Merge pull request #3010 from hanno-arm/tls_msg_split
Introduce separate source file for SSL messaging layer
diff --git a/ChangeLog b/ChangeLog
index 2f6480e..aadc9e9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,13 +6,16 @@
* Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing
SSLv2 ClientHello messages.
* Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
+ * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
+ library which allows TLS authentication to use keys stored in a
+ PKCS#11 token such as a smartcard.
Bugfix
- * Allow loading symlinked certificates. Fixes #3005. Reported and fixed
- by Jonathan Bennett <JBennett@incomsystems.biz> via #3008.
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix build failure with MBEDTLS_ZLIB_SUPPORT enabled. Reported by
Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
+ * Fix some false-positive uninitialized variable warnings in X.509. Fix
+ contributed by apple-ihack-geek in #2663.
= mbed TLS 2.20.0 branch released 2020-01-15
@@ -85,8 +88,6 @@
* mbedtls_ctr_drbg_set_entropy_len() and
mbedtls_hmac_drbg_set_entropy_len() now work if you call them before
mbedtls_ctr_drbg_seed() or mbedtls_hmac_drbg_seed().
- * Fix some false-positive uninitialized variable warnings. Fix contributed
- by apple-ihack-geek in #2663.
Changes
* Remove the technical possibility to define custom mbedtls_md_info
@@ -118,6 +119,10 @@
mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
from modifying the client/server hello.
+Bugfix
+ * Fix some false-positive uninitialized variable warnings in crypto. Fix
+ contributed by apple-ihack-geek in #2663.
+
= mbed TLS 2.19.0 branch released 2019-09-06
Security
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index d95b71e..ec11426 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -342,6 +342,14 @@
#error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_PKCS11_C)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_PKCS11_C */
+
#if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
#endif
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index a11a4f3..7abdaa5 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2818,7 +2818,10 @@
/**
* \def MBEDTLS_PKCS11_C
*
- * Enable wrapper for PKCS#11 smartcard support.
+ * Enable wrapper for PKCS#11 smartcard support via the pkcs11-helper library.
+ *
+ * \deprecated This option is deprecated and will be removed in a future
+ * version of Mbed TLS.
*
* Module: library/pkcs11.c
* Caller: library/pk.c
diff --git a/include/mbedtls/pkcs11.h b/include/mbedtls/pkcs11.h
index d9f45db..cf8d8c4 100644
--- a/include/mbedtls/pkcs11.h
+++ b/include/mbedtls/pkcs11.h
@@ -47,6 +47,8 @@
extern "C" {
#endif
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+
/**
* Context for PKCS #11 private keys.
*/
@@ -56,47 +58,71 @@
int len;
} mbedtls_pkcs11_context;
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
/**
* Initialize a mbedtls_pkcs11_context.
* (Just making memory references valid.)
+ *
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library.
*/
-void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
+MBEDTLS_DEPRECATED void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
/**
* Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
*
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library.
+ *
* \param cert X.509 certificate to fill
* \param pkcs11h_cert PKCS #11 helper certificate
*
* \return 0 on success.
*/
-int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert,
+ pkcs11h_certificate_t pkcs11h_cert );
/**
* Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
* mbedtls_pkcs11_context will take over control of the certificate, freeing it when
* done.
*
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library.
+ *
* \param priv_key Private key structure to fill.
* \param pkcs11_cert PKCS #11 helper certificate
*
* \return 0 on success
*/
-int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
- pkcs11h_certificate_t pkcs11_cert );
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
+ mbedtls_pkcs11_context *priv_key,
+ pkcs11h_certificate_t pkcs11_cert );
/**
* Free the contents of the given private key context. Note that the structure
* itself is not freed.
*
+ * \deprecated This function is deprecated and will be removed in a
+ * future version of the library.
+ *
* \param priv_key Private key structure to cleanup
*/
-void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
+MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
+ mbedtls_pkcs11_context *priv_key );
/**
* \brief Do an RSA private key decrypt, then remove the message
* padding
*
+ * \deprecated This function is deprecated and will be removed in a future
+ * version of the library.
+ *
* \param ctx PKCS #11 context
* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
* \param input buffer holding the encrypted data
@@ -110,15 +136,18 @@
* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
* an error is thrown.
*/
-int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
- int mode, size_t *olen,
- const unsigned char *input,
- unsigned char *output,
- size_t output_max_len );
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
+ int mode, size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len );
/**
* \brief Do a private RSA to sign a message digest
*
+ * \deprecated This function is deprecated and will be removed in a future
+ * version of the library.
+ *
* \param ctx PKCS #11 context
* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
* \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
@@ -132,28 +161,58 @@
* \note The "sig" buffer must be as large as the size
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
*/
-int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
- int mode,
- mbedtls_md_type_t md_alg,
- unsigned int hashlen,
- const unsigned char *hash,
- unsigned char *sig );
+MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
+ int mode,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig );
/**
* SSL/TLS wrappers for PKCS#11 functions
+ *
+ * \deprecated This function is deprecated and will be removed in a future
+ * version of the library.
*/
-static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
- const unsigned char *input, unsigned char *output,
- size_t output_max_len )
+MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx,
+ int mode, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ size_t output_max_len )
{
return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
output_max_len );
}
-static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
- const unsigned char *hash, unsigned char *sig )
+/**
+ * \brief This function signs a message digest using RSA.
+ *
+ * \deprecated This function is deprecated and will be removed in a future
+ * version of the library.
+ *
+ * \param ctx The PKCS #11 context.
+ * \param f_rng The RNG function. This parameter is unused.
+ * \param p_rng The RNG context. This parameter is unused.
+ * \param mode The operation to run. This must be set to
+ * MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's
+ * signature.
+ * \param md_alg The message digest algorithm. One of the MBEDTLS_MD_XXX
+ * must be passed to this function and MBEDTLS_MD_NONE can be
+ * used for signing raw data.
+ * \param hashlen The message digest length (for MBEDTLS_MD_NONE only).
+ * \param hash The buffer holding the message digest.
+ * \param sig The buffer that will hold the ciphertext.
+ *
+ * \return \c 0 if the signing operation was successful.
+ * \return A non-zero error code on failure.
+ *
+ * \note The \p sig buffer must be as large as the size of
+ * <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is
+ * used.
+ */
+MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig )
{
((void) f_rng);
((void) p_rng);
@@ -161,11 +220,25 @@
hashlen, hash, sig );
}
-static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
+/**
+ * This function gets the length of the private key.
+ *
+ * \deprecated This function is deprecated and will be removed in a future
+ * version of the library.
+ *
+ * \param ctx The PKCS #11 context.
+ *
+ * \return The length of the private key.
+ */
+MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
{
return ( (mbedtls_pkcs11_context *) ctx )->len;
}
+#undef MBEDTLS_DEPRECATED
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
#ifdef __cplusplus
}
#endif
diff --git a/library/x509_crl.c b/library/x509_crl.c
index d1176fc..371c446 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -541,7 +541,7 @@
{
#if defined(MBEDTLS_PEM_PARSE_C)
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t use_len;
+ size_t use_len = 0;
mbedtls_pem_context pem;
int is_pem = 0;
diff --git a/library/x509_crt.c b/library/x509_crt.c
index ca60011..1e47230 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1613,7 +1613,7 @@
goto cleanup;
}
- if( !( S_ISREG( sb.st_mode ) || S_ISLNK( sb.st_mode ) ) )
+ if( !S_ISREG( sb.st_mode ) )
continue;
// Ignore parse errors
@@ -2538,7 +2538,7 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_crt *parent, *fallback_parent;
- int signature_is_good, fallback_signature_is_good;
+ int signature_is_good = 0, fallback_signature_is_good;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/* did we have something in progress? */
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 27f2312..d23a700 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1820,7 +1820,7 @@
#endif
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
unsigned char *context_buf = NULL;
- size_t context_buf_len;
+ size_t context_buf_len = 0;
#endif
int i;
diff --git a/scripts/config.py b/scripts/config.py
index e3ecfc6..b4edb65 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -232,6 +232,35 @@
return True
return include_in_full(name) and keep_in_baremetal(name)
+def include_in_crypto(name):
+ """Rules for symbols in a crypto configuration."""
+ if name.startswith('MBEDTLS_X509_') or \
+ name.startswith('MBEDTLS_SSL_') or \
+ name.startswith('MBEDTLS_KEY_EXCHANGE_'):
+ return False
+ if name in [
+ 'MBEDTLS_CERTS_C',
+ 'MBEDTLS_DEBUG_C',
+ 'MBEDTLS_NET_C',
+ 'MBEDTLS_PKCS11_C',
+ ]:
+ return False
+ return True
+
+def crypto_adapter(adapter):
+ """Modify an adapter to disable non-crypto symbols.
+
+ ``crypto_adapter(adapter)(name, active, section)`` is like
+ ``adapter(name, active, section)``, but unsets all X.509 and TLS symbols.
+ """
+ def continuation(name, active, section):
+ if not include_in_crypto(name):
+ return False
+ if adapter is None:
+ return active
+ return adapter(name, active, section)
+ return continuation
+
class ConfigFile(Config):
"""Representation of the Mbed TLS configuration read for a file.
@@ -396,6 +425,14 @@
add_adapter('realfull', realfull_adapter,
"""Uncomment all boolean #defines.
Suitable for generating documentation, but not for building.""")
+ add_adapter('crypto', crypto_adapter(None),
+ """Only include crypto features. Exclude X.509 and TLS.""")
+ add_adapter('crypto_baremetal', crypto_adapter(baremetal_adapter),
+ """Like baremetal, but with only crypto features,
+ excluding X.509 and TLS.""")
+ add_adapter('crypto_full', crypto_adapter(full_adapter),
+ """Like full, but with only crypto features,
+ excluding X.509 and TLS.""")
args = parser.parse_args()
config = ConfigFile(args.file)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index d21f1ce..cc19ab2 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -899,6 +899,33 @@
make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
}
+# Check that the specified libraries exist and are empty.
+are_empty_libraries () {
+ nm "$@" >/dev/null 2>/dev/null
+ ! nm "$@" 2>/dev/null | grep -v ':$' | grep .
+}
+
+component_build_crypto_default () {
+ msg "build: make, crypto only"
+ scripts/config.py crypto
+ make CFLAGS='-O1 -Werror'
+ if_build_succeeded are_empty_libraries library/libmbedx509.* library/libmbedtls.*
+}
+
+component_build_crypto_full () {
+ msg "build: make, crypto only, full config"
+ scripts/config.py crypto_full
+ make CFLAGS='-O1 -Werror'
+ if_build_succeeded are_empty_libraries library/libmbedx509.* library/libmbedtls.*
+}
+
+component_build_crypto_baremetal () {
+ msg "build: make, crypto only, baremetal config"
+ scripts/config.py crypto_baremetal
+ make CFLAGS='-O1 -Werror'
+ if_build_succeeded are_empty_libraries library/libmbedx509.* library/libmbedtls.*
+}
+
component_test_depends_curves () {
msg "test/build: curves.pl (gcc)" # ~ 4 min
record_status tests/scripts/curves.pl
@@ -1011,8 +1038,8 @@
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
# to re-enable platform integration features otherwise disabled in C99 builds
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -O0 -D_DEFAULT_SOURCE' lib programs
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' test
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test
}
component_build_no_std_function () {
@@ -1021,21 +1048,21 @@
scripts/config.py full
scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
}
component_build_no_ssl_srv () {
msg "build: full config except ssl_srv.c, make, gcc" # ~ 30s
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_SRV_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
}
component_build_no_ssl_cli () {
msg "build: full config except ssl_cli.c, make, gcc" # ~ 30s
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_CLI_C
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
}
component_build_no_sockets () {
@@ -1045,7 +1072,7 @@
scripts/config.py full
scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib
+ make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib
}
component_test_memory_buffer_allocator_backtrace () {
@@ -1170,6 +1197,30 @@
make test
}
+test_build_opt () {
+ info=$1 cc=$2; shift 2
+ for opt in "$@"; do
+ msg "build/test: $cc $opt, $info" # ~ 30s
+ make CC="$cc" CFLAGS="$opt -Wall -Wextra -Werror"
+ # We're confident enough in compilers to not run _all_ the tests,
+ # but at least run the unit tests. In particular, runs with
+ # optimizations use inline assembly whereas runs with -O0
+ # skip inline assembly.
+ make test # ~30s
+ make clean
+ done
+}
+
+component_test_clang_opt () {
+ scripts/config.pl full
+ test_build_opt 'full config' clang -O0 -Os -O2
+}
+
+component_test_gcc_opt () {
+ scripts/config.pl full
+ test_build_opt 'full config' gcc -O0 -Os -O2
+}
+
component_build_mbedtls_config_file () {
msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s
# Use the full config so as to catch a maximum of places where
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 5f4dc67..abc61b5 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -199,6 +199,84 @@
Negative test moving servers ssl to state: NEW_SESSION_TICKET
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:0
+Handshake, SSL3
+depends_on:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+handshake:"":MBEDTLS_SSL_MINOR_VERSION_0:MBEDTLS_PK_RSA:""
+
+Handshake, tls1
+depends_on:MBEDTLS_SSL_PROTO_TLS1:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CIPHER_MODE_CBC
+handshake:"":MBEDTLS_SSL_MINOR_VERSION_1:MBEDTLS_PK_RSA:""
+
+Handshake, tls1_1
+depends_on:MBEDTLS_SSL_PROTO_TLS1_1:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CIPHER_MODE_CBC
+handshake:"":MBEDTLS_SSL_MINOR_VERSION_2:MBEDTLS_PK_RSA:""
+
+Handshake, tls1_2
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+handshake:"":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA:""
+
+Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA512_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+handshake:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA:""
+
+Handshake, RSA-WITH-AES-128-CCM
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+handshake:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA:""
+
+Handshake, DHE-RSA-WITH-AES-256-CBC-SHA256
+depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+handshake:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA:""
+
+Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
+depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+handshake:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_ECDSA:""
+
+Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA512_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C
+handshake:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_ECDSA:""
+
+Handshake, PSK-WITH-AES-128-CBC-SHA
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+handshake:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA:"abc123"
+
+Test sending app data MFL=512 without fragmentation
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_512:400:512:1:1
+
+Test sending app data MFL=512 with fragmentation
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_512:513:1536:2:3
+
+Test sending app data MFL=1024 without fragmentation
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_1024:1000:1024:1:1
+
+Test sending app data MFL=1024 with fragmentation
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_1024:1025:5120:2:5
+
+Test sending app data MFL=2048 without fragmentation
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_2048:2000:2048:1:1
+
+Test sending app data MFL=2048 with fragmentation
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_2048:2049:8192:2:4
+
+Test sending app data MFL=4096 without fragmentation
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_4096:4000:4096:1:1
+
+Test sending app data MFL=4096 with fragmentation
+depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_4096:4097:12288:2:3
+
+Test sending app data without MFL and without fragmentation
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_NONE:16001:16384:1:1
+
+Test sending app data without MFL and with fragmentation
+send_application_data:MBEDTLS_SSL_MAX_FRAG_LEN_NONE:16385:100000:2:7
+
SSL DTLS replay: initial state, seqnum 0
ssl_dtls_replay:"":"000000000000":0
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 4fba1f1..1a62078 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -453,7 +453,7 @@
if( socket == NULL || socket->status != MBEDTLS_MOCK_SOCKET_CONNECTED )
return -1;
- if( socket->input->content_length == 0)
+ if( socket->input->content_length == 0 )
{
return MBEDTLS_ERR_SSL_WANT_READ;
}
@@ -629,9 +629,7 @@
{
mbedtls_x509_crt ca_cert;
mbedtls_x509_crt cert;
- mbedtls_x509_crt cert2;
mbedtls_pk_context pkey;
- mbedtls_pk_context pkey2;
} mbedtls_endpoint_certificate;
/*
@@ -654,7 +652,7 @@
*
* \retval 0 on success, otherwise error code.
*/
-int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep )
+int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg )
{
int i = 0;
int ret = -1;
@@ -668,20 +666,10 @@
cert = &( ep->cert );
mbedtls_x509_crt_init( &( cert->ca_cert ) );
mbedtls_x509_crt_init( &( cert->cert ) );
- mbedtls_x509_crt_init( &( cert->cert2 ) );
mbedtls_pk_init( &( cert->pkey ) );
- mbedtls_pk_init( &( cert->pkey2 ) );
/* Load the trusted CA */
- for( i = 0; mbedtls_test_cas[i] != NULL; i++ )
- {
- ret = mbedtls_x509_crt_parse( &( cert->ca_cert ),
- (const unsigned char *) mbedtls_test_cas[i],
- mbedtls_test_cas_len[i] );
- TEST_ASSERT( ret == 0 );
- }
-
for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ )
{
ret = mbedtls_x509_crt_parse_der( &( cert->ca_cert ),
@@ -694,58 +682,71 @@
if( ep->conf.endpoint == MBEDTLS_SSL_IS_SERVER )
{
- ret = mbedtls_x509_crt_parse( &( cert->cert ),
- (const unsigned char *) mbedtls_test_srv_crt_rsa,
- mbedtls_test_srv_crt_rsa_len );
- TEST_ASSERT( ret == 0 );
+ if( pk_alg == MBEDTLS_PK_RSA )
+ {
+ ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ (const unsigned char*) mbedtls_test_srv_crt_rsa_sha256_der,
+ mbedtls_test_srv_crt_rsa_sha256_der_len );
+ TEST_ASSERT( ret == 0 );
- ret = mbedtls_pk_parse_key( &( cert->pkey ),
- (const unsigned char *) mbedtls_test_srv_key_rsa,
- mbedtls_test_srv_key_rsa_len, NULL, 0 );
- TEST_ASSERT( ret == 0 );
+ ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ (const unsigned char*) mbedtls_test_srv_key_rsa_der,
+ mbedtls_test_srv_key_rsa_der_len, NULL, 0 );
+ TEST_ASSERT( ret == 0 );
+ }
+ else
+ {
+ ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ (const unsigned char*) mbedtls_test_srv_crt_ec_der,
+ mbedtls_test_srv_crt_ec_der_len );
+ TEST_ASSERT( ret == 0 );
- ret = mbedtls_x509_crt_parse( &( cert->cert2 ),
- (const unsigned char *) mbedtls_test_srv_crt_ec,
- mbedtls_test_srv_crt_ec_len );
- TEST_ASSERT( ret == 0 );
-
- ret = mbedtls_pk_parse_key( &( cert->pkey2 ),
- (const unsigned char *) mbedtls_test_srv_key_ec,
- mbedtls_test_srv_key_ec_len, NULL, 0 );
- TEST_ASSERT( ret == 0 );
+ ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ (const unsigned char*) mbedtls_test_srv_key_ec_der,
+ mbedtls_test_srv_key_ec_der_len, NULL, 0 );
+ TEST_ASSERT( ret == 0 );
+ }
}
else
{
- ret = mbedtls_x509_crt_parse( &( cert->cert ),
- (const unsigned char *) mbedtls_test_cli_crt,
- mbedtls_test_cli_crt_len );
- TEST_ASSERT( ret == 0 );
+ if( pk_alg == MBEDTLS_PK_RSA )
+ {
+ ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ (const unsigned char *) mbedtls_test_cli_crt_rsa_der,
+ mbedtls_test_cli_crt_rsa_der_len );
+ TEST_ASSERT( ret == 0 );
- ret = mbedtls_pk_parse_key( &( cert->pkey ),
- (const unsigned char *) mbedtls_test_cli_key,
- mbedtls_test_cli_key_len, NULL, 0 );
- TEST_ASSERT( ret == 0 );
+ ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ (const unsigned char *) mbedtls_test_cli_key_rsa_der,
+ mbedtls_test_cli_key_rsa_der_len, NULL, 0 );
+ TEST_ASSERT( ret == 0 );
+ }
+ else
+ {
+ ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ (const unsigned char *) mbedtls_test_cli_crt_ec_der,
+ mbedtls_test_cli_crt_ec_len );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ (const unsigned char *) mbedtls_test_cli_key_ec_der,
+ mbedtls_test_cli_key_ec_der_len, NULL, 0 );
+ TEST_ASSERT( ret == 0 );
+ }
}
mbedtls_ssl_conf_ca_chain( &( ep->conf ), &( cert->ca_cert ), NULL );
- ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ), &( cert->pkey ) );
+ ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ),
+ &( cert->pkey ) );
TEST_ASSERT( ret == 0 );
- if( ep->conf.endpoint == MBEDTLS_SSL_IS_SERVER )
- {
- ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert2 ), &( cert->pkey2 ) );
- TEST_ASSERT( ret == 0 );
- }
-
exit:
if( ret != 0 )
{
mbedtls_x509_crt_free( &( cert->ca_cert ) );
mbedtls_x509_crt_free( &( cert->cert ) );
- mbedtls_x509_crt_free( &( cert->cert2 ) );
mbedtls_pk_free( &( cert->pkey ) );
- mbedtls_pk_free( &( cert->pkey2 ) );
}
return ret;
@@ -760,7 +761,7 @@
*
* \retval 0 on success, otherwise error code.
*/
-int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type )
+int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type, int pk_alg )
{
int ret = -1;
@@ -801,7 +802,7 @@
MBEDTLS_SSL_PRESET_DEFAULT );
TEST_ASSERT( ret == 0 );
- ret = mbedtls_endpoint_certificate_init( ep );
+ ret = mbedtls_endpoint_certificate_init( ep, pk_alg );
TEST_ASSERT( ret == 0 );
exit:
@@ -816,9 +817,7 @@
mbedtls_endpoint_certificate *cert = &( ep->cert );
mbedtls_x509_crt_free( &( cert->ca_cert ) );
mbedtls_x509_crt_free( &( cert->cert ) );
- mbedtls_x509_crt_free( &( cert->cert2 ) );
mbedtls_pk_free( &( cert->pkey ) );
- mbedtls_pk_free( &( cert->pkey2 ) );
}
/*
@@ -886,6 +885,34 @@
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
+ * Write application data. Then increase write and fragments counter
+ */
+int mbedtls_ssl_write_fragment( mbedtls_ssl_context *ssl, unsigned char *buf,
+ int ln, int *writen, int *fragments )
+{
+ int ret = mbedtls_ssl_write( ssl, buf + *writen, ln - *writen );
+ if( ret >= 0 )
+ {
+ (*fragments)++;
+ *writen += ret;
+ }
+ return ret;
+}
+
+/*
+ * Read application data and increase read counter
+ */
+int mbedtls_ssl_read_fragment( mbedtls_ssl_context *ssl, unsigned char *buf, int ln, int *read )
+{
+ int ret = mbedtls_ssl_read( ssl, buf + *read, ln - *read );
+ if( ret >= 0 )
+ {
+ *read += ret;
+ }
+ return ret;
+}
+
+/*
* Helper function setting up inverse record transformations
* using given cipher, hash, EtM mode, authentication tag length,
* and version.
@@ -901,6 +928,46 @@
} \
} while( 0 )
+void set_ciphersuite( mbedtls_ssl_config *conf, const char *cipher,
+ int* forced_ciphersuite )
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ forced_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( cipher );
+ forced_ciphersuite[1] = 0;
+
+ ciphersuite_info =
+ mbedtls_ssl_ciphersuite_from_id( forced_ciphersuite[0] );
+
+ TEST_ASSERT( ciphersuite_info != NULL );
+ TEST_ASSERT( ciphersuite_info->min_minor_ver <= conf->max_minor_ver );
+ TEST_ASSERT( ciphersuite_info->max_minor_ver >= conf->min_minor_ver );
+
+ if( conf->max_minor_ver > ciphersuite_info->max_minor_ver )
+ {
+ conf->max_minor_ver = ciphersuite_info->max_minor_ver;
+ }
+ if( conf->min_minor_ver < ciphersuite_info->min_minor_ver )
+ {
+ conf->min_minor_ver = ciphersuite_info->min_minor_ver;
+ }
+
+ mbedtls_ssl_conf_ciphersuites( conf, forced_ciphersuite );
+
+exit:
+ return;
+}
+
+int psk_dummy_callback( void *p_info, mbedtls_ssl_context *ssl,
+ const unsigned char *name, size_t name_len )
+{
+ (void) p_info;
+ (void) ssl;
+ (void) name;
+ (void) name_len;
+
+ return ( 0 );
+}
+
#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_IN_LEN_MAX
#else
@@ -2916,20 +2983,20 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15 */
void mbedtls_endpoint_sanity( int endpoint_type )
{
enum { BUFFSIZE = 1024 };
mbedtls_endpoint ep;
int ret = -1;
- ret = mbedtls_endpoint_init( NULL, endpoint_type );
+ ret = mbedtls_endpoint_init( NULL, endpoint_type, MBEDTLS_PK_RSA );
TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
- ret = mbedtls_endpoint_certificate_init( NULL );
+ ret = mbedtls_endpoint_certificate_init( NULL, MBEDTLS_PK_RSA );
TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
- ret = mbedtls_endpoint_init( &ep, endpoint_type );
+ ret = mbedtls_endpoint_init( &ep, endpoint_type, MBEDTLS_PK_RSA );
TEST_ASSERT( ret == 0 );
exit:
@@ -2937,19 +3004,20 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15 */
void move_handshake_to_state(int endpoint_type, int state, int need_pass)
{
enum { BUFFSIZE = 1024 };
mbedtls_endpoint base_ep, second_ep;
int ret = -1;
- ret = mbedtls_endpoint_init( &base_ep, endpoint_type );
+ ret = mbedtls_endpoint_init( &base_ep, endpoint_type, MBEDTLS_PK_RSA );
TEST_ASSERT( ret == 0 );
ret = mbedtls_endpoint_init( &second_ep,
( endpoint_type == MBEDTLS_SSL_IS_SERVER ) ?
- MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER );
+ MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_PK_RSA );
TEST_ASSERT( ret == 0 );
ret = mbedtls_mock_socket_connect( &(base_ep.socket),
@@ -2976,3 +3044,189 @@
mbedtls_endpoint_free( &second_ep );
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15 */
+void handshake( const char *cipher, int version, int pk_alg,
+ data_t *psk_str )
+{
+ /* forced_ciphersuite needs to last until the end of the handshake */
+ int forced_ciphersuite[2];
+ enum { BUFFSIZE = 1024 };
+ mbedtls_endpoint client, server;
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+ const char *psk_identity = "foo";
+#else
+ (void) psk_str;
+#endif
+ /* Client side */
+ TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
+ pk_alg ) == 0 );
+
+ mbedtls_ssl_conf_min_version( &client.conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ version );
+ mbedtls_ssl_conf_max_version( &client.conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ version );
+
+ if( strlen( cipher ) > 0 )
+ {
+ set_ciphersuite( &client.conf, cipher, forced_ciphersuite );
+ }
+ /* Server side */
+ TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
+ pk_alg ) == 0 );
+
+ mbedtls_ssl_conf_min_version( &server.conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ version );
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+ if( psk_str->len > 0 )
+ {
+ TEST_ASSERT( mbedtls_ssl_conf_psk( &client.conf, psk_str->x,
+ psk_str->len,
+ (const unsigned char *) psk_identity,
+ strlen( psk_identity ) ) == 0 );
+
+ TEST_ASSERT( mbedtls_ssl_conf_psk( &server.conf, psk_str->x,
+ psk_str->len,
+ (const unsigned char *) psk_identity,
+ strlen( psk_identity ) ) == 0 );
+
+ mbedtls_ssl_conf_psk_cb( &server.conf, psk_dummy_callback, NULL );
+ }
+#endif
+ TEST_ASSERT( mbedtls_mock_socket_connect( &(client.socket),
+ &(server.socket),
+ BUFFSIZE ) == 0 );
+
+ TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl),
+ &(server.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER )
+ == 0 );
+ TEST_ASSERT( client.ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER );
+ TEST_ASSERT( server.ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER );
+
+exit:
+ mbedtls_endpoint_free( &client );
+ mbedtls_endpoint_free( &server );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15 */
+void send_application_data( int mfl, int cli_msg_len, int srv_msg_len,
+ const int expected_cli_frames,
+ const int expected_srv_frames )
+{
+ enum { BUFFSIZE = 2048 };
+ mbedtls_endpoint server, client;
+ unsigned char *cli_msg_buf = malloc( cli_msg_len );
+ unsigned char *cli_in_buf = malloc( srv_msg_len );
+ unsigned char *srv_msg_buf = malloc( srv_msg_len );
+ unsigned char *srv_in_buf = malloc( cli_msg_len );
+ int ret = -1;
+
+ ret = mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER, MBEDTLS_PK_RSA );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_PK_RSA );
+ TEST_ASSERT( ret == 0 );
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ ret = mbedtls_ssl_conf_max_frag_len( &(server.conf), (unsigned char) mfl );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_ssl_conf_max_frag_len( &(client.conf), (unsigned char) mfl );
+ TEST_ASSERT( ret == 0 );
+#else
+ TEST_ASSERT( MBEDTLS_SSL_MAX_FRAG_LEN_NONE == mfl );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+ ret = mbedtls_mock_socket_connect( &(server.socket), &(client.socket),
+ BUFFSIZE );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_move_handshake_to_state( &(client.ssl),
+ &(server.ssl),
+ MBEDTLS_SSL_HANDSHAKE_OVER );
+ TEST_ASSERT( ret == 0 );
+ TEST_ASSERT( client.ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER );
+ TEST_ASSERT( server.ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER );
+
+ /* Perform this test with two message types. At first use a message
+ * consisting of only 0x00 for the client and only 0xFF for the server.
+ * At the second time use message with generated data */
+ for( int msg_type = 0; msg_type < 2; msg_type++ )
+ {
+ int cli_writen = 0;
+ int srv_writen = 0;
+ int cli_read = 0;
+ int srv_read = 0;
+ int cli_fragments = 0;
+ int srv_fragments = 0;
+
+ if( msg_type == 0 )
+ {
+ memset( cli_msg_buf, 0x00, cli_msg_len );
+ memset( srv_msg_buf, 0xff, srv_msg_len );
+ }
+ else
+ {
+ int j = 0;
+ for( int i = 0; i < cli_msg_len; i++ )
+ cli_msg_buf[i] = j++ & 0xFF;
+ for( int i = 0; i < srv_msg_len; i++ )
+ srv_msg_buf[i] = ( j -= 5 ) & 0xFF;
+ }
+
+ while( cli_read < srv_msg_len || srv_read < cli_msg_len )
+ {
+ /* Client sending */
+ if( cli_msg_len > cli_writen )
+ {
+ ret = mbedtls_ssl_write_fragment( &(client.ssl), cli_msg_buf,
+ cli_msg_len, &cli_writen, &cli_fragments );
+ TEST_ASSERT( ( ret >= 0 && ret <= cli_msg_len ) ||
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+ }
+
+ /* Server sending */
+ if( srv_msg_len > srv_writen )
+ {
+ ret = mbedtls_ssl_write_fragment( &(server.ssl), srv_msg_buf,
+ srv_msg_len, &srv_writen, &srv_fragments );
+ TEST_ASSERT( ( ret >= 0 && ret <= srv_msg_len ) ||
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+ }
+
+ /* Client reading */
+ if( cli_read < srv_msg_len )
+ {
+ ret = mbedtls_ssl_read_fragment( &(client.ssl), cli_in_buf,
+ srv_msg_len, &cli_read );
+ TEST_ASSERT( ( ret >= 0 && ret <= srv_msg_len ) ||
+ ret == MBEDTLS_ERR_SSL_WANT_READ );
+ }
+
+ /* Server reading */
+ if( srv_read < cli_msg_len )
+ {
+ ret = mbedtls_ssl_read_fragment( &(server.ssl), srv_in_buf,
+ cli_msg_len, &srv_read );
+ TEST_ASSERT( ( ret >= 0 && ret <= cli_msg_len ) ||
+ ret == MBEDTLS_ERR_SSL_WANT_READ );
+ }
+ }
+
+ TEST_ASSERT( 0 == memcmp( cli_msg_buf, srv_in_buf, cli_msg_len ) );
+ TEST_ASSERT( 0 == memcmp( srv_msg_buf, cli_in_buf, srv_msg_len ) );
+ TEST_ASSERT( cli_fragments == expected_cli_frames );
+ TEST_ASSERT( srv_fragments == expected_srv_frames );
+ }
+
+exit:
+ mbedtls_endpoint_free( &client );
+ mbedtls_endpoint_free( &server );
+ free( cli_msg_buf );
+ free( cli_in_buf );
+ free( srv_msg_buf );
+ free( srv_in_buf );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 7b369bb..0db2b0e 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -33,7 +33,8 @@
}
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen )
{
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
@@ -70,7 +71,7 @@
mbedtls_x509_csr_free( &csr );
return( ret );
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
/* END_HEADER */