "minar/minar.h"
static void run() {
- /* Use 115200 bps for consistency with other examples */
- Serial pc(USBTX, USBRX);
- pc.baud(115200);
-
MBED_HOSTTEST_TIMEOUT(10);
MBED_HOSTTEST_SELECT(default);
MBED_HOSTTEST_DESCRIPTION(mbed TLS example on hashing);
@@ -167,6 +163,8 @@
}
void app_start(int, char*[]) {
+ /* Use 115200 bps for consistency with other examples */
+ get_stdio_serial().baud(115200);
minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind());
}
diff --git a/yotta/data/example-selftest/main.cpp b/yotta/data/example-selftest/main.cpp
index b1b15f1..0ff5b04 100644
--- a/yotta/data/example-selftest/main.cpp
+++ b/yotta/data/example-selftest/main.cpp
@@ -246,10 +246,6 @@
#include "minar/minar.h"
static void run() {
- /* Use 115200 bps for consistency with other examples */
- Serial pc(USBTX, USBRX);
- pc.baud(115200);
-
MBED_HOSTTEST_TIMEOUT(40);
MBED_HOSTTEST_SELECT(default);
MBED_HOSTTEST_DESCRIPTION(mbed TLS selftest program);
@@ -258,6 +254,8 @@
}
void app_start(int, char*[]) {
+ /* Use 115200 bps for consistency with other examples */
+ get_stdio_serial().baud(115200);
minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind());
}
diff --git a/yotta/data/module.json b/yotta/data/module.json
index 602b707..f303783 100644
--- a/yotta/data/module.json
+++ b/yotta/data/module.json
@@ -1,6 +1,6 @@
{
"name": "mbedtls",
- "version": "2.2.0",
+ "version": "2.3.0",
"description": "The mbed TLS crypto/SSL/TLS library",
"licenses": [
{
@@ -13,6 +13,6 @@
"mbed": { "cmsis-core": "^1.0.0" }
},
"testTargetDependencies": {
- "mbed": { "mbed-drivers": "~0.11.0" }
+ "mbed": { "mbed-drivers": "^1.0.0" }
}
}
diff --git a/yotta/data/target_config.h b/yotta/data/target_config.h
index df1a208..f350ce3 100644
--- a/yotta/data/target_config.h
+++ b/yotta/data/target_config.h
@@ -26,10 +26,10 @@
#endif
/*
- * WARNING: this is a temporary hack!
- * 2. This should be in a separete yotta module which would be a target
+ * WARNING: this is temporary!
+ * This should be in a separate yotta module which would be a target
* dependency of mbedtls (see IOTSSL-313)
*/
-#if defined(TARGET_LIKE_CORTEX_M4)
+#if defined(TARGET_LIKE_K64F)
#define MBEDTLS_ENTROPY_HARDWARE_ALT
#endif