Merge pull request #9241 from lhuang04/official_development_psk_null2
Set psk to NULL in ssl_psk_remove
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 3be6db7..8ac6579 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1484,9 +1484,11 @@
ssl->total_early_data_size)) {
MBEDTLS_SSL_DEBUG_MSG(
- 2, ("EarlyData: Too much early data received, %u + %" MBEDTLS_PRINTF_SIZET " > %u",
- ssl->total_early_data_size, early_data_len,
- ssl->session_negotiate->max_early_data_size));
+ 2, ("EarlyData: Too much early data received, "
+ "%lu + %" MBEDTLS_PRINTF_SIZET " > %lu",
+ (unsigned long) ssl->total_early_data_size,
+ early_data_len,
+ (unsigned long) ssl->session_negotiate->max_early_data_size));
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 6fe8cae..f5ef920 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -92,8 +92,9 @@
return;
}
- MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%x",
- (unsigned) psk_ciphersuite_id, psk_hash_alg));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
+ (unsigned) psk_ciphersuite_id,
+ (unsigned long) psk_hash_alg));
}
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
diff --git a/tests/compat.sh b/tests/compat.sh
index 20f2dbd..073258e 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -96,6 +96,7 @@
EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
VERBOSE=""
MEMCHECK=0
+MIN_TESTS=1
PRESERVE_LOGS=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
@@ -116,6 +117,7 @@
printf " -M|--memcheck\tCheck memory leaks and errors.\n"
printf " -v|--verbose\tSet verbose output.\n"
printf " --list-test-cases\tList all potential test cases (No Execution)\n"
+ printf " --min \tMinimum number of non-skipped tests (default 1)\n"
printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
@@ -190,6 +192,9 @@
list_test_cases
exit $?
;;
+ --min)
+ shift; MIN_TESTS=$1
+ ;;
--outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;;
@@ -1238,6 +1243,16 @@
PASSED=$(( $TESTS - $FAILED ))
echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"
+if [ $((TESTS - SKIPPED)) -lt $MIN_TESTS ]; then
+ cat <<EOF
+Error: Expected to run at least $MIN_TESTS, but only ran $((TESTS - SKIPPED)).
+Maybe a bad filter ('$FILTER' excluding '$EXCLUDE') or a bad configuration?
+EOF
+ if [ $FAILED -eq 0 ]; then
+ FAILED=1
+ fi
+fi
+
FAILED=$(( $FAILED + $SRVMEM ))
if [ $FAILED -gt 255 ]; then
# Clamp at 255 as caller gets exit code & 0xFF
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index e3d8401..35b3ff9 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1903,43 +1903,26 @@
}
component_test_tls1_2_default_stream_cipher_only () {
- msg "build: default with only stream cipher"
-
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- #Disable TLS 1.3 (as no AEAD)
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
- # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
- make
-
- msg "test: default with only stream cipher"
- make test
-
- # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
-}
-
-component_test_tls1_2_default_stream_cipher_only_use_psa () {
msg "build: default with only stream cipher use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
+ # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+ # Note: The unset below is to be removed for 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
@@ -1958,45 +1941,23 @@
}
component_test_tls1_2_default_cbc_legacy_cipher_only () {
- msg "build: default with only CBC-legacy cipher"
-
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- #Disable TLS 1.3 (as no AEAD)
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
- # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
- make
-
- msg "test: default with only CBC-legacy cipher"
- make test
-
- msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f "TLS 1.2"
-}
-
-component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
msg "build: default with only CBC-legacy cipher use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -2015,45 +1976,23 @@
}
component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
- msg "build: default with only CBC-legacy and CBC-EtM ciphers"
-
- # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
- scripts/config.py unset MBEDTLS_GCM_C
- scripts/config.py unset MBEDTLS_CCM_C
- scripts/config.py unset MBEDTLS_CHACHAPOLY_C
- #Disable TLS 1.3 (as no AEAD)
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
- # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
- # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
- scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
- # Modules that depend on AEAD
- scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
- scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
- make
-
- msg "test: default with only CBC-legacy and CBC-EtM ciphers"
- make test
-
- msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f "TLS 1.2"
-}
-
-component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+ # Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
- scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -2126,14 +2065,21 @@
component_test_everest_curve25519_only () {
msg "build: Everest ECDH context, only Curve25519" # ~ 6 min
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
scripts/config.py unset MBEDTLS_ECDSA_C
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_ECJPAKE_C
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
+
# Disable all curves
scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED"
- scripts/config.py set MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$"
+ scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
diff --git a/tests/scripts/check-python-files.sh b/tests/scripts/check-python-files.sh
index 32b5baf..77102ba 100755
--- a/tests/scripts/check-python-files.sh
+++ b/tests/scripts/check-python-files.sh
@@ -55,14 +55,14 @@
fi
echo 'Running pylint ...'
-$PYTHON -m pylint framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py || {
+$PYTHON -m pylint framework/scripts/*.py framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py || {
echo >&2 "pylint reported errors"
ret=1
}
echo
echo 'Running mypy ...'
-$PYTHON -m mypy framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py ||
+$PYTHON -m mypy framework/scripts/*.py framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py ||
ret=1
exit $ret
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f4c7f6d..646daad 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -141,6 +141,7 @@
RUN_TEST_NUMBER=''
RUN_TEST_SUITE=''
+MIN_TESTS=1
PRESERVE_LOGS=0
# Pick a "unique" server port in the range 10000-19999, and a proxy
@@ -159,6 +160,7 @@
printf " -s|--show-numbers\tShow test numbers in front of test names\n"
printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
printf " --list-test-cases\tList all potential test cases (No Execution)\n"
+ printf " --min \tMinimum number of non-skipped tests (default 1)\n"
printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --port \tTCP/UDP port (default: randomish 1xxxx)\n"
@@ -192,6 +194,9 @@
-p|--preserve-logs)
PRESERVE_LOGS=1
;;
+ --min)
+ shift; MIN_TESTS=$1
+ ;;
--outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;;
@@ -14152,6 +14157,15 @@
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
+ if [ $((TESTS - SKIPS)) -lt $MIN_TESTS ]; then
+ cat <<EOF
+Error: Expected to run at least $MIN_TESTS, but only ran $((TESTS - SKIPS)).
+Maybe a bad filter ('$FILTER') or a bad configuration?
+EOF
+ if [ $FAILS -eq 0 ]; then
+ FAILS=1
+ fi
+ fi
fi
if [ $FAILS -gt 255 ]; then