Merge pull request #9720 from mpg/all.sh-tf-psa-crypto-dev
All.sh add support for tf-psa-crypto components
diff --git a/.gitignore b/.gitignore
index 6068cbc..2917cfb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,6 +35,7 @@
# Unix-like build artifacts:
*.o
+*.s
# MSVC build artifacts:
*.exe
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 561498c..b3a84b3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -65,7 +65,6 @@
option(ENABLE_PROGRAMS "Build Mbed TLS programs." ON)
-option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
option(MBEDTLS_FATAL_WARNINGS "Compiler warnings treated as errors" ON)
if(CMAKE_HOST_WIN32)
# N.B. The comment on the next line is significant! If you change it,
@@ -150,7 +149,7 @@
find_package(Threads)
# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
-if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
+if(NOT MBEDTLS_AS_SUBPROJECT)
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull TSan TSanDbg"
FORCE)
@@ -213,95 +212,121 @@
set(CMAKE_C_EXTENSIONS OFF)
set(CMAKE_C_STANDARD 99)
-if(CMAKE_COMPILER_IS_GNU)
+function(set_base_compile_options target)
+ if(CMAKE_COMPILER_IS_GNU)
+ set_gnu_base_compile_options(${target})
+ elseif(CMAKE_COMPILER_IS_CLANG)
+ set_clang_base_compile_options(${target})
+ elseif(CMAKE_COMPILER_IS_IAR)
+ set_iar_base_compile_options(${target})
+ elseif(CMAKE_COMPILER_IS_MSVC)
+ set_msvc_base_compile_options(${target})
+ endif()
+endfunction(set_base_compile_options)
+
+function(set_gnu_base_compile_options target)
# some warnings we want are not available with old GCC versions
# note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
OUTPUT_VARIABLE GCC_VERSION)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes")
+ target_compile_options(${target} PRIVATE -Wall -Wextra -Wwrite-strings -Wmissing-prototypes)
if (GCC_VERSION VERSION_GREATER 3.0 OR GCC_VERSION VERSION_EQUAL 3.0)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat=2 -Wno-format-nonliteral")
+ target_compile_options(${target} PRIVATE -Wformat=2 -Wno-format-nonliteral)
endif()
if (GCC_VERSION VERSION_GREATER 4.3 OR GCC_VERSION VERSION_EQUAL 4.3)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wvla")
+ target_compile_options(${target} PRIVATE -Wvla)
endif()
if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op")
+ target_compile_options(${target} PRIVATE -Wlogical-op)
endif()
if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
+ target_compile_options(${target} PRIVATE -Wshadow)
endif()
if (GCC_VERSION VERSION_GREATER 5.0)
CHECK_C_COMPILER_FLAG("-Wformat-signedness" C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
if(C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-signedness")
+ target_compile_options(${target} PRIVATE -Wformat-signedness)
endif()
endif()
if (GCC_VERSION VERSION_GREATER 7.0 OR GCC_VERSION VERSION_EQUAL 7.0)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-overflow=2 -Wformat-truncation")
+ target_compile_options(${target} PRIVATE -Wformat-overflow=2 -Wformat-truncation)
endif()
- set(CMAKE_C_FLAGS_RELEASE "-O2")
- set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
- set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-O2>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:-O0 -g3>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Coverage>:-O0 -g3 --coverage>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_COVERAGE "--coverage")
# Old GCC versions hit a performance problem with test_suite_pkwrite
# "Private keey write check EC" tests when building with Asan+UBSan
# and -O3: those tests take more than 100x time than normal, with
# test_suite_pkwrite taking >3h on the CI. Observed with GCC 5.4 on
# Ubuntu 16.04 x86_64 and GCC 6.5 on Ubuntu 18.04 x86_64.
# GCC 7.5 and above on Ubuntu 18.04 appear fine.
- # To avoid the performance problem, we use -O2 here. It doesn't slow
- # down much even with modern compiler versions.
- set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O2")
- set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
- set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
- set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
- set(CMAKE_C_FLAGS_CHECK "-Os")
- set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
-endif(CMAKE_COMPILER_IS_GNU)
+ # To avoid the performance problem, we use -O2 when GCC version is lower than 7.0.
+ # It doesn't slow down much even with modern compiler versions.
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all>)
+ if (GCC_VERSION VERSION_LESS 7.0)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-O2>)
+ else()
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-O3>)
+ endif()
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_ASAN "-fsanitize=address -fsanitize=undefined")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASanDbg>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_ASANDBG "-fsanitize=address -fsanitize=undefined")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:TSan>:-fsanitize=thread -O3>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_TSAN "-fsanitize=thread")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:TSanDbg>:-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_TSANDBG "-fsanitize=thread")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Check>:-Os>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:CheckFull>:-Os -Wcast-qual>)
-if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral")
- set(CMAKE_C_FLAGS_RELEASE "-O2")
- set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
- set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
- set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
- set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
- set(CMAKE_C_FLAGS_MEMSAN "-fsanitize=memory -O3")
- set(CMAKE_C_FLAGS_MEMSANDBG "-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
- set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
- set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
- set(CMAKE_C_FLAGS_CHECK "-Os")
-endif(CMAKE_COMPILER_IS_CLANG)
+ if(MBEDTLS_FATAL_WARNINGS)
+ target_compile_options(${target} PRIVATE -Werror)
+ endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_gnu_base_compile_options)
-if(CMAKE_COMPILER_IS_IAR)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts")
- set(CMAKE_C_FLAGS_RELEASE "-Ohz")
- set(CMAKE_C_FLAGS_DEBUG "--debug -On")
-endif(CMAKE_COMPILER_IS_IAR)
+function(set_clang_base_compile_options target)
+ target_compile_options(${target} PRIVATE -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-O2>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:-O0 -g3>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Coverage>:-O0 -g3 --coverage>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_COVERAGE "--coverage")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_ASAN "-fsanitize=address -fsanitize=undefined")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASanDbg>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_ASANDBG "-fsanitize=address -fsanitize=undefined")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:MemSan>:-fsanitize=memory>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_MEMSAN "-fsanitize=memory")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:MemSanDbg>:-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_MEMSANDBG "-fsanitize=memory")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:TSan>:-fsanitize=thread -O3>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_TSAN "-fsanitize=thread")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:TSanDbg>:-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_TSANDBG "-fsanitize=thread")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Check>:-Os>)
-if(CMAKE_COMPILER_IS_MSVC)
+ if(MBEDTLS_FATAL_WARNINGS)
+ target_compile_options(${target} PRIVATE -Werror)
+ endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_clang_base_compile_options)
+
+function(set_iar_base_compile_options target)
+ target_compile_options(${target} PRIVATE --warn_about_c_style_casts)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-Ohz>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:--debug -On>)
+
+ if(MBEDTLS_FATAL_WARNINGS)
+ target_compile_options(${target} PRIVATE --warnings_are_errors)
+ endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_iar_base_compile_options)
+
+function(set_msvc_base_compile_options target)
# Strictest warnings, UTF-8 source and execution charset
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W3 /utf-8")
-endif(CMAKE_COMPILER_IS_MSVC)
+ target_compile_options(${target} PRIVATE /W3 /utf-8)
-if(MBEDTLS_FATAL_WARNINGS)
- if(CMAKE_COMPILER_IS_MSVC)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
- endif(CMAKE_COMPILER_IS_MSVC)
-
- if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror")
- if(UNSAFE_BUILD)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-error=cpp")
- set(CMAKE_C_FLAGS_ASAN "${CMAKE_C_FLAGS_ASAN} -Wno-error=cpp")
- set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error=cpp")
- endif(UNSAFE_BUILD)
- endif(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
-
- if (CMAKE_COMPILER_IS_IAR)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warnings_are_errors")
- endif(CMAKE_COMPILER_IS_IAR)
-endif(MBEDTLS_FATAL_WARNINGS)
+ if(MBEDTLS_FATAL_WARNINGS)
+ target_compile_options(${target} PRIVATE /WX)
+ endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_msvc_base_compile_options)
if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP)
set(CMAKE_CXX_STANDARD 11)
@@ -312,18 +337,12 @@
endif()
endif()
-if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
- if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
- endif(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
-endif(CMAKE_BUILD_TYPE STREQUAL "Coverage")
-
-if(LIB_INSTALL_DIR)
- set(CMAKE_INSTALL_LIBDIR "${LIB_INSTALL_DIR}")
-endif()
-
if (NOT EXISTS "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt")
- message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found. Run `git submodule update --init` from the source tree to fetch the submodule contents.")
+ if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.git/")
+ message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.")
+ else ()
+ message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found (and does not appear to be a git checkout). Please ensure you have downloaded the right archive from the release page on GitHub.")
+ endif()
endif()
add_subdirectory(framework)
@@ -354,6 +373,7 @@
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/drivers/*.c)
add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
+ set_base_compile_options(mbedtls_test)
if(GEN_FILES)
add_custom_command(
OUTPUT
@@ -399,6 +419,7 @@
file(GLOB MBEDTLS_TEST_HELPER_FILES
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_helpers/*.c)
add_library(mbedtls_test_helpers OBJECT ${MBEDTLS_TEST_HELPER_FILES})
+ set_base_compile_options(mbedtls_test_helpers)
target_include_directories(mbedtls_test_helpers
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
diff --git a/ChangeLog.d/9302.txt b/ChangeLog.d/9302.txt
new file mode 100644
index 0000000..d61ba19
--- /dev/null
+++ b/ChangeLog.d/9302.txt
@@ -0,0 +1,6 @@
+Features
+ * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
+ uses static storage for keys, enabling malloc-less use of key slots.
+ The size of each buffer is given by the option
+ MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
+ largest PSA key enabled in the build.
diff --git a/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt b/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt
new file mode 100644
index 0000000..69c00e1
--- /dev/null
+++ b/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt
@@ -0,0 +1,3 @@
+Changes
+ * Improve performance of PSA key generation with ECC keys: it no longer
+ computes the public key (which was immediately discarded). Fixes #9732.
diff --git a/ChangeLog.d/psa-always-on.txt b/ChangeLog.d/psa-always-on.txt
new file mode 100644
index 0000000..49edb3e
--- /dev/null
+++ b/ChangeLog.d/psa-always-on.txt
@@ -0,0 +1,9 @@
+Default behavior changes
+ * The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem
+ to perform cryptographic operations, with a few exceptions documented
+ in docs/use-psa-crypto.md. This corresponds to the behavior of
+ Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. In effect,
+ MBEDTLS_USE_PSA_CRYPTO is now always enabled.
+ * psa_crypto_init() must be called before performing any cryptographic
+ operation, including indirect requests such as parsing a key or
+ certificate or starting a TLS handshake.
diff --git a/ChangeLog.d/psa_util-bits-0.txt b/ChangeLog.d/psa_util-bits-0.txt
new file mode 100644
index 0000000..9aa70ad
--- /dev/null
+++ b/ChangeLog.d/psa_util-bits-0.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
+ mbedtls_psa_der_to_raw() is called with bits=0.
diff --git a/Makefile b/Makefile
index 71ef1be..1b480f5 100644
--- a/Makefile
+++ b/Makefile
@@ -6,11 +6,16 @@
ifeq (,$(wildcard framework/exported.make))
# Use the define keyword to get a multi-line message.
# GNU make appends ". Stop.", so tweak the ending of our message accordingly.
- define error_message
-$(MBEDTLS_PATH)/framework/exported.make not found.
-Run `git submodule update --init` to fetch the submodule contents.
+ ifeq (,$(wildcard .git))
+ define error_message
+${MBEDTLS_PATH}/framework/exported.make not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.
This is a fatal error
- endef
+ endef
+ else
+ define error_message
+${MBEDTLS_PATH}/framework/exported.make not found (and does not appear to be a git checkout). Please ensure you have downloaded the right archive from the release page on GitHub.
+ endef
+ endif
$(error $(error_message))
endif
include framework/exported.make
diff --git a/framework b/framework
index d68446c..5560984 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit d68446c9da02e536279a7aaa5a3c9850742ba30c
+Subproject commit 55609845504ce77f3714795785282456444967c8
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 20b0ed6..a710208 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -694,6 +694,11 @@
#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG"
#endif
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) && \
+ defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
+#error "MBEDTLS_PSA_KEY_STORE_DYNAMIC and MBEDTLS_PSA_STATIC_KEY_SLOTS cannot be defined simultaneously"
+#endif
+
#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
!defined(MBEDTLS_FS_IO)
#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h
index d669f4c..40ef083 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@@ -48,6 +48,20 @@
#endif
#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */
+
+/**
+ * \def MBEDTLS_USE_PSA_CRYPTO
+ *
+ * Make the X.509 and TLS libraries use PSA for cryptographic operations as
+ * much as possible, and enable new APIs for using keys handled by PSA Crypto.
+ *
+ * \note This is a legacy symbol which still exists for backward compatibility.
+ * Up to Mbed TLS 3.x, it was not enabled by default. Now it is always
+ * enabled, and it will eventually disappear from the code base. This
+ * is not part of the public API of TF-PSA-Crypto or of Mbed TLS >=4.0.
+ */
+#define MBEDTLS_USE_PSA_CRYPTO
+
/* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin
* in PSA. */
#if defined(MBEDTLS_PSA_CRYPTO_C) && \
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
new file mode 100644
index 0000000..8b7c19a
--- /dev/null
+++ b/include/mbedtls/error.h
@@ -0,0 +1,67 @@
+/**
+ * \file error.h
+ *
+ * \brief Error to string translation
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ERROR_H
+#define MBEDTLS_ERROR_H
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/error_common.h"
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Translate an Mbed TLS error code into a string representation.
+ * The result is truncated if necessary and always includes a
+ * terminating null byte.
+ *
+ * \param errnum error code
+ * \param buffer buffer to place representation in
+ * \param buflen length of the buffer
+ */
+void mbedtls_strerror(int errnum, char *buffer, size_t buflen);
+
+/**
+ * \brief Translate the high-level part of an Mbed TLS error code into a string
+ * representation.
+ *
+ * This function returns a const pointer to an un-modifiable string. The caller
+ * must not try to modify the string. It is intended to be used mostly for
+ * logging purposes.
+ *
+ * \param error_code error code
+ *
+ * \return The string representation of the error code, or \c NULL if the error
+ * code is unknown.
+ */
+const char *mbedtls_high_level_strerr(int error_code);
+
+/**
+ * \brief Translate the low-level part of an Mbed TLS error code into a string
+ * representation.
+ *
+ * This function returns a const pointer to an un-modifiable string. The caller
+ * must not try to modify the string. It is intended to be used mostly for
+ * logging purposes.
+ *
+ * \param error_code error code
+ *
+ * \return The string representation of the error code, or \c NULL if the error
+ * code is unknown.
+ */
+const char *mbedtls_low_level_strerr(int error_code);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* error.h */
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 80009c0..ba1dd42 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1928,36 +1928,6 @@
//#define MBEDTLS_THREADING_PTHREAD
/**
- * \def MBEDTLS_USE_PSA_CRYPTO
- *
- * Make the X.509 and TLS libraries use PSA for cryptographic operations as
- * much as possible, and enable new APIs for using keys handled by PSA Crypto.
- *
- * \note Development of this option is currently in progress, and parts of Mbed
- * TLS's X.509 and TLS modules are not ported to PSA yet. However, these parts
- * will still continue to work as usual, so enabling this option should not
- * break backwards compatibility.
- *
- * \warning If you enable this option, you need to call `psa_crypto_init()`
- * before calling any function from the SSL/TLS, X.509 or PK modules, except
- * for the various mbedtls_xxx_init() functions which can be called at any time.
- *
- * \note An important and desirable effect of this option is that it allows
- * PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling
- * this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in
- * those modules. However, note that even with this option disabled, some code
- * in PK, X.509, TLS or the crypto library might still use PSA drivers, if it
- * can determine it's safe to do so; currently that's the case for hashes.
- *
- * \note See docs/use-psa-crypto.md for a complete description this option.
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C.
- *
- * Uncomment this to enable internal use of PSA Crypto and new associated APIs.
- */
-//#define MBEDTLS_USE_PSA_CRYPTO
-
-/**
* \def MBEDTLS_PSA_CRYPTO_CONFIG
*
* This setting allows support for cryptographic mechanisms through the PSA
@@ -3067,6 +3037,26 @@
#define MBEDTLS_PSA_ITS_FILE_C
/**
+ * \def MBEDTLS_PSA_STATIC_KEY_SLOTS
+ *
+ * Statically preallocate memory to store keys' material in PSA instead
+ * of allocating it dynamically when required. This allows builds without a
+ * heap, if none of the enabled cryptographic implementations or other features
+ * require it.
+ * This feature affects both volatile and persistent keys which means that
+ * it's not possible to persistently store a key which is larger than
+ * #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE.
+ *
+ * \note This feature comes with a (potentially) higher RAM usage since:
+ * - All the key slots are allocated no matter if they are used or not.
+ * - Each key buffer's length is #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE bytes.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+//#define MBEDTLS_PSA_STATIC_KEY_SLOTS
+
+/**
* \def MBEDTLS_RIPEMD160_C
*
* Enable the RIPEMD-160 hash algorithm.
@@ -3867,6 +3857,19 @@
*/
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
+/**
+ * \def MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
+ *
+ * Define the size (in bytes) of each static key buffer when
+ * #MBEDTLS_PSA_STATIC_KEY_SLOTS is set. If not
+ * explicitly defined then it's automatically guessed from available PSA keys
+ * enabled in the build through PSA_WANT_xxx symbols.
+ * If required by the application this parameter can be set to higher values
+ * in order to store larger objects (ex: raw keys), but please note that this
+ * will increase RAM usage.
+ */
+//#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 256
+
/* RSA OPTIONS */
//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 /**< Minimum RSA key size that can be generated in bits (Minimum possible value is 128 bits) */
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 5cb5ec8..1e09d31 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -1,11 +1,5 @@
-# Set the project root directory if it's not already defined, as may happen if
-# the library folder is included directly by a parent project, without
-# including the top level CMakeLists.txt.
-if(NOT DEFINED MBEDTLS_DIR)
- set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
-endif()
-
set(src_x509
+ error.c
pkcs7.c
x509.c
x509_create.c
@@ -41,6 +35,26 @@
)
if(GEN_FILES)
+ find_package(Perl REQUIRED)
+
+ file(GLOB crypto_error_headers ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/*.h)
+ file(GLOB tls_error_headers ${MBEDTLS_DIR}/include/mbedtls/*.h)
+ add_custom_command(
+ OUTPUT
+ ${CMAKE_CURRENT_BINARY_DIR}/error.c
+ COMMAND
+ ${PERL_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/drivers/builtin/include/mbedtls
+ ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
+ ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
+ DEPENDS
+ ${MBEDTLS_DIR}/scripts/generate_errors.pl
+ ${crypto_error_headers}
+ ${tls_error_headers}
+ ${MBEDTLS_DIR}/scripts/data_files/error.fmt
+ )
add_custom_command(
OUTPUT
${CMAKE_CURRENT_BINARY_DIR}/version_features.c
@@ -69,16 +83,17 @@
${tls_error_headers}
)
else()
+ link_to_source(error.c)
link_to_source(version_features.c)
link_to_source(ssl_debug_helpers_generated.c)
endif()
if(CMAKE_COMPILER_IS_GNUCC)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations")
+ set(LIBS_C_FLAGS -Wmissing-declarations)
endif(CMAKE_COMPILER_IS_GNUCC)
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+ set(LIBS_C_FLAGS -Wmissing-declarations -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code)
endif(CMAKE_COMPILER_IS_CLANG)
if(CMAKE_COMPILER_IS_MSVC)
@@ -138,20 +153,28 @@
if(USE_STATIC_MBEDTLS_LIBRARY)
add_library(${mbedx509_static_target} STATIC ${src_x509})
+ set_base_compile_options(${mbedx509_static_target})
+ target_compile_options(${mbedx509_static_target} PRIVATE ${LIBS_C_FLAGS})
set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
target_link_libraries(${mbedx509_static_target} PUBLIC ${libs} ${mbedcrypto_static_target})
add_library(${mbedtls_static_target} STATIC ${src_tls})
+ set_base_compile_options(${mbedtls_static_target})
+ target_compile_options(${mbedtls_static_target} PRIVATE ${LIBS_C_FLAGS})
set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls)
target_link_libraries(${mbedtls_static_target} PUBLIC ${libs} ${mbedx509_static_target})
endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(${mbedx509_target} SHARED ${src_x509})
+ set_base_compile_options(${mbedx509_target})
+ target_compile_options(${mbedx509_target} PRIVATE ${LIBS_C_FLAGS})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 4.0.0 SOVERSION 7)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
+ set_base_compile_options(${mbedtls_target})
+ target_compile_options(${mbedtls_target} PRIVATE ${LIBS_C_FLAGS})
set_target_properties(${mbedtls_target} PROPERTIES VERSION 4.0.0 SOVERSION 21)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)
diff --git a/library/Makefile b/library/Makefile
index e9c908e..29fd376 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -6,7 +6,7 @@
TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src
GENERATED_FILES := \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c \
+ error.c \
version_features.c \
ssl_debug_helpers_generated.c \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
@@ -148,7 +148,6 @@
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves_new.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy_poll.o \
- $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/gcm.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hkdf.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hmac_drbg.o \
@@ -206,6 +205,7 @@
x509write_crt.o \
x509write_csr.o \
pkcs7.o \
+ error.o \
# This line is intentionally left blank
OBJS_TLS= \
@@ -346,6 +346,10 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $<
+.c.s:
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -S -o $@ -c $<
+
.PHONY: generated_files
generated_files: $(GENERATED_FILES)
@@ -357,10 +361,10 @@
gen_file_dep = |
endif
-$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) ../scripts/generate_errors.pl
-$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
-$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
-$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c:
+error.c: $(gen_file_dep) ../scripts/generate_errors.pl
+error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
+error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
+error.c:
echo " Gen $@"
$(PERL) ../scripts/generate_errors.pl
@@ -396,10 +400,11 @@
clean:
ifndef WINDOWS
- rm -f *.o libmbed*
- rm -f $(OBJS_CRYPTO)
+ rm -f *.o *.s libmbed*
+ rm -f $(OBJS_CRYPTO) $(OBJS_CRYPTO:.o=.s)
else
if exist *.o del /Q /F *.o
+ if exist *.s del /Q /F *.s
if exist libmbed* del /Q /F libmbed*
del /Q /F del_errors_out_if_the_file_list_is_empty_but_not_if_a_file_does_not_exist $(subst /,\,$(OBJS_CRYPTO))
endif
diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt
index 4d4c890..b6dde71 100644
--- a/programs/aes/CMakeLists.txt
+++ b/programs/aes/CMakeLists.txt
@@ -5,6 +5,7 @@
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt
index effaf8a..7d4e452 100644
--- a/programs/cipher/CMakeLists.txt
+++ b/programs/cipher/CMakeLists.txt
@@ -5,6 +5,7 @@
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt
index f5358ff..44fff9a 100644
--- a/programs/fuzz/CMakeLists.txt
+++ b/programs/fuzz/CMakeLists.txt
@@ -40,6 +40,7 @@
endif()
add_executable(${exe} ${exe_sources})
+ set_base_compile_options(${exe})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
if (NOT FUZZINGENGINE_LIB)
diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt
index 0ad974d..c27c4e7 100644
--- a/programs/hash/CMakeLists.txt
+++ b/programs/hash/CMakeLists.txt
@@ -7,6 +7,7 @@
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt
index defbe28..9caec87 100644
--- a/programs/pkey/CMakeLists.txt
+++ b/programs/pkey/CMakeLists.txt
@@ -6,6 +6,7 @@
foreach(exe IN LISTS executables_mbedtls)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
@@ -34,6 +35,7 @@
foreach(exe IN LISTS executables_mbedcrypto)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index 83d7b71..da7d262 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -453,8 +453,9 @@
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
#ifdef MBEDTLS_ERROR_C
- mbedtls_strerror(ret, buf, sizeof(buf));
- mbedtls_printf(" - %s\n", buf);
+ mbedtls_printf("Error code: %d", ret);
+ /* mbedtls_strerror(ret, buf, sizeof(buf));
+ mbedtls_printf(" - %s\n", buf); */
#else
mbedtls_printf("\n");
#endif
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index e3a6966..5ccb063 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -347,8 +347,9 @@
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
- mbedtls_strerror(ret, buf, sizeof(buf));
- mbedtls_printf(" ! Last error was: %s\n", buf);
+ mbedtls_printf("Error code: %d", ret);
+ /* mbedtls_strerror(ret, buf, sizeof(buf));
+ mbedtls_printf(" ! Last error was: %s\n", buf); */
}
#endif
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index 60f992e..a460b18 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -469,8 +469,9 @@
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
#ifdef MBEDTLS_ERROR_C
- mbedtls_strerror(ret, buf, sizeof(buf));
- mbedtls_printf(" - %s\n", buf);
+ mbedtls_printf("Error code: %d", ret);
+ /* mbedtls_strerror(ret, buf, sizeof(buf));
+ mbedtls_printf(" - %s\n", buf); */
#else
mbedtls_printf("\n");
#endif
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index b8f7943..025f69c 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -142,8 +142,9 @@
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
- mbedtls_strerror(ret, (char *) buf, sizeof(buf));
- mbedtls_printf(" ! Last error was: %s\n", buf);
+ mbedtls_printf("Error code: %d", ret);
+ /* mbedtls_strerror(ret, (char *) buf, sizeof(buf));
+ mbedtls_printf(" ! Last error was: %s\n", buf); */
}
#endif
diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c
index a916bc6..9ada67d 100644
--- a/programs/pkey/pk_encrypt.c
+++ b/programs/pkey/pk_encrypt.c
@@ -143,8 +143,9 @@
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
- mbedtls_strerror(ret, (char *) buf, sizeof(buf));
- mbedtls_printf(" ! Last error was: %s\n", buf);
+ mbedtls_printf("Error code: %d", ret);
+ /* mbedtls_strerror(ret, (char *) buf, sizeof(buf));
+ mbedtls_printf(" ! Last error was: %s\n", buf); */
}
#endif
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index d48911c..b8f06c4 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -143,8 +143,9 @@
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
- mbedtls_strerror(ret, (char *) buf, sizeof(buf));
- mbedtls_printf(" ! Last error was: %s\n", buf);
+ mbedtls_printf("Error code: %d", ret);
+ /* mbedtls_strerror(ret, (char *) buf, sizeof(buf));
+ mbedtls_printf(" ! Last error was: %s\n", buf); */
}
#endif
diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c
index b4e84c3..063abd7 100644
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -117,8 +117,9 @@
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {
- mbedtls_strerror(ret, (char *) buf, sizeof(buf));
- mbedtls_printf(" ! Last error was: %s\n", buf);
+ mbedtls_printf("Error code: %d", ret);
+ /* mbedtls_strerror(ret, (char *) buf, sizeof(buf));
+ mbedtls_printf(" ! Last error was: %s\n", buf); */
}
#endif
diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt
index cfc983c..707de43 100644
--- a/programs/psa/CMakeLists.txt
+++ b/programs/psa/CMakeLists.txt
@@ -29,6 +29,7 @@
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c
index 2734ceb..0ea434f 100644
--- a/programs/psa/key_ladder_demo.c
+++ b/programs/psa/key_ladder_demo.c
@@ -392,6 +392,7 @@
input_file = NULL;
/* Construct a header. */
+ memset(&header, 0, sizeof(header));
memcpy(&header.magic, WRAPPED_DATA_MAGIC, WRAPPED_DATA_MAGIC_LENGTH);
header.ad_size = sizeof(header);
header.payload_size = input_size;
diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt
index f0c7825..a83bf9e 100644
--- a/programs/random/CMakeLists.txt
+++ b/programs/random/CMakeLists.txt
@@ -6,6 +6,7 @@
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt
index 02010d8..6919a8e 100644
--- a/programs/ssl/CMakeLists.txt
+++ b/programs/ssl/CMakeLists.txt
@@ -40,6 +40,7 @@
endif()
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
${extra_sources})
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
if(exe STREQUAL "ssl_client2" OR exe STREQUAL "ssl_server2")
@@ -53,6 +54,7 @@
if(THREADS_FOUND)
add_executable(ssl_pthread_server ssl_pthread_server.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(ssl_pthread_server)
target_include_directories(ssl_pthread_server PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
target_link_libraries(ssl_pthread_server ${libs} ${CMAKE_THREAD_LIBS_INIT})
list(APPEND executables ssl_pthread_server)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index b0ecfd0..f009a31 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -108,7 +108,7 @@
#define DFL_SRTP_MKI ""
#define DFL_KEY_OPAQUE_ALG "none"
-#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
+#define GET_REQUEST "GET %s HTTP/1.0\r\nHost: %s\r\nExtra-header: "
#define GET_REQUEST_END "\r\n\r\n"
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
@@ -724,7 +724,7 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len, tail_len, request_size;
- ret = mbedtls_snprintf((char *) buf, buf_size, GET_REQUEST, opt.request_page);
+ ret = mbedtls_snprintf((char *) buf, buf_size, GET_REQUEST, opt.request_page, opt.server_name);
if (ret < 0) {
return ret;
}
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 9b36507..1bd18c1 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -357,8 +357,6 @@
goto exit;
}
- exit_code = MBEDTLS_EXIT_SUCCESS;
-
exit:
mbedtls_net_free(&client_fd);
mbedtls_net_free(&listen_fd);
diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
index 928ab49..83bc9bf 100644
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@@ -29,6 +29,7 @@
WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
)
add_executable(cpp_dummy_build "${cpp_dummy_build_cpp}")
+ set_base_compile_options(cpp_dummy_build)
target_include_directories(cpp_dummy_build
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include
@@ -39,6 +40,7 @@
if(USE_SHARED_MBEDTLS_LIBRARY AND
NOT ${CMAKE_SYSTEM_NAME} MATCHES "[Ww][Ii][Nn]")
add_executable(dlopen "dlopen.c")
+ set_base_compile_options(dlopen)
target_include_directories(dlopen
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include
@@ -82,6 +84,7 @@
endif()
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
${extra_sources})
+ set_base_compile_options(${exe})
target_include_directories(${exe}
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
target_include_directories(${exe}
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index 93c1729..36ac022 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -117,8 +117,9 @@
#if defined(MBEDTLS_ERROR_C)
#define PRINT_ERROR \
- mbedtls_strerror(ret, (char *) tmp, sizeof(tmp)); \
- mbedtls_printf("FAILED: %s\n", tmp);
+ mbedtls_printf("Error code: %d", ret);
+/* mbedtls_strerror(ret, (char *) tmp, sizeof(tmp)); \
+ mbedtls_printf("FAILED: %s\n", tmp); */
#else
#define PRINT_ERROR \
mbedtls_printf("FAILED: -0x%04x\n", (unsigned int) -ret);
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index 7213f8a..43d2e8c 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -938,8 +938,6 @@
}
- exit_code = MBEDTLS_EXIT_SUCCESS;
-
exit:
#ifdef MBEDTLS_ERROR_C
diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt
index 264d941..ac713dc 100644
--- a/programs/util/CMakeLists.txt
+++ b/programs/util/CMakeLists.txt
@@ -1,5 +1,6 @@
set(libs
${mbedcrypto_target}
+ ${mbedx509_target}
)
set(executables
@@ -10,6 +11,7 @@
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt
index a09813c..a31bada 100644
--- a/programs/x509/CMakeLists.txt
+++ b/programs/x509/CMakeLists.txt
@@ -14,6 +14,7 @@
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(${exe})
target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
endforeach()
diff --git a/scripts/config.py b/scripts/config.py
index beeb5e2..69ee3ef 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -110,6 +110,8 @@
'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
'MBEDTLS_X509_REMOVE_INFO', # removes a feature
+ 'MBEDTLS_PSA_STATIC_KEY_SLOTS', # only relevant for embedded devices
+ 'MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE', # only relevant for embedded devices
*PSA_UNSUPPORTED_FEATURE,
*PSA_DEPRECATED_FEATURE,
*PSA_UNSTABLE_FEATURE
@@ -218,6 +220,8 @@
'MBEDTLS_DEBUG_C', # part of libmbedtls
'MBEDTLS_NET_C', # part of libmbedtls
'MBEDTLS_PKCS7_C', # part of libmbedx509
+ 'MBEDTLS_ERROR_C', # part of libmbedx509
+ 'MBEDTLS_ERROR_STRERROR_DUMMY', # part of libmbedx509
]:
return False
if name in EXCLUDE_FROM_CRYPTO:
diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt
index 781e72a..b75a9ab 100644
--- a/scripts/data_files/error.fmt
+++ b/scripts/data_files/error.fmt
@@ -152,8 +152,4 @@
#endif /* MBEDTLS_ERROR_C */
-#if defined(MBEDTLS_TEST_HOOKS)
-void (*mbedtls_test_hook_error_add)(int, int, const char *, int);
-#endif
-
#endif /* MBEDTLS_ERROR_C || MBEDTLS_ERROR_STRERROR_DUMMY */
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index df546d7..c051842 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -24,7 +24,7 @@
$crypto_include_dir = 'tf-psa-crypto/drivers/builtin/include/mbedtls';
$tls_include_dir = 'include/mbedtls';
$data_dir = 'scripts/data_files';
- $error_file = 'tf-psa-crypto/drivers/builtin/src/error.c';
+ $error_file = 'library/error.c';
unless( -d $crypto_include_dir && -d $tls_include_dir && -d $data_dir ) {
chdir '..' or die;
@@ -91,6 +91,7 @@
if ($found) {
my $include_name = $file;
$include_name =~ s!.*/!!;
+ $include_name = "error.h" if ($include_name eq "error_common.h");
push @necessary_include_files, $include_name;
}
}
diff --git a/scripts/lcov.sh b/scripts/lcov.sh
index 2d2f42b..79c5c9f 100755
--- a/scripts/lcov.sh
+++ b/scripts/lcov.sh
@@ -51,8 +51,8 @@
# Ubuntu 16.04 is affected, 18.04 and above are not.
# https://github.com/linux-test-project/lcov/commit/632c25a0d1f5e4d2f4fd5b28ce7c8b86d388c91f
COVTMP=$PWD/Coverage/tmp
- lcov --capture --initial --directory $library_dir -o "$COVTMP/files.info"
- lcov --rc lcov_branch_coverage=1 --capture --directory $library_dir -o "$COVTMP/tests.info"
+ lcov --capture --initial ${lcov_dirs} -o "$COVTMP/files.info"
+ lcov --rc lcov_branch_coverage=1 --capture ${lcov_dirs} -o "$COVTMP/tests.info"
lcov --rc lcov_branch_coverage=1 --add-tracefile "$COVTMP/files.info" --add-tracefile "$COVTMP/tests.info" -o "$COVTMP/all.info"
lcov --rc lcov_branch_coverage=1 --remove "$COVTMP/all.info" -o "$COVTMP/final.info" '*.h'
gendesc tests/Descriptions.txt -o "$COVTMP/descriptions"
@@ -64,9 +64,13 @@
# Reset the traces to 0.
lcov_reset_traces () {
# Location with plain make
- rm -f $library_dir/*.gcda
+ for dir in ${library_dirs}; do
+ rm -f ${dir}/*.gcda
+ done
# Location with CMake
- rm -f $library_dir/CMakeFiles/*.dir/*.gcda
+ for dir in ${library_dirs}; do
+ rm -f ${dir}/CMakeFiles/*.dir/*.gcda
+ done
}
if [ $# -gt 0 ] && [ "$1" = "--help" ]; then
@@ -75,13 +79,18 @@
fi
if in_mbedtls_repo; then
- library_dir='library'
+ library_dirs='library tf-psa-crypto/core tf-psa-crypto/drivers/builtin'
title='Mbed TLS'
else
- library_dir='core'
+ library_dirs='core drivers/builtin'
title='TF-PSA-Crypto'
fi
+lcov_dirs=""
+for dir in ${library_dirs}; do
+ lcov_dirs="${lcov_dirs} --directory ${dir}"
+done
+
main=lcov_library_report
while getopts r OPTLET; do
case $OPTLET in
diff --git a/scripts/output_env.sh b/scripts/output_env.sh
index b056ffd..32f1f86 100755
--- a/scripts/output_env.sh
+++ b/scripts/output_env.sh
@@ -78,10 +78,6 @@
echo
if [ "${RUN_ARMCC:-1}" -ne 0 ]; then
- : "${ARMC5_CC:=armcc}"
- print_version "$ARMC5_CC" "--vsn" "" "head -n 2"
- echo
-
: "${ARMC6_CC:=armclang}"
print_version "$ARMC6_CC" "--vsn" "" "head -n 2"
echo
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 4e90bff..8318e8b 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -3,13 +3,6 @@
${CMAKE_THREAD_LIBS_INIT}
)
-# Set the project root directory if it's not already defined, as may happen if
-# the tests folder is included directly by a parent project, without including
-# the top level CMakeLists.txt.
-if(NOT DEFINED MBEDTLS_DIR)
- set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
-endif()
-
if(NOT MBEDTLS_PYTHON_EXECUTABLE)
message(FATAL_ERROR "Cannot build test suites without Python 3")
endif()
@@ -163,6 +156,8 @@
add_executable(test_suite_${data_name} test_suite_${data_name}.c
$<TARGET_OBJECTS:mbedtls_test>
$<TARGET_OBJECTS:mbedtls_test_helpers>)
+ set_base_compile_options(test_suite_${data_name})
+ target_compile_options(test_suite_${data_name} PRIVATE ${TEST_C_FLAGS})
add_dependencies(test_suite_${data_name} ${dependency})
target_link_libraries(test_suite_${data_name} ${libs})
# Include test-specific header files from ./include and private header
@@ -190,13 +185,12 @@
add_definitions("-D_POSIX_C_SOURCE=200809L")
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+ set(TEST_C_FLAGS -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code)
endif(CMAKE_COMPILER_IS_CLANG)
if(MSVC)
# If a warning level has been defined, suppress all warnings for test code
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W0")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX-")
+ set(TEST_C_FLAGS /W0 /WX-)
endif(MSVC)
file(GLOB test_suites RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" suites/*.data)
diff --git a/tests/include/test/psa_crypto_helpers.h b/tests/include/test/psa_crypto_helpers.h
index 30f2e0f..9c83af6 100644
--- a/tests/include/test/psa_crypto_helpers.h
+++ b/tests/include/test/psa_crypto_helpers.h
@@ -11,7 +11,8 @@
#include "test/helpers.h"
-#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#if (MBEDTLS_VERSION_MAJOR < 4 && defined(MBEDTLS_PSA_CRYPTO_C)) || \
+ (MBEDTLS_VERSION_MAJOR >= 4 && defined(MBEDTLS_PSA_CRYPTO_CLIENT))
#include "test/psa_helpers.h"
#include <psa/crypto.h>
#endif
@@ -40,7 +41,7 @@
mbedtls_psa_crypto_free(); \
} \
while (0)
-#elif defined(MBEDTLS_PSA_CRYPTO_CLIENT) /* MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
+#elif MBEDTLS_VERSION_MAJOR >= 4 && defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#define PSA_INIT() PSA_ASSERT(psa_crypto_init())
#define PSA_DONE() mbedtls_psa_crypto_free();
#else /* MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
@@ -48,7 +49,8 @@
#define PSA_DONE() ((void) 0)
#endif /* MBEDTLS_PSA_CRYPTO_C */
-#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#if (MBEDTLS_VERSION_MAJOR < 4 && defined(MBEDTLS_PSA_CRYPTO_C)) || \
+ (MBEDTLS_VERSION_MAJOR >= 4 && defined(MBEDTLS_PSA_CRYPTO_CLIENT))
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
@@ -253,16 +255,18 @@
* \param key_type Key type
* \param key_bits Key length in number of bits.
*/
-#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
-#define MBEDTLS_TEST_HAVE_ALT_AES 1
+#if defined(MBEDTLS_AES_ALT) || \
+ defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \
+ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
+#define MBEDTLS_TEST_HAVE_ACCEL_AES 1
#else
-#define MBEDTLS_TEST_HAVE_ALT_AES 0
+#define MBEDTLS_TEST_HAVE_ACCEL_AES 0
#endif
#define MBEDTLS_TEST_PSA_SKIP_IF_ALT_AES_192(key_type, key_bits) \
do \
{ \
- if ((MBEDTLS_TEST_HAVE_ALT_AES) && \
+ if ((MBEDTLS_TEST_HAVE_ACCEL_AES) && \
((key_type) == PSA_KEY_TYPE_AES) && \
(key_bits == 192)) \
{ \
@@ -295,7 +299,8 @@
* \param nonce_length The nonce length in number of bytes.
*/
-#if defined(MBEDTLS_PSA_ACCEL_ALG_GCM)
+#if defined(MBEDTLS_GCM_ALT) || \
+ defined(MBEDTLS_PSA_ACCEL_ALG_GCM)
#define MBEDTLS_TEST_HAVE_ACCEL_GCM 1
#else
#define MBEDTLS_TEST_HAVE_ACCEL_GCM 0
@@ -316,7 +321,22 @@
} \
while (0)
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT || MBEDTLS_PSA_CRYPTO_C */
+
+#if MBEDTLS_VERSION_MAJOR >= 4
+/* Legacy PSA_INIT() / PSA_DONE() variants from 3.6 */
+#define USE_PSA_INIT() PSA_INIT()
+#define USE_PSA_DONE() PSA_DONE()
+#define MD_PSA_INIT() PSA_INIT()
+#define MD_PSA_DONE() PSA_DONE()
+#define BLOCK_CIPHER_PSA_INIT() PSA_INIT()
+#define BLOCK_CIPHER_PSA_DONE() PSA_DONE()
+#define MD_OR_USE_PSA_INIT() PSA_INIT()
+#define MD_OR_USE_PSA_DONE() PSA_DONE()
+#define AES_PSA_INIT() PSA_INIT()
+#define AES_PSA_DONE() PSA_DONE()
+
+#else /* MBEDTLS_VERSION_MAJOR < 4 */
/** \def USE_PSA_INIT
*
@@ -335,9 +355,18 @@
* This is like #PSA_DONE except it does nothing under the same conditions as
* #USE_PSA_INIT.
*/
-#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define USE_PSA_INIT() PSA_INIT()
#define USE_PSA_DONE() PSA_DONE()
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* TLS 1.3 must work without having called psa_crypto_init(), for backward
+ * compatibility with Mbed TLS <= 3.5 when connecting with a peer that
+ * supports both TLS 1.2 and TLS 1.3. See mbedtls_ssl_tls13_crypto_init()
+ * and https://github.com/Mbed-TLS/mbedtls/issues/9072 . */
+#define USE_PSA_INIT() ((void) 0)
+/* TLS 1.3 may have initialized the PSA subsystem. Shut it down cleanly,
+ * otherwise Asan and Valgrind would notice a resource leak. */
+#define USE_PSA_DONE() PSA_DONE()
#else /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
/* Define empty macros so that we can use them in the preamble and teardown
* of every test function that uses PSA conditionally based on
@@ -409,13 +438,12 @@
* This is like #PSA_DONE except it does nothing under the same conditions as
* #MD_OR_USE_PSA_INIT.
*/
-#if defined(MBEDTLS_MD_SOME_PSA) || \
- defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_MD_SOME_PSA)
#define MD_OR_USE_PSA_INIT() PSA_INIT()
#define MD_OR_USE_PSA_DONE() PSA_DONE()
#else
-#define MD_OR_USE_PSA_INIT() ((void) 0)
-#define MD_OR_USE_PSA_DONE() ((void) 0)
+#define MD_OR_USE_PSA_INIT() USE_PSA_INIT()
+#define MD_OR_USE_PSA_DONE() USE_PSA_DONE()
#endif
/** \def AES_PSA_INIT
@@ -441,6 +469,8 @@
#define AES_PSA_DONE() ((void) 0)
#endif /* MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_VERSION_MAJOR >= 4 */
+
#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
@@ -461,4 +491,43 @@
#define MBEDTLS_TEST_PSA_INTERNAL_KEYS \
MBEDTLS_TEST_PSA_INTERNAL_KEYS_FOR_DRBG
+/* A couple of helper macros to verify if MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE is
+ * large enough to contain an RSA key pair of the given size. This is meant to be
+ * used in test cases where MBEDTLS_PSA_STATIC_KEY_SLOTS is enabled. */
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+#if (MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE >= PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(4096))
+#define MBEDTLS_TEST_STATIC_KEY_SLOTS_SUPPORT_RSA_4096
+#endif
+
+#if (MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE >= PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(2048))
+#define MBEDTLS_TEST_STATIC_KEY_SLOTS_SUPPORT_RSA_2048
+#endif
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+/* Helper macro to get the size of the each key slot buffer. */
+#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
+#define MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
+#else
+#define MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE SIZE_MAX
+#endif
+
+/* Helper macro for the PK module to check whether MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
+ * is large enough to contain 4096-bit RSA key pairs. Of course this check is only
+ * necessary if PK relies on PSA (i.e. MBEDTLS_USE_PSA_CRYPTO) to store and manage
+ * the key. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+
+#if !defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) || \
+ defined(MBEDTLS_TEST_STATIC_KEY_SLOTS_SUPPORT_RSA_4096)
+#define MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
+#endif
+
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+#define MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
#endif /* PSA_CRYPTO_HELPERS_H */
diff --git a/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c b/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c
index b2ed070..a88fc51 100644
--- a/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c
+++ b/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c
@@ -21,6 +21,10 @@
#error "Error: MBEDTLS_PSA_CRYPTO_C must be enabled on server build"
#endif
+#if defined(MBEDTLS_TEST_HOOKS)
+void (*mbedtls_test_hook_error_add)(int, int, const char *, int);
+#endif
+
// Returns 1 for success, 0 for failure
int psa_crypto_init_wrapper(
uint8_t *in_params, size_t in_params_len,
diff --git a/tests/scripts/all-core.sh b/tests/scripts/all-core.sh
index a660a65..5cb1da8 100644
--- a/tests/scripts/all-core.sh
+++ b/tests/scripts/all-core.sh
@@ -51,7 +51,7 @@
# * GCC and Clang (recent enough for using ASan with gcc and MemSan with clang, or valgrind)
# * G++
# * arm-gcc and mingw-gcc
-# * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
+# * ArmCC 6 (aka armclang), unless invoked with --no-armcc
# * OpenSSL and GnuTLS command line tools, in suitable versions for the
# interoperability tests. The following are the official versions at the
# time of writing:
@@ -226,10 +226,11 @@
: ${GNUTLS_CLI:="gnutls-cli"}
: ${GNUTLS_SERV:="gnutls-serv"}
: ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
- : ${ARMC5_BIN_DIR:=/usr/bin}
: ${ARMC6_BIN_DIR:=/usr/bin}
: ${ARM_NONE_EABI_GCC_PREFIX:=arm-none-eabi-}
: ${ARM_LINUX_GNUEABI_GCC_PREFIX:=arm-linux-gnueabi-}
+ : ${ARM_LINUX_GNUEABIHF_GCC_PREFIX:=arm-linux-gnueabihf-}
+ : ${AARCH64_LINUX_GNU_GCC_PREFIX:=aarch64-linux-gnu-}
: ${CLANG_LATEST:="clang-latest"}
: ${CLANG_EARLIEST:="clang-earliest"}
: ${GCC_LATEST:="gcc-latest"}
@@ -326,6 +327,12 @@
--arm-linux-gnueabi-gcc-prefix=<string>
Prefix for a cross-compiler for arm-linux-gnueabi
(default: "${ARM_LINUX_GNUEABI_GCC_PREFIX}")
+ --arm-linux-gnueabihf-gcc-prefix=<string>
+ Prefix for a cross-compiler for arm-linux-gnueabihf
+ (default: "${ARM_LINUX_GNUEABIHF_GCC_PREFIX}")
+ --aarch64-linux-gnu-gcc-prefix=<string>
+ Prefix for a cross-compiler for aarch64-linux-gnu
+ (default: "${AARCH64_LINUX_GNU_GCC_PREFIX}")
--armcc Run ARM Compiler builds (on by default).
--restore First clean up the build tree, restoring backed up
files. Do not run any components unless they are
@@ -348,7 +355,6 @@
-s|--seed Integer seed value to use for this test run.
Tool path options:
- --armc5-bin-dir=<ARMC5_bin_dir_path> ARM Compiler 5 bin directory.
--armc6-bin-dir=<ARMC6_bin_dir_path> ARM Compiler 6 bin directory.
--clang-earliest=<Clang_earliest_path> Earliest version of clang available
--clang-latest=<Clang_latest_path> Latest version of clang available
@@ -508,8 +514,9 @@
--append-outcome) append_outcome=1;;
--arm-none-eabi-gcc-prefix) shift; ARM_NONE_EABI_GCC_PREFIX="$1";;
--arm-linux-gnueabi-gcc-prefix) shift; ARM_LINUX_GNUEABI_GCC_PREFIX="$1";;
+ --arm-linux-gnueabihf-gcc-prefix) shift; ARM_LINUX_GNUEABIHF_GCC_PREFIX="$1";;
+ --aarch64-linux-gnu-gcc-prefix) shift; AARCH64_LINUX_GNU_GCC_PREFIX="$1";;
--armcc) no_armcc=;;
- --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
--armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
--clang-earliest) shift; CLANG_EARLIEST="$1";;
--clang-latest) shift; CLANG_LATEST="$1";;
@@ -800,7 +807,6 @@
echo "OPENSSL_NEXT: $OPENSSL_NEXT"
echo "GNUTLS_CLI: $GNUTLS_CLI"
echo "GNUTLS_SERV: $GNUTLS_SERV"
- echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
}
@@ -848,14 +854,10 @@
case " $RUN_COMPONENTS " in
*_armcc*)
- ARMC5_CC="$ARMC5_BIN_DIR/armcc"
- ARMC5_AR="$ARMC5_BIN_DIR/armar"
- ARMC5_FROMELF="$ARMC5_BIN_DIR/fromelf"
ARMC6_CC="$ARMC6_BIN_DIR/armclang"
ARMC6_AR="$ARMC6_BIN_DIR/armar"
ARMC6_FROMELF="$ARMC6_BIN_DIR/fromelf"
- check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC5_FROMELF" \
- "$ARMC6_CC" "$ARMC6_AR" "$ARMC6_FROMELF";;
+ check_tools "$ARMC6_CC" "$ARMC6_AR" "$ARMC6_FROMELF";;
esac
# past this point, no call to check_tool, only printing output
@@ -866,7 +868,7 @@
msg "info: output_env.sh"
case $RUN_COMPONENTS in
*_armcc*)
- set "$@" ARMC5_CC="$ARMC5_CC" ARMC6_CC="$ARMC6_CC" RUN_ARMCC=1;;
+ set "$@" ARMC6_CC="$ARMC6_CC" RUN_ARMCC=1;;
*) set "$@" RUN_ARMCC=0;;
esac
# Use a path relative to the currently-sourced file.
diff --git a/tests/scripts/all-helpers.sh b/tests/scripts/all-helpers.sh
index 0e97f39..cdb3f4e 100644
--- a/tests/scripts/all-helpers.sh
+++ b/tests/scripts/all-helpers.sh
@@ -265,3 +265,63 @@
echo 0 # report version 0 for "no clang"
fi
}
+
+gcc_version() {
+ gcc="$1"
+ if command -v "$gcc" > /dev/null ; then
+ "$gcc" --version | sed -En '1s/^[^ ]* \([^)]*\) ([0-9]+).*/\1/p'
+ else
+ echo 0 # report version 0 for "no gcc"
+ fi
+}
+
+can_run_cc_output() {
+ cc="$1"
+ result=false
+ if type "$cc" >/dev/null 2>&1; then
+ testbin=$(mktemp)
+ if echo 'int main(void){return 0;}' | "$cc" -o "$testbin" -x c -; then
+ if "$testbin" 2>/dev/null; then
+ result=true
+ fi
+ fi
+ rm -f "$testbin"
+ fi
+ $result
+}
+
+can_run_arm_linux_gnueabi=
+can_run_arm_linux_gnueabi () {
+ if [ -z "$can_run_arm_linux_gnueabi" ]; then
+ if can_run_cc_output "${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc"; then
+ can_run_arm_linux_gnueabi=true
+ else
+ can_run_arm_linux_gnueabi=false
+ fi
+ fi
+ $can_run_arm_linux_gnueabi
+}
+
+can_run_arm_linux_gnueabihf=
+can_run_arm_linux_gnueabihf () {
+ if [ -z "$can_run_arm_linux_gnueabihf" ]; then
+ if can_run_cc_output "${ARM_LINUX_GNUEABIHF_GCC_PREFIX}gcc"; then
+ can_run_arm_linux_gnueabihf=true
+ else
+ can_run_arm_linux_gnueabihf=false
+ fi
+ fi
+ $can_run_arm_linux_gnueabihf
+}
+
+can_run_aarch64_linux_gnu=
+can_run_aarch64_linux_gnu () {
+ if [ -z "$can_run_aarch64_linux_gnu" ]; then
+ if can_run_cc_output "${AARCH64_LINUX_GNU_GCC_PREFIX}gcc"; then
+ can_run_aarch64_linux_gnu=true
+ else
+ can_run_aarch64_linux_gnu=false
+ fi
+ fi
+ $can_run_aarch64_linux_gnu
+}
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 43982ce..f6f7d87 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -85,12 +85,6 @@
# TLS doesn't use restartable ECDH yet.
# https://github.com/Mbed-TLS/mbedtls/issues/7294
re.compile(r'EC restart:.*no USE_PSA.*'),
- # It seems that we don't run `ssl-opt.sh` with
- # `MBEDTLS_USE_PSA_CRYPTO` enabled but `MBEDTLS_SSL_ASYNC_PRIVATE`
- # disabled.
- # https://github.com/Mbed-TLS/mbedtls/issues/9581
- 'Opaque key for server authentication: invalid key: decrypt with ECC key, no async',
- 'Opaque key for server authentication: invalid key: ecdh with RSA key, no async',
],
'test_suite_config.mbedtls_boolean': [
# https://github.com/Mbed-TLS/mbedtls/issues/9583
@@ -140,9 +134,6 @@
# We don't test with HMAC disabled.
# https://github.com/Mbed-TLS/mbedtls/issues/9591
'Config: !PSA_WANT_ALG_HMAC',
- # We don't test with HMAC disabled.
- # https://github.com/Mbed-TLS/mbedtls/issues/9591
- 'Config: !PSA_WANT_ALG_TLS12_PRF',
# The DERIVE key type is always enabled.
'Config: !PSA_WANT_KEY_TYPE_DERIVE',
# More granularity of key pair type enablement macros
@@ -256,14 +247,6 @@
# "PSA test case generation: dependency inference class: operation fail"
# from https://github.com/Mbed-TLS/mbedtls/pull/9025 .
re.compile(r'.* with (?:DH|ECC)_(?:KEY_PAIR|PUBLIC_KEY)\(.*'),
- # We never test with TLS12_PRF or TLS12_PSK_TO_MS disabled
- # but certain other things enabled.
- # https://github.com/Mbed-TLS/mbedtls/issues/9577
- re.compile(r'PSA key_derivation TLS12_PRF\(\w+\): !TLS12_PRF'),
- re.compile(r'PSA key_derivation TLS12_PSK_TO_MS'
- r'\((?!SHA_256|SHA_384|SHA_512)\w+\): !TLS12_PSK_TO_MS'),
- 'PSA key_derivation KEY_AGREEMENT(ECDH,TLS12_PRF(SHA_256)): !TLS12_PRF',
- 'PSA key_derivation KEY_AGREEMENT(ECDH,TLS12_PRF(SHA_384)): !TLS12_PRF',
# We never test with the HMAC algorithm enabled but the HMAC
# key type disabled. Those dependencies don't really make sense.
@@ -426,6 +409,8 @@
IGNORED_SUITES = [
# Modules replaced by drivers
'ecdsa', 'ecdh', 'ecjpake',
+ # Unit tests for the built-in implementation
+ 'psa_crypto_ecp',
]
IGNORED_TESTS = {
'test_suite_config': [
@@ -466,6 +451,8 @@
IGNORED_SUITES = [
# Modules replaced by drivers
'ecp', 'ecdsa', 'ecdh', 'ecjpake',
+ # Unit tests for the built-in implementation
+ 'psa_crypto_ecp',
]
IGNORED_TESTS = {
'test_suite_config': [
@@ -506,6 +493,8 @@
'ecp', 'ecdsa', 'ecdh', 'ecjpake',
'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw',
'bignum.generated', 'bignum.misc',
+ # Unit tests for the built-in implementation
+ 'psa_crypto_ecp',
]
IGNORED_TESTS = {
'test_suite_config': [
@@ -551,6 +540,8 @@
'ecp', 'ecdsa', 'ecdh', 'ecjpake', 'dhm',
'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw',
'bignum.generated', 'bignum.misc',
+ # Unit tests for the built-in implementation
+ 'psa_crypto_ecp',
]
IGNORED_TESTS = {
'ssl-opt': [
@@ -621,6 +612,8 @@
'ecp', 'ecdsa', 'ecdh', 'ecjpake',
'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw',
'bignum.generated', 'bignum.misc',
+ # Unit tests for the built-in implementation
+ 'psa_crypto_ecp',
]
IGNORED_TESTS = {
'test_suite_config': [
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 583c26e..a224e58 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -170,7 +170,7 @@
# Additional checks for Mbed TLS only
if in_mbedtls_repo; then
- check scripts/generate_errors.pl ${builtin_drivers_dir}/error.c
+ check scripts/generate_errors.pl library/error.c
check scripts/generate_query_config.pl programs/test/query_config.c
check scripts/generate_features.pl library/version_features.c
check framework/scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh
index 5ecd029..e9bfe5c 100644
--- a/tests/scripts/components-basic-checks.sh
+++ b/tests/scripts/components-basic-checks.sh
@@ -109,6 +109,9 @@
# the test code and that's probably the most convenient way of achieving
# the test's goal.
echo "MBEDTLS_ASN1_WRITE_C" >> $expected
+ # No PSA equivalent - used in test_suite_psa_crypto to get some "known" size
+ # for raw key generation.
+ echo "MBEDTLS_CTR_DRBG_MAX_REQUEST" >> $expected
# No PSA equivalent - we should probably have one in the future.
echo "MBEDTLS_ECP_RESTARTABLE" >> $expected
# No PSA equivalent - needed by some init tests
@@ -162,4 +165,3 @@
msg "unit test: translate_ciphers.py"
python3 -m unittest framework/scripts/translate_ciphers.py 2>&1
}
-
diff --git a/tests/scripts/components-build-system.sh b/tests/scripts/components-build-system.sh
index 2c2d460..f2b74a9 100644
--- a/tests/scripts/components-build-system.sh
+++ b/tests/scripts/components-build-system.sh
@@ -115,7 +115,32 @@
make
./cmake_package
if [[ "$OSTYPE" == linux* ]]; then
- PKG_CONFIG_PATH="${build_variant_dir}/mbedtls/pkgconfig" ${root_dir}/tests/scripts/pkgconfig.sh
+ PKG_CONFIG_PATH="${build_variant_dir}/mbedtls/pkgconfig" \
+ ${root_dir}/tests/scripts/pkgconfig.sh \
+ mbedtls mbedx509 mbedcrypto
+ # These are the EXPECTED package names. Renaming these could break
+ # consumers of pkg-config, consider carefully.
+ fi
+}
+
+component_test_tf_psa_crypto_cmake_as_package () {
+ # Remove existing generated files so that we use the ones CMake
+ # generates
+ make neat
+
+ msg "build: cmake 'as-package' build"
+ root_dir="$(pwd)"
+ cd tf-psa-crypto/programs/test/cmake_package
+ build_variant_dir="$(pwd)"
+ cmake .
+ make
+ ./cmake_package
+ if [[ "$OSTYPE" == linux* ]]; then
+ PKG_CONFIG_PATH="${build_variant_dir}/tf-psa-crypto/pkgconfig" \
+ ${root_dir}/tests/scripts/pkgconfig.sh \
+ tfpsacrypto
+ # This is the EXPECTED package name. Renaming it could break consumers
+ # of pkg-config, consider carefully.
fi
}
diff --git a/tests/scripts/components-compiler.sh b/tests/scripts/components-compiler.sh
index d89bbed..5d22735 100644
--- a/tests/scripts/components-compiler.sh
+++ b/tests/scripts/components-compiler.sh
@@ -56,7 +56,7 @@
component_test_clang_earliest_opt () {
scripts/config.py full
- test_build_opt 'full config' "$CLANG_EARLIEST" -O0
+ test_build_opt 'full config' "$CLANG_EARLIEST" -O2
}
support_test_clang_earliest_opt () {
@@ -74,7 +74,7 @@
component_test_gcc_earliest_opt () {
scripts/config.py full
- test_build_opt 'full config' "$GCC_EARLIEST" -O0
+ test_build_opt 'full config' "$GCC_EARLIEST" -O2
}
support_test_gcc_earliest_opt () {
@@ -83,20 +83,20 @@
component_build_mingw () {
msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs
# note Make tests only builds the tests, but doesn't run them
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -maes -msse2 -mpclmul' WINDOWS_BUILD=1 tests
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar CFLAGS='-Werror -maes -msse2 -mpclmul' WINDOWS_BUILD=1 tests
make WINDOWS_BUILD=1 clean
msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests
make WINDOWS_BUILD=1 clean
msg "build: Windows cross build - mingw64, make (Library only, default config without MBEDTLS_AESNI_C)" # ~ 30s
./scripts/config.py unset MBEDTLS_AESNI_C #
- make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib
+ make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib
make WINDOWS_BUILD=1 clean
}
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index 68de6bb..eaa0bca 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -31,6 +31,25 @@
make test
}
+component_test_crypto_with_static_key_slots() {
+ msg "build: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS"
+ scripts/config.py crypto_full
+ scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS
+ # Intentionally set MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE to a value that
+ # is enough to contain:
+ # - all RSA public keys up to 4096 bits (max of PSA_VENDOR_RSA_MAX_KEY_BITS).
+ # - RSA key pairs up to 1024 bits, but not 2048 or larger.
+ # - all FFDH key pairs and public keys up to 8192 bits (max of PSA_VENDOR_FFDH_MAX_KEY_BITS).
+ # - all EC key pairs and public keys up to 521 bits (max of PSA_VENDOR_ECC_MAX_CURVE_BITS).
+ scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 1212
+ # Disable the fully dynamic key store (default on) since it conflicts
+ # with the static behavior that we're testing here.
+ scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC
+
+ msg "test: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS"
+ make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test
+}
+
# check_renamed_symbols HEADER LIB
# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol
# name in LIB.
@@ -56,6 +75,68 @@
check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a
}
+# The goal of this component is to build a configuration where:
+# - test code and libtestdriver1 can make use of calloc/free and
+# - core library (including PSA core) cannot use calloc/free.
+component_test_psa_crypto_without_heap() {
+ msg "crypto without heap: build libtestdriver1"
+ # Disable PSA features that cannot be accelerated and whose builtin support
+ # requires calloc/free.
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+ scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_HKDF"
+ scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_PBKDF2_"
+ scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_TLS12_"
+ # RSA key support requires ASN1 parse/write support for testing, but ASN1
+ # is disabled below.
+ scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_KEY_TYPE_RSA_"
+ scripts/config.py -f $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_RSA_"
+ # DES requires built-in support for key generation (parity check) so it
+ # cannot be accelerated
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
+ # EC-JPAKE use calloc/free in PSA core
+ scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
+
+ # Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H).
+ PSA_SYM_LIST=$(./scripts/config.py -f $CRYPTO_CONFIG_H get-all-enabled PSA_WANT)
+ loc_accel_list=$(echo $PSA_SYM_LIST | sed 's/PSA_WANT_//g')
+
+ helper_libtestdriver1_adjust_config crypto
+ helper_libtestdriver1_make_drivers "$loc_accel_list"
+
+ msg "crypto without heap: build main library"
+ # Disable all legacy MBEDTLS_xxx symbols.
+ scripts/config.py unset-all "^MBEDTLS_"
+ # Build the PSA core using the proper config file.
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_C
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ # Enable fully-static key slots in PSA core.
+ scripts/config.py set MBEDTLS_PSA_STATIC_KEY_SLOTS
+ # Prevent PSA core from creating a copy of input/output buffers.
+ scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+ # Prevent PSA core from using CTR-DRBG or HMAC-DRBG for random generation.
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+ # Set calloc/free as null pointer functions. Calling them would crash
+ # the program so we can use this as a "sentinel" for being sure no module
+ # is making use of these functions in the library.
+ scripts/config.py set MBEDTLS_PLATFORM_C
+ scripts/config.py set MBEDTLS_PLATFORM_MEMORY
+ scripts/config.py set MBEDTLS_PLATFORM_STD_CALLOC NULL
+ scripts/config.py set MBEDTLS_PLATFORM_STD_FREE NULL
+
+ helper_libtestdriver1_make_main "$loc_accel_list" lib
+
+ msg "crypto without heap: build test suites and helpers"
+ # Reset calloc/free functions to normal operations so that test code can
+ # freely use them.
+ scripts/config.py unset MBEDTLS_PLATFORM_MEMORY
+ scripts/config.py unset MBEDTLS_PLATFORM_STD_CALLOC
+ scripts/config.py unset MBEDTLS_PLATFORM_STD_FREE
+ helper_libtestdriver1_make_main "$loc_accel_list" tests
+
+ msg "crypto without heap: test"
+ make test
+}
+
component_test_no_rsa_key_pair_generation () {
msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
@@ -102,34 +183,10 @@
tests/context-info.sh
}
-component_test_no_ctr_drbg_classic () {
- msg "build: Full minus CTR_DRBG, classic crypto in TLS"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_CTR_DRBG_C
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-
- CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
- make
-
- msg "test: Full minus CTR_DRBG, classic crypto - main suites"
- make test
-
- # In this configuration, the TLS test programs use HMAC_DRBG.
- # The SSL tests are slow, so run a small subset, just enough to get
- # confidence that the SSL code copes with HMAC_DRBG.
- msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
-
- msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)"
- tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
-}
-
component_test_no_ctr_drbg_use_psa () {
msg "build: Full minus CTR_DRBG, PSA crypto in TLS"
scripts/config.py full
scripts/config.py unset MBEDTLS_CTR_DRBG_C
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
@@ -147,40 +204,11 @@
tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL
}
-component_test_no_hmac_drbg_classic () {
- msg "build: Full minus HMAC_DRBG, classic crypto in TLS"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_HMAC_DRBG_C
- scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-
- CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
- make
-
- msg "test: Full minus HMAC_DRBG, classic crypto - main suites"
- make test
-
- # Normally our ECDSA implementation uses deterministic ECDSA. But since
- # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
- # instead.
- # Test SSL with non-deterministic ECDSA. Only test features that
- # might be affected by how ECDSA signature is performed.
- msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
-
- # To save time, only test one protocol version, since this part of
- # the protocol is identical in (D)TLS up to 1.2.
- msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)"
- tests/compat.sh -m tls12 -t 'ECDSA'
-}
-
component_test_no_hmac_drbg_use_psa () {
msg "build: Full minus HMAC_DRBG, PSA crypto in TLS"
scripts/config.py full
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
@@ -202,30 +230,6 @@
tests/compat.sh -m tls12 -t 'ECDSA'
}
-component_test_psa_external_rng_no_drbg_classic () {
- msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
- scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
- scripts/config.py unset MBEDTLS_ENTROPY_C
- scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
- scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
- scripts/config.py unset MBEDTLS_CTR_DRBG_C
- scripts/config.py unset MBEDTLS_HMAC_DRBG_C
- scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
- # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
- # the SSL test programs don't have an RNG and can't work. Explicitly
- # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
- make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
-
- msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
- make test
-
- msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)"
- tests/ssl-opt.sh -f 'Default'
-}
-
component_test_psa_external_rng_no_drbg_use_psa () {
msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS"
scripts/config.py full
@@ -249,7 +253,6 @@
msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_CTR_DRBG_C
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@@ -650,8 +653,6 @@
# Start from default config + TLS 1.3
helper_libtestdriver1_adjust_config "default"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
-
# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
@@ -1422,12 +1423,6 @@
echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H"
cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H"
- # Other config adjustment to make the tests pass.
- # This should probably be adopted upstream.
- #
- # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS
- echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H"
-
# Config adjustment for better test coverage in our environment.
# This is not needed just to build and pass tests.
#
@@ -1495,17 +1490,17 @@
# - component_test_psa_ecc_key_pair_no_generate
# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols
# enabled, but one. Input arguments are as follows:
-# - $1 is the key type under test, i.e. ECC/RSA/DH
-# - $2 is the key option to be unset (i.e. generate, derive, etc)
+# - $1 is the configuration to start from
+# - $2 is the key type under test, i.e. ECC/RSA/DH
+# - $3 is the key option to be unset (i.e. generate, derive, etc)
build_and_test_psa_want_key_pair_partial () {
- key_type=$1
- unset_option=$2
+ base_config=$1
+ key_type=$2
+ unset_option=$3
disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}"
- msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
- scripts/config.py full
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
+ msg "build: $base_config - ${disabled_psa_want}"
+ scripts/config.py "$base_config"
# All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in
# crypto_config.h so we just disable the one we don't want.
@@ -1513,16 +1508,20 @@
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
- msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
+ msg "test: $base_config - ${disabled_psa_want}"
make test
}
component_test_psa_ecc_key_pair_no_derive () {
- build_and_test_psa_want_key_pair_partial "ECC" "DERIVE"
+ build_and_test_psa_want_key_pair_partial full "ECC" "DERIVE"
}
component_test_psa_ecc_key_pair_no_generate () {
- build_and_test_psa_want_key_pair_partial "ECC" "GENERATE"
+ # TLS needs ECC key generation whenever ephemeral ECDH is enabled.
+ # We don't have proper guards for configurations with ECC key generation
+ # disabled (https://github.com/Mbed-TLS/mbedtls/issues/9481). Until
+ # then (if ever), just test the crypto part of the library.
+ build_and_test_psa_want_key_pair_partial crypto_full "ECC" "GENERATE"
}
config_psa_crypto_accel_rsa () {
@@ -1887,7 +1886,7 @@
helper_libtestdriver1_make_main "$loc_accel_list"
# Make sure this was not re-enabled by accident (additive config)
- not grep mbedtls_des* ${BUILTIN_SRC_PATH}/des.o
+ not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o
# Run the tests
# -------------
@@ -2713,5 +2712,3 @@
msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s
make test
}
-
-
diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh
index b8834d6..077d0a0 100644
--- a/tests/scripts/components-configuration-tls.sh
+++ b/tests/scripts/components-configuration-tls.sh
@@ -57,7 +57,6 @@
component_test_tls1_2_default_stream_cipher_only () {
msg "build: default with only stream cipher use psa"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
@@ -95,7 +94,6 @@
component_test_tls1_2_default_cbc_legacy_cipher_only () {
msg "build: default with only CBC-legacy cipher use psa"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
@@ -130,7 +128,6 @@
component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
@@ -184,39 +181,6 @@
tests/ssl-opt.sh -f 'ECJPAKE.*nolog'
}
-# We're not aware of any other (open source) implementation of EC J-PAKE in TLS
-# that we could use for interop testing. However, we now have sort of two
-# implementations ourselves: one using PSA, the other not. At least test that
-# these two interoperate with each other.
-component_test_tls1_2_ecjpake_compatibility () {
- msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA"
- scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
- # Explicitly make lib first to avoid a race condition:
- # https://github.com/Mbed-TLS/mbedtls/issues/8229
- make lib
- make -C programs ssl/ssl_server2 ssl/ssl_client2
- cp programs/ssl/ssl_server2 s2_no_use_psa
- cp programs/ssl/ssl_client2 c2_no_use_psa
-
- msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA"
- scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
- make clean
- make lib
- make -C programs ssl/ssl_server2 ssl/ssl_client2
- make -C programs test/udp_proxy test/query_compile_time_config
-
- msg "test: server w/o USE_PSA - client w/ USE_PSA, text password"
- P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
- msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password"
- P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS"
- msg "test: client w/o USE_PSA - server w/ USE_PSA, text password"
- P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
- msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password"
- P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS"
-
- rm s2_no_use_psa c2_no_use_psa
-}
-
component_test_tls1_2_ccm_psk () {
msg "build: configs/config-ccm-psk-tls1_2.h"
cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H"
diff --git a/tests/scripts/components-platform.sh b/tests/scripts/components-platform.sh
index fd858a7..abae283 100644
--- a/tests/scripts/components-platform.sh
+++ b/tests/scripts/components-platform.sh
@@ -222,49 +222,53 @@
scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+ msg "clang, test aarch64 crypto instructions built"
+ grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+ msg "clang, test A32 crypto instructions built"
+ grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
-
- scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
-
- msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
-
- msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
-
- msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
-
- # test for presence of AES instructions
- scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
- msg "clang, test A32 crypto instructions built"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
- grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
msg "clang, test T32 crypto instructions built"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
- grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
- msg "clang, test aarch64 crypto instructions built"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
- grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+ grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
- # test for absence of AES instructions
scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
+
+ msg "MBEDTLS_AES_USE_both, clang, aarch64"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+ msg "clang, test aarch64 crypto instructions built"
+ grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
+
+ msg "MBEDTLS_AES_USE_both, clang, arm"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+ msg "clang, test A32 crypto instructions built"
+ grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
+
+ msg "MBEDTLS_AES_USE_both, clang, thumb"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+ msg "clang, test T32 crypto instructions built"
+ grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
+
scripts/config.py unset MBEDTLS_AESCE_C
- msg "clang, test A32 crypto instructions not built"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
- not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
- msg "clang, test T32 crypto instructions not built"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
- not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+
+ msg "no MBEDTLS_AESCE_C, clang, aarch64"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
msg "clang, test aarch64 crypto instructions not built"
- make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
- not grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
+ not grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
+
+ msg "no MBEDTLS_AESCE_C, clang, arm"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72 -marm"
+ msg "clang, test A32 crypto instructions not built"
+ not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
+
+ msg "no MBEDTLS_AESCE_C, clang, thumb"
+ make -B library/../${BUILTIN_SRC_PATH}/aesce.o library/../${BUILTIN_SRC_PATH}/aesce.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32 -mthumb"
+ msg "clang, test T32 crypto instructions not built"
+ not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.s
}
support_build_sha_armce () {
@@ -275,67 +279,171 @@
component_build_sha_armce () {
scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
-
# Test variations of SHA256 Armv8 crypto extensions
scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+ msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, test aarch64 crypto instructions built"
+ grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
+
msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+ msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, test A32 crypto instructions built"
+ grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
# test the deprecated form of the config option
scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+ msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, test T32 crypto instructions built"
+ grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+ msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, test aarch64 crypto instructions built"
+ grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
# test the deprecated form of the config option
scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99"
+
msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+ msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, test T32 crypto instructions built"
+ grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
-
- # examine the disassembly for presence of SHA instructions
- for opt in MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT; do
- scripts/config.py set ${opt}
- msg "${opt} clang, test A32 crypto instructions built"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
- grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
-
- msg "${opt} clang, test T32 crypto instructions built"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
- grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
-
- msg "${opt} clang, test aarch64 crypto instructions built"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
- grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
- scripts/config.py unset ${opt}
- done
-
-
# examine the disassembly for absence of SHA instructions
msg "clang, test A32 crypto instructions not built"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
- not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72 -marm"
+ not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
msg "clang, test T32 crypto instructions not built"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
- not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32 -mthumb"
+ not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
msg "clang, test aarch64 crypto instructions not built"
- make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
- not grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
+ make -B library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
+ not grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
+}
+
+component_test_arm_linux_gnueabi_gcc_arm5vte () {
+ # Mimic Debian armel port
+ msg "test: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=arm5vte, default config" # ~4m
+ make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" AR="${ARM_LINUX_GNUEABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1'
+
+ msg "test: main suites make, default config (out-of-box)" # ~7m 40s
+ make test
+
+ msg "selftest: make, default config (out-of-box)" # ~0s
+ programs/test/selftest
+
+ msg "program demos: make, default config (out-of-box)" # ~0s
+ tests/scripts/run_demos.py
+}
+
+support_test_arm_linux_gnueabi_gcc_arm5vte () {
+ can_run_arm_linux_gnueabi
+}
+
+# The hard float ABI is not implemented for Thumb 1, so use gnueabi
+# Some Thumb 1 asm is sensitive to optimisation level, so test both -O0 and -Os
+component_test_arm_linux_gnueabi_gcc_thumb_1_opt_0 () {
+ msg "test: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -O0, thumb 1, default config" # ~2m 10s
+ make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" CFLAGS='-std=c99 -Werror -Wextra -O0 -mcpu=arm1136j-s -mthumb'
+
+ msg "test: main suites make, default config (out-of-box)" # ~36m
+ make test
+
+ msg "selftest: make, default config (out-of-box)" # ~10s
+ programs/test/selftest
+
+ msg "program demos: make, default config (out-of-box)" # ~0s
+ tests/scripts/run_demos.py
+}
+
+support_test_arm_linux_gnueabi_gcc_thumb_1_opt_0 () {
+ can_run_arm_linux_gnueabi
+}
+
+component_test_arm_linux_gnueabi_gcc_thumb_1_opt_s () {
+ msg "test: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -Os, thumb 1, default config" # ~3m 10s
+ make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" CFLAGS='-std=c99 -Werror -Wextra -Os -mcpu=arm1136j-s -mthumb'
+
+ msg "test: main suites make, default config (out-of-box)" # ~21m 10s
+ make test
+
+ msg "selftest: make, default config (out-of-box)" # ~2s
+ programs/test/selftest
+
+ msg "program demos: make, default config (out-of-box)" # ~0s
+ tests/scripts/run_demos.py
+}
+
+support_test_arm_linux_gnueabi_gcc_thumb_1_opt_s () {
+ can_run_arm_linux_gnueabi
+}
+
+component_test_arm_linux_gnueabihf_gcc_armv7 () {
+ msg "test: ${ARM_LINUX_GNUEABIHF_GCC_PREFIX}gcc -O2, A32, default config" # ~4m 30s
+ make CC="${ARM_LINUX_GNUEABIHF_GCC_PREFIX}gcc" CFLAGS='-std=c99 -Werror -Wextra -O2 -march=armv7-a -marm'
+
+ msg "test: main suites make, default config (out-of-box)" # ~3m 30s
+ make test
+
+ msg "selftest: make, default config (out-of-box)" # ~0s
+ programs/test/selftest
+
+ msg "program demos: make, default config (out-of-box)" # ~0s
+ tests/scripts/run_demos.py
+}
+
+support_test_arm_linux_gnueabihf_gcc_armv7 () {
+ can_run_arm_linux_gnueabihf
+}
+
+component_test_arm_linux_gnueabihf_gcc_thumb_2 () {
+ msg "test: ${ARM_LINUX_GNUEABIHF_GCC_PREFIX}gcc -Os, thumb 2, default config" # ~4m
+ make CC="${ARM_LINUX_GNUEABIHF_GCC_PREFIX}gcc" CFLAGS='-std=c99 -Werror -Wextra -Os -march=armv7-a -mthumb'
+
+ msg "test: main suites make, default config (out-of-box)" # ~3m 40s
+ make test
+
+ msg "selftest: make, default config (out-of-box)" # ~0s
+ programs/test/selftest
+
+ msg "program demos: make, default config (out-of-box)" # ~0s
+ tests/scripts/run_demos.py
+}
+
+support_test_arm_linux_gnueabihf_gcc_thumb_2 () {
+ can_run_arm_linux_gnueabihf
+}
+
+component_test_aarch64_linux_gnu_gcc () {
+ msg "test: ${AARCH64_LINUX_GNU_GCC_PREFIX}gcc -O2, default config" # ~3m 50s
+ make CC="${AARCH64_LINUX_GNU_GCC_PREFIX}gcc" CFLAGS='-std=c99 -Werror -Wextra -O2'
+
+ msg "test: main suites make, default config (out-of-box)" # ~1m 50s
+ make test
+
+ msg "selftest: make, default config (out-of-box)" # ~0s
+ programs/test/selftest
+
+ msg "program demos: make, default config (out-of-box)" # ~0s
+ tests/scripts/run_demos.py
+}
+
+support_test_aarch64_linux_gnu_gcc () {
+ # Minimum version of GCC for MBEDTLS_AESCE_C is 6.0
+ [ "$(gcc_version "${AARCH64_LINUX_GNU_GCC_PREFIX}gcc")" -ge 6 ] && can_run_aarch64_linux_gnu
}
component_build_arm_none_eabi_gcc () {
@@ -440,8 +548,9 @@
}
component_build_armcc () {
- msg "build: ARM Compiler 5"
+ # Common configuration for all the builds below
scripts/config.py baremetal
+
# armc[56] don't support SHA-512 intrinsics
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
@@ -458,13 +567,6 @@
scripts/config.py set MBEDTLS_HAVE_ASM
- make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
-
- msg "size: ARM Compiler 5"
- "$ARMC5_FROMELF" -z library/*.o
- "$ARMC5_FROMELF" -z ${PSA_CORE_PATH}/*.o
- "$ARMC5_FROMELF" -z ${BUILTIN_SRC_PATH}/*.o
-
# Compile mostly with -O1 since some Arm inline assembly is disabled for -O0.
# ARM Compiler 6 - Target ARMv7-A
@@ -497,7 +599,6 @@
}
support_build_armcc () {
- armc5_cc="$ARMC5_BIN_DIR/armcc"
armc6_cc="$ARMC6_BIN_DIR/armclang"
- (check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1)
+ (check_tools "$armc6_cc" > /dev/null 2>&1)
}
diff --git a/tests/scripts/components-sanitizers.sh b/tests/scripts/components-sanitizers.sh
index a3c150b..e872af0 100644
--- a/tests/scripts/components-sanitizers.sh
+++ b/tests/scripts/components-sanitizers.sh
@@ -37,26 +37,6 @@
export SKIP_TEST_SUITES
}
-component_test_memsan_constant_flow () {
- # This tests both (1) accesses to undefined memory, and (2) branches or
- # memory access depending on secret values. To distinguish between those:
- # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist?
- # - or alternatively, change the build type to MemSanDbg, which enables
- # origin tracking and nicer stack traces (which are useful for debugging
- # anyway), and check if the origin was TEST_CF_SECRET() or something else.
- msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing"
- scripts/config.py full
- scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
- scripts/config.py unset MBEDTLS_HAVE_ASM
- CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
- make
-
- msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)"
- make test
-}
-
component_test_memsan_constant_flow_psa () {
# This tests both (1) accesses to undefined memory, and (2) branches or
# memory access depending on secret values. To distinguish between those:
@@ -76,39 +56,6 @@
make test
}
-component_release_test_valgrind_constant_flow () {
- # This tests both (1) everything that valgrind's memcheck usually checks
- # (heap buffer overflows, use of uninitialized memory, use-after-free,
- # etc.) and (2) branches or memory access depending on secret values,
- # which will be reported as uninitialized memory. To distinguish between
- # secret and actually uninitialized:
- # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist?
- # - or alternatively, build with debug info and manually run the offending
- # test suite with valgrind --track-origins=yes, then check if the origin
- # was TEST_CF_SECRET() or something else.
- msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing"
- scripts/config.py full
- scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- skip_suites_without_constant_flow
- cmake -D CMAKE_BUILD_TYPE:String=Release .
- make
-
- # this only shows a summary of the results (how many of each type)
- # details are left in Testing/<date>/DynamicAnalysis.xml
- msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)"
- make memcheck
-
- # Test asm path in constant time module - by default, it will test the plain C
- # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s)
- msg "test: valgrind asm constant_time"
- skip_all_except_given_suite test_suite_constant_time
- cmake -D CMAKE_BUILD_TYPE:String=Release .
- make clean
- make
- make memcheck
-}
-
component_release_test_valgrind_constant_flow_no_asm () {
# This tests both (1) everything that valgrind's memcheck usually checks
# (heap buffer overflows, use of uninitialized memory, use-after-free,
@@ -122,7 +69,6 @@
msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM with constant flow testing"
scripts/config.py full
scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_AESNI_C
scripts/config.py unset MBEDTLS_HAVE_ASM
skip_suites_without_constant_flow
diff --git a/tests/scripts/pkgconfig.sh b/tests/scripts/pkgconfig.sh
index 2702bfa..07a73b3 100755
--- a/tests/scripts/pkgconfig.sh
+++ b/tests/scripts/pkgconfig.sh
@@ -18,11 +18,14 @@
set -e -u
-# These are the EXPECTED package names. Renaming these could break
-# consumers of pkg-config, consider carefully.
-all_pcs="mbedtls mbedx509 mbedcrypto"
+if [ $# -le 0 ]
+then
+ echo " [!] No package names specified" >&2
+ echo "Usage: $0 <package name 1> <package name 2> ..." >&2
+ exit 1
+fi
-for pc in $all_pcs; do
+for pc in "$@"; do
printf "testing package config file: ${pc} ... "
pkg-config --validate "${pc}"
version="$(pkg-config --modversion "${pc}")"
diff --git a/tests/src/bignum_codepath_check.c b/tests/src/bignum_codepath_check.c
index b752d13..9c6bbc7 100644
--- a/tests/src/bignum_codepath_check.c
+++ b/tests/src/bignum_codepath_check.c
@@ -11,14 +11,14 @@
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
int mbedtls_codepath_check = MBEDTLS_MPI_IS_TEST;
-void mbedtls_codepath_take_safe(void)
+static void mbedtls_codepath_take_safe(void)
{
if (mbedtls_codepath_check == MBEDTLS_MPI_IS_TEST) {
mbedtls_codepath_check = MBEDTLS_MPI_IS_SECRET;
}
}
-void mbedtls_codepath_take_unsafe(void)
+static void mbedtls_codepath_take_unsafe(void)
{
mbedtls_codepath_check = MBEDTLS_MPI_IS_PUBLIC;
}
diff --git a/tests/src/drivers/hash.c b/tests/src/drivers/hash.c
index 5d938ea..54aec93 100644
--- a/tests/src/drivers/hash.c
+++ b/tests/src/drivers/hash.c
@@ -13,8 +13,12 @@
#include "test/drivers/hash.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/library/psa_crypto_hash.h"
+#else
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.h"
#endif
+#endif
mbedtls_test_driver_hash_hooks_t
mbedtls_test_driver_hash_hooks = MBEDTLS_TEST_DRIVER_HASH_INIT;
diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c
index 9c0677a..6992a06 100644
--- a/tests/src/drivers/test_driver_aead.c
+++ b/tests/src/drivers/test_driver_aead.c
@@ -16,8 +16,12 @@
#include "mbedtls/constant_time.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/library/psa_crypto_aead.h"
+#else
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.h"
#endif
+#endif
mbedtls_test_driver_aead_hooks_t
mbedtls_test_driver_aead_hooks = MBEDTLS_TEST_DRIVER_AEAD_INIT;
diff --git a/tests/src/drivers/test_driver_asymmetric_encryption.c b/tests/src/drivers/test_driver_asymmetric_encryption.c
index 3264400..6fdbe43 100644
--- a/tests/src/drivers/test_driver_asymmetric_encryption.c
+++ b/tests/src/drivers/test_driver_asymmetric_encryption.c
@@ -16,8 +16,12 @@
#include "test/drivers/key_management.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/library/psa_crypto_rsa.h"
+#else
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.h"
#endif
+#endif
#define PSA_RSA_KEY_PAIR_MAX_SIZE \
PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)
diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c
index 136610b..90256fc 100644
--- a/tests/src/drivers/test_driver_cipher.c
+++ b/tests/src/drivers/test_driver_cipher.c
@@ -19,8 +19,12 @@
#include "test/random.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/library/psa_crypto_cipher.h"
+#else
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.h"
#endif
+#endif
#include <string.h>
diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c
index b99d7cd..8a7a9ea 100644
--- a/tests/src/drivers/test_driver_key_agreement.c
+++ b/tests/src/drivers/test_driver_key_agreement.c
@@ -20,10 +20,16 @@
#include <string.h>
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/include/psa/crypto.h"
+#include "libtestdriver1/library/psa_crypto_ecp.h"
+#include "libtestdriver1/library/psa_crypto_ffdh.h"
+#else
#include "libtestdriver1/tf-psa-crypto/include/psa/crypto.h"
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.h"
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.h"
#endif
+#endif
mbedtls_test_driver_key_agreement_hooks_t
mbedtls_test_driver_key_agreement_hooks = MBEDTLS_TEST_DRIVER_KEY_AGREEMENT_INIT;
diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c
index 337c254..d2ca157 100644
--- a/tests/src/drivers/test_driver_key_management.c
+++ b/tests/src/drivers/test_driver_key_management.c
@@ -23,10 +23,16 @@
#include "test/random.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/library/psa_crypto_ecp.h"
+#include "libtestdriver1/library/psa_crypto_rsa.h"
+#include "libtestdriver1/library/psa_crypto_ffdh.h"
+#else
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.h"
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.h"
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.h"
#endif
+#endif
#include <string.h>
diff --git a/tests/src/drivers/test_driver_mac.c b/tests/src/drivers/test_driver_mac.c
index 9b671b8..f1cf504 100644
--- a/tests/src/drivers/test_driver_mac.c
+++ b/tests/src/drivers/test_driver_mac.c
@@ -13,8 +13,12 @@
#include "test/drivers/mac.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/library/psa_crypto_mac.h"
+#else
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.h"
#endif
+#endif
mbedtls_test_driver_mac_hooks_t mbedtls_test_driver_mac_hooks =
MBEDTLS_TEST_DRIVER_MAC_INIT;
diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c
index bcef6b5..c3ce326 100644
--- a/tests/src/drivers/test_driver_pake.c
+++ b/tests/src/drivers/test_driver_pake.c
@@ -14,8 +14,12 @@
#include "string.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/library/psa_crypto_pake.h"
+#else
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.h"
#endif
+#endif
mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks =
MBEDTLS_TEST_DRIVER_PAKE_INIT;
diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c
index 92ec93b..a6eef57 100644
--- a/tests/src/drivers/test_driver_signature.c
+++ b/tests/src/drivers/test_driver_signature.c
@@ -26,10 +26,16 @@
#include "test/random.h"
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
+#if MBEDTLS_VERSION_MAJOR < 4
+#include "libtestdriver1/library/psa_crypto_ecp.h"
+#include "libtestdriver1/library/psa_crypto_hash.h"
+#include "libtestdriver1/library/psa_crypto_rsa.h"
+#else
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.h"
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.h"
#include "libtestdriver1/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.h"
#endif
+#endif
#include <string.h>
diff --git a/tests/src/helpers.c b/tests/src/helpers.c
index db50296..1a15733 100644
--- a/tests/src/helpers.c
+++ b/tests/src/helpers.c
@@ -717,4 +717,7 @@
line, file);
}
}
+
+void (*mbedtls_test_hook_error_add)(int, int, const char *, int);
+
#endif /* MBEDTLS_TEST_HOOKS */
diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c
index ee83997..032c489 100644
--- a/tests/src/psa_exercise_key.c
+++ b/tests/src/psa_exercise_key.c
@@ -11,7 +11,8 @@
#include <test/macros.h>
#include <test/psa_exercise_key.h>
-#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#if (MBEDTLS_VERSION_MAJOR < 4 && defined(MBEDTLS_PSA_CRYPTO_C)) || \
+ (MBEDTLS_VERSION_MAJOR >= 4 && defined(MBEDTLS_PSA_CRYPTO_CLIENT))
#include <mbedtls/asn1.h>
#include <psa/crypto.h>
@@ -1332,4 +1333,4 @@
}
#endif /* MBEDTLS_PK_C */
-#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_PSA_CRYPTO_C || MBEDTLS_PSA_CRYPTO_CLIENT */
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index e7eef1a..bf39952 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -422,29 +422,16 @@
requires_cipher_enabled() {
KEY_TYPE=$1
MODE=${2:-}
- if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then
- case "$KEY_TYPE" in
- CHACHA20)
- requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305
- requires_config_enabled PSA_WANT_KEY_TYPE_CHACHA20
- ;;
- *)
- requires_config_enabled PSA_WANT_ALG_${MODE}
- requires_config_enabled PSA_WANT_KEY_TYPE_${KEY_TYPE}
- ;;
- esac
- else
- case "$KEY_TYPE" in
- CHACHA20)
- requires_config_enabled MBEDTLS_CHACHA20_C
- requires_config_enabled MBEDTLS_CHACHAPOLY_C
- ;;
- *)
- requires_config_enabled MBEDTLS_${MODE}_C
- requires_config_enabled MBEDTLS_${KEY_TYPE}_C
- ;;
- esac
- fi
+ case "$KEY_TYPE" in
+ CHACHA20)
+ requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305
+ requires_config_enabled PSA_WANT_KEY_TYPE_CHACHA20
+ ;;
+ *)
+ requires_config_enabled PSA_WANT_ALG_${MODE}
+ requires_config_enabled PSA_WANT_KEY_TYPE_${KEY_TYPE}
+ ;;
+ esac
}
# Automatically detect required features based on command line parameters.
@@ -665,20 +652,7 @@
check_for_hash_alg()
{
CURR_ALG="INVALID";
- USE_PSA="NO"
- if is_config_enabled "MBEDTLS_USE_PSA_CRYPTO"; then
- USE_PSA="YES";
- fi
- if [ $USE_PSA = "YES" ]; then
- CURR_ALG=PSA_WANT_ALG_${1}
- else
- CURR_ALG=MBEDTLS_${1}_C
- # Remove the second underscore to match MBEDTLS_* naming convention
- # MD5 is an exception to this convention
- if [ "${1}" != "MD5" ]; then
- CURR_ALG=$(echo "$CURR_ALG" | sed 's/_//2')
- fi
- fi
+ CURR_ALG=PSA_WANT_ALG_${1}
case $CONFIGS_ENABLED in
*" $CURR_ALG"[\ =]*)
@@ -728,11 +702,7 @@
requires_pk_alg() {
case $1 in
ECDSA)
- if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then
- requires_config_enabled PSA_WANT_ALG_ECDSA
- else
- requires_config_enabled MBEDTLS_ECDSA_C
- fi
+ requires_config_enabled PSA_WANT_ALG_ECDSA
;;
*)
echo "Unknown/unimplemented case $1 in requires_pk_alg"
@@ -989,6 +959,14 @@
fi
}
+# Skip the next test if called by all.sh in a component with MSan
+# (which we also call MemSan) or Valgrind.
+not_with_msan_or_valgrind() {
+ case "_${MBEDTLS_TEST_CONFIGURATION:-}_" in
+ *_msan_*|*_memsan_*|*_valgrind_*) SKIP_NEXT="YES";;
+ esac
+}
+
# skip the next test if valgrind is in use
not_with_valgrind() {
if [ "$MEMCHECK" -gt 0 ]; then
@@ -1362,10 +1340,7 @@
*) echo "Bad parameter 1 to set_maybe_calc_verify: $1"; exit 1;;
esac
esac
- case $CONFIGS_ENABLED in
- *\ MBEDTLS_USE_PSA_CRYPTO\ *) maybe_calc_verify="PSA calc verify";;
- *) maybe_calc_verify="<= calc verify";;
- esac
+ maybe_calc_verify="PSA calc verify"
}
# Compare file content
@@ -1874,7 +1849,6 @@
}
run_test_psa() {
- requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
set_maybe_calc_verify none
run_test "PSA-supported ciphersuite: $1" \
"$P_SRV debug_level=3 force_version=tls12" \
@@ -1893,7 +1867,6 @@
}
run_test_psa_force_curve() {
- requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
set_maybe_calc_verify none
run_test "PSA - ECDH with $1" \
"$P_SRV debug_level=4 force_version=tls12 groups=$1" \
@@ -2270,7 +2243,6 @@
-C "error"
# Test using an EC opaque private key for client authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
@@ -2288,7 +2260,6 @@
-C "error"
# Test using a RSA opaque private key for client authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -2306,7 +2277,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
@@ -2325,7 +2295,6 @@
-C "error"
# Test using an EC opaque private key for server authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
@@ -2341,7 +2310,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDH-" \
@@ -2357,7 +2325,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
@@ -2372,7 +2339,6 @@
-c "error" \
-c "Public key type mismatch"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
@@ -2389,7 +2355,6 @@
-c "error" \
-c "Public key type mismatch"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
@@ -2404,7 +2369,6 @@
-s "error" \
-c "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
@@ -2420,7 +2384,6 @@
-s "error" \
-c "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \
@@ -2434,7 +2397,6 @@
-s "error" \
-c "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
@@ -2454,7 +2416,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_384
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
@@ -2473,7 +2434,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_384
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
@@ -2493,7 +2453,6 @@
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2507,7 +2466,6 @@
-s "no suitable signature algorithm"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2521,7 +2479,6 @@
-S "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2536,7 +2493,6 @@
-S "error" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2550,7 +2506,6 @@
-S "error" \
# Test using a RSA opaque private key for server authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -2567,7 +2522,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
@@ -2583,7 +2537,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
@@ -2600,7 +2553,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
@@ -2615,7 +2567,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
@@ -2630,7 +2581,6 @@
-s "error" \
-c "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
@@ -2651,7 +2601,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_384
@@ -2672,7 +2621,6 @@
-C "error"
# Test using an EC opaque private key for client/server authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
requires_hash_alg SHA_256
@@ -2692,7 +2640,6 @@
-C "error"
# Test using a RSA opaque private key for client/server authentication
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
@@ -2712,7 +2659,6 @@
-S "error" \
-C "error"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_hash_alg SHA_256
@@ -8594,7 +8540,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -8606,7 +8551,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8618,7 +8562,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -8630,7 +8573,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8642,7 +8584,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
@@ -8654,7 +8595,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8666,7 +8606,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
@@ -8678,7 +8617,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8690,7 +8628,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
@@ -8702,7 +8639,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8714,7 +8650,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
@@ -8726,7 +8661,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8738,7 +8672,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
@@ -8750,7 +8683,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8762,7 +8694,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
@@ -8774,7 +8705,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8786,7 +8716,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -8798,7 +8727,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8810,7 +8738,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -8823,7 +8750,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -8836,7 +8762,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback" \
"$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
@@ -8848,7 +8773,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8860,7 +8784,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS" \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -8873,7 +8796,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -8886,7 +8808,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback" \
"$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
@@ -8898,7 +8819,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8910,7 +8830,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS" \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -8923,7 +8842,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -8936,7 +8854,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback" \
"$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
@@ -8948,7 +8865,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -8960,7 +8876,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS" \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -8973,7 +8888,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -8986,7 +8900,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -8998,7 +8911,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
@@ -9010,7 +8922,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \
"$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -9023,7 +8934,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -9036,7 +8946,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
@@ -9048,7 +8957,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
@@ -9060,7 +8968,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS" \
"$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -9073,7 +8980,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -9086,7 +8992,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
@@ -9098,7 +9003,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -9110,7 +9014,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, EMS" \
"$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -9123,7 +9026,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -9136,7 +9038,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
@@ -9148,7 +9049,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
@@ -9160,7 +9060,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, EMS" \
"$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
@@ -9173,7 +9072,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
@@ -9186,7 +9084,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -9198,7 +9095,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -9210,7 +9106,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -9222,7 +9117,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -9234,7 +9128,6 @@
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,73776f726466697368 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
@@ -9348,7 +9241,6 @@
-S "SSL - Verification of the message MAC failed"
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "ECJPAKE: opaque password client+server, working, TLS" \
"$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \
"$P_CLI debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1\
@@ -9370,7 +9262,6 @@
# Note: if the name of this test is changed, then please adjust the corresponding
# filtering label in "test_tls1_2_ecjpake_compatibility" (in "all.sh")
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "ECJPAKE: opaque password client only, working, TLS" \
"$P_SRV debug_level=3 ecjpake_pw=bla" \
"$P_CLI debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1\
@@ -9392,7 +9283,6 @@
# Note: if the name of this test is changed, then please adjust the corresponding
# filtering label in "test_tls1_2_ecjpake_compatibility" (in "all.sh")
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "ECJPAKE: opaque password server only, working, TLS" \
"$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \
"$P_CLI debug_level=3 ecjpake_pw=bla\
@@ -9423,7 +9313,6 @@
server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "ECJPAKE_OPAQUE_PW: opaque password mismatch, TLS" \
"$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \
"$P_CLI debug_level=3 ecjpake_pw=bad ecjpake_pw_opaque=1 \
@@ -9820,10 +9709,23 @@
-C "mbedtls_ecdh_make_public.*4b00" \
-C "mbedtls_pk_sign.*4b00"
+# The following test cases for restartable ECDH come in two variants:
+# * The "(USE_PSA)" variant expects the current behavior, which is the behavior
+# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. This tests
+# the partial implementation where ECDH in TLS is not actually restartable.
+# * The "(no USE_PSA)" variant expects the desired behavior. These test
+# cases cannot currently pass because the implementation of restartable ECC
+# in TLS is partial: ECDH is not actually restartable. This is the behavior
+# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled.
+#
+# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294,
+# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test
+# cases.
+
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+skip_next_test
run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@@ -9839,7 +9741,6 @@
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@@ -9874,7 +9775,7 @@
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+skip_next_test
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -9895,7 +9796,6 @@
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -9915,7 +9815,7 @@
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+skip_next_test
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -9936,7 +9836,6 @@
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required \
crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -9956,7 +9855,7 @@
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+skip_next_test
run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@@ -9972,7 +9871,6 @@
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
"$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@@ -9987,7 +9885,7 @@
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+skip_next_test
run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \
"$P_SRV groups=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@@ -10003,7 +9901,6 @@
# everything except ECDH (where TLS calls PSA directly).
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \
"$P_SRV groups=secp256r1" \
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
@@ -13086,7 +12983,6 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \
@@ -13101,7 +12997,6 @@
requires_gnutls_next_no_ticket
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \
@@ -13116,7 +13011,6 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -13132,7 +13026,6 @@
requires_gnutls_next_no_ticket
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -13147,7 +13040,6 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -13163,7 +13055,6 @@
requires_gnutls_next_no_ticket
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -13178,7 +13069,6 @@
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -13194,7 +13084,6 @@
requires_gnutls_next_no_ticket
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -13210,7 +13099,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -13227,7 +13115,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -13243,7 +13130,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -13260,7 +13146,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -13276,7 +13161,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
@@ -13293,7 +13177,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
@@ -13309,7 +13192,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - openssl" \
"$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10
@@ -13327,7 +13209,6 @@
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - gnutls" \
"$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \
@@ -14339,6 +14220,14 @@
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
+# Tests using FFDH with a large prime take a long time to run with a memory
+# sanitizer. GnuTLS <=3.8.1 has a hard-coded timeout and gives up after
+# 30s (since 3.8.1, it can be configured with --timeout). We've observed
+# 8192-bit FFDH test cases failing intermittently on heavily loaded CI
+# executors (https://github.com/Mbed-TLS/mbedtls/issues/9742),
+# when using MSan. As a workaround, skip them.
+# Also skip 6144-bit FFDH to have a bit of safety margin.
+not_with_msan_or_valgrind
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \
"$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
"$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \
@@ -14359,6 +14248,7 @@
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
requires_config_enabled PSA_WANT_DH_RFC7919_6144
+not_with_msan_or_valgrind
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \
"$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \
"$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144" \
@@ -14380,6 +14270,7 @@
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
+not_with_msan_or_valgrind
client_needs_more_time 4
run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \
"$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
@@ -14401,6 +14292,7 @@
requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
requires_config_enabled PSA_WANT_ALG_FFDH
requires_config_enabled PSA_WANT_DH_RFC7919_8192
+not_with_msan_or_valgrind
client_needs_more_time 4
run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \
"$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \
diff --git a/tf-psa-crypto/tests/suites/test_suite_error.data b/tests/suites/test_suite_error.data
similarity index 100%
rename from tf-psa-crypto/tests/suites/test_suite_error.data
rename to tests/suites/test_suite_error.data
diff --git a/tf-psa-crypto/tests/suites/test_suite_error.function b/tests/suites/test_suite_error.function
similarity index 100%
rename from tf-psa-crypto/tests/suites/test_suite_error.function
rename to tests/suites/test_suite_error.function
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 15380b0..d962f34 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -899,10 +899,6 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_1
x509_verify:"../framework/data_files/server9-defaults.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
-X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, !USE_PSA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:!MBEDTLS_USE_PSA_CRYPTO
-x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:MBEDTLS_USE_PSA_CRYPTO
x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 64b4e9e..d0fdd8a 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -288,21 +288,24 @@
int cert_type)
{
mbedtls_pk_context key;
+ mbedtls_pk_init(&key);
+
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+
mbedtls_x509write_csr req;
+ mbedtls_x509write_csr_init(&req);
+
unsigned char buf[4096];
int ret;
size_t pem_len = 0;
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
mbedtls_test_rnd_pseudo_info rnd_info;
- mbedtls_x509write_csr_init(&req);
MD_OR_USE_PSA_INIT();
memset(&rnd_info, 0x2a, sizeof(mbedtls_test_rnd_pseudo_info));
- mbedtls_pk_init(&key);
TEST_ASSERT(mbedtls_pk_parse_keyfile(&key, key_file, NULL,
mbedtls_test_rnd_std_rand, NULL) == 0);
diff --git a/tf-psa-crypto/CMakeLists.txt b/tf-psa-crypto/CMakeLists.txt
index 63a71fc..21eb64e 100644
--- a/tf-psa-crypto/CMakeLists.txt
+++ b/tf-psa-crypto/CMakeLists.txt
@@ -33,10 +33,6 @@
if(NOT (CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR))
-if(LIB_INSTALL_DIR)
- set(CMAKE_INSTALL_LIBDIR "${LIB_INSTALL_DIR}")
-endif()
-
set(TF_PSA_CRYPTO_PYTHON_EXECUTABLE ${MBEDTLS_PYTHON_EXECUTABLE})
set(USE_STATIC_TF_PSA_CRYPTO_LIBRARY ${USE_STATIC_MBEDTLS_LIBRARY})
set(USE_SHARED_TF_PSA_CRYPTO_LIBRARY ${USE_SHARED_MBEDTLS_LIBRARY})
@@ -57,15 +53,18 @@
else(NOT (CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR))
+set(TF_PSA_CRYPTO_VERSION 0.1.0)
+set(TF_PSA_CRYPTO_SOVERSION 0)
+
if(TEST_CPP)
project("TF-PSA-Crypto"
LANGUAGES C CXX
- VERSION 0.1.0
+ VERSION ${TF_PSA_CRYPTO_VERSION}
)
else()
project("TF-PSA-Crypto"
LANGUAGES C
- VERSION 0.1.0
+ VERSION ${TF_PSA_CRYPTO_VERSION}
)
endif()
diff --git a/tf-psa-crypto/TF-PSA-Crypto.cmake b/tf-psa-crypto/TF-PSA-Crypto.cmake
index e520ad1..13b7a45 100644
--- a/tf-psa-crypto/TF-PSA-Crypto.cmake
+++ b/tf-psa-crypto/TF-PSA-Crypto.cmake
@@ -1,3 +1,4 @@
+include(CMakePackageConfigHelpers)
include(GNUInstallDirs)
# Determine if TF-PSA-Crypto is being built as a subproject using add_subdirectory()
@@ -13,9 +14,21 @@
set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/..)
set(MBEDTLS_FRAMEWORK_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../framework)
+# Put the version numbers into relevant files
+set(version_number_files
+ doxygen/input/doc_mainpage.h
+ doxygen/tfpsacrypto.doxyfile)
+foreach(file ${version_number_files})
+ configure_file(${file}.in
+ ${TF_PSA_CRYPTO_DIR}/${file})
+endforeach(file)
+
+ADD_CUSTOM_TARGET(${TF_PSA_CRYPTO_TARGET_PREFIX}apidoc
+ COMMAND doxygen tfpsacrypto.doxyfile
+ WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
+
option(ENABLE_PROGRAMS "Build TF-PSA-Crypto programs." ON)
-option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
option(TF_PSA_CRYPTO_FATAL_WARNINGS "Compiler warnings treated as errors" ON)
if(CMAKE_HOST_WIN32)
# N.B. The comment on the next line is significant! If you change it,
@@ -27,7 +40,7 @@
endif()
# Support for package config and install to be added later.
-option(DISABLE_PACKAGE_CONFIG_AND_INSTALL "Disable package configuration, target export and installation" ON)
+option(DISABLE_PACKAGE_CONFIG_AND_INSTALL "Disable package configuration, target export and installation" ${TF_PSA_CRYPTO_AS_SUBPROJECT})
if (CMAKE_C_SIMULATE_ID)
set(COMPILER_ID ${CMAKE_C_SIMULATE_ID})
@@ -101,7 +114,7 @@
find_package(Threads)
# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
-if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
+if(NOT TF_PSA_CRYPTO_AS_SUBPROJECT)
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull TSan TSanDbg"
FORCE)
@@ -164,87 +177,121 @@
set(CMAKE_C_EXTENSIONS OFF)
set(CMAKE_C_STANDARD 99)
-if(CMAKE_COMPILER_IS_GNU)
+function(set_base_compile_options target)
+ if(CMAKE_COMPILER_IS_GNU)
+ set_gnu_base_compile_options(${target})
+ elseif(CMAKE_COMPILER_IS_CLANG)
+ set_clang_base_compile_options(${target})
+ elseif(CMAKE_COMPILER_IS_IAR)
+ set_iar_base_compile_options(${target})
+ elseif(CMAKE_COMPILER_IS_MSVC)
+ set_msvc_base_compile_options(${target})
+ endif()
+endfunction(set_base_compile_options)
+
+function(set_gnu_base_compile_options target)
# some warnings we want are not available with old GCC versions
# note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
OUTPUT_VARIABLE GCC_VERSION)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes")
+ target_compile_options(${target} PRIVATE -Wall -Wextra -Wwrite-strings -Wmissing-prototypes)
if (GCC_VERSION VERSION_GREATER 3.0 OR GCC_VERSION VERSION_EQUAL 3.0)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat=2 -Wno-format-nonliteral")
+ target_compile_options(${target} PRIVATE -Wformat=2 -Wno-format-nonliteral)
endif()
if (GCC_VERSION VERSION_GREATER 4.3 OR GCC_VERSION VERSION_EQUAL 4.3)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wvla")
+ target_compile_options(${target} PRIVATE -Wvla)
endif()
if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op")
+ target_compile_options(${target} PRIVATE -Wlogical-op)
endif()
if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
+ target_compile_options(${target} PRIVATE -Wshadow)
endif()
if (GCC_VERSION VERSION_GREATER 5.0)
CHECK_C_COMPILER_FLAG("-Wformat-signedness" C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
if(C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-signedness")
+ target_compile_options(${target} PRIVATE -Wformat-signedness)
endif()
endif()
if (GCC_VERSION VERSION_GREATER 7.0 OR GCC_VERSION VERSION_EQUAL 7.0)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-overflow=2 -Wformat-truncation")
+ target_compile_options(${target} PRIVATE -Wformat-overflow=2 -Wformat-truncation)
endif()
- set(CMAKE_C_FLAGS_RELEASE "-O2")
- set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
- set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
- set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
- set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
- set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
- set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
- set(CMAKE_C_FLAGS_CHECK "-Os")
- set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
-endif(CMAKE_COMPILER_IS_GNU)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-O2>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:-O0 -g3>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Coverage>:-O0 -g3 --coverage>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_COVERAGE "--coverage")
+ # Old GCC versions hit a performance problem with test_suite_pkwrite
+ # "Private keey write check EC" tests when building with Asan+UBSan
+ # and -O3: those tests take more than 100x time than normal, with
+ # test_suite_pkwrite taking >3h on the CI. Observed with GCC 5.4 on
+ # Ubuntu 16.04 x86_64 and GCC 6.5 on Ubuntu 18.04 x86_64.
+ # GCC 7.5 and above on Ubuntu 18.04 appear fine.
+ # To avoid the performance problem, we use -O2 when GCC version is lower than 7.0.
+ # It doesn't slow down much even with modern compiler versions.
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all>)
+ if (GCC_VERSION VERSION_LESS 7.0)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-O2>)
+ else()
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-O3>)
+ endif()
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_ASAN "-fsanitize=address -fsanitize=undefined")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASanDbg>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_ASANDBG "-fsanitize=address -fsanitize=undefined")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:TSan>:-fsanitize=thread -O3>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_TSAN "-fsanitize=thread")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:TSanDbg>:-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_TSANDBG "-fsanitize=thread")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Check>:-Os>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:CheckFull>:-Os -Wcast-qual>)
-if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral")
- set(CMAKE_C_FLAGS_RELEASE "-O2")
- set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
- set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
- set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
- set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
- set(CMAKE_C_FLAGS_MEMSAN "-fsanitize=memory -O3")
- set(CMAKE_C_FLAGS_MEMSANDBG "-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
- set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
- set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
- set(CMAKE_C_FLAGS_CHECK "-Os")
-endif(CMAKE_COMPILER_IS_CLANG)
+ if(TF_PSA_CRYPTO_FATAL_WARNINGS)
+ target_compile_options(${target} PRIVATE -Werror)
+ endif(TF_PSA_CRYPTO_FATAL_WARNINGS)
+endfunction(set_gnu_base_compile_options)
-if(CMAKE_COMPILER_IS_IAR)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts")
- set(CMAKE_C_FLAGS_RELEASE "-Ohz")
- set(CMAKE_C_FLAGS_DEBUG "--debug -On")
-endif(CMAKE_COMPILER_IS_IAR)
+function(set_clang_base_compile_options target)
+ target_compile_options(${target} PRIVATE -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-O2>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:-O0 -g3>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Coverage>:-O0 -g3 --coverage>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_COVERAGE "--coverage")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_ASAN "-fsanitize=address -fsanitize=undefined")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:ASanDbg>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_ASANDBG "-fsanitize=address -fsanitize=undefined")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:MemSan>:-fsanitize=memory>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_MEMSAN "-fsanitize=memory")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:MemSanDbg>:-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_MEMSANDBG "-fsanitize=memory")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:TSan>:-fsanitize=thread -O3>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_TSAN "-fsanitize=thread")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:TSanDbg>:-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+ set_target_properties(${target} PROPERTIES LINK_FLAGS_TSANDBG "-fsanitize=thread")
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Check>:-Os>)
-if(CMAKE_COMPILER_IS_MSVC)
+ if(MBEDTLS_FATAL_WARNINGS)
+ target_compile_options(${target} PRIVATE -Werror)
+ endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_clang_base_compile_options)
+
+function(set_iar_base_compile_options target)
+ target_compile_options(${target} PRIVATE --warn_about_c_style_casts)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-Ohz>)
+ target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:--debug -On>)
+
+ if(MBEDTLS_FATAL_WARNINGS)
+ target_compile_options(${target} PRIVATE --warnings_are_errors)
+ endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_iar_base_compile_options)
+
+function(set_msvc_base_compile_options target)
# Strictest warnings, UTF-8 source and execution charset
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W3 /utf-8")
-endif(CMAKE_COMPILER_IS_MSVC)
+ target_compile_options(${target} PRIVATE /W3 /utf-8)
-if(TF_PSA_CRYPTO_FATAL_WARNINGS)
- if(CMAKE_COMPILER_IS_MSVC)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
- endif(CMAKE_COMPILER_IS_MSVC)
-
- if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror")
- if(UNSAFE_BUILD)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-error=cpp")
- set(CMAKE_C_FLAGS_ASAN "${CMAKE_C_FLAGS_ASAN} -Wno-error=cpp")
- set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error=cpp")
- endif(UNSAFE_BUILD)
- endif(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
-
- if (CMAKE_COMPILER_IS_IAR)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warnings_are_errors")
- endif(CMAKE_COMPILER_IS_IAR)
-endif(TF_PSA_CRYPTO_FATAL_WARNINGS)
+ if(MBEDTLS_FATAL_WARNINGS)
+ target_compile_options(${target} PRIVATE /WX)
+ endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_msvc_base_compile_options)
if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP)
set(CMAKE_CXX_STANDARD 11)
@@ -255,16 +302,6 @@
endif()
endif()
-if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
- if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
- endif(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
-endif(CMAKE_BUILD_TYPE STREQUAL "Coverage")
-
-if(LIB_INSTALL_DIR)
- set(CMAKE_INSTALL_LIBDIR "${LIB_INSTALL_DIR}")
-endif()
-
if (NOT EXISTS "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt")
message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found. Run `git submodule update --init` from the source tree to fetch the submodule contents.")
endif()
@@ -272,6 +309,7 @@
add_subdirectory(include)
add_subdirectory(core)
add_subdirectory(drivers)
+add_subdirectory(pkgconfig)
#
# The C files in tests/src directory contain test code shared among test suites
@@ -292,6 +330,7 @@
${MBEDTLS_DIR}/tests/src/*.c
${MBEDTLS_DIR}/tests/src/drivers/*.c)
add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
+ set_base_compile_options(mbedtls_test)
if(GEN_FILES)
add_custom_command(
OUTPUT
@@ -356,6 +395,17 @@
# additional convenience targets for Unix only
if(UNIX)
+ # For coverage testing:
+ # 1. Build with:
+ # cmake -D CMAKE_BUILD_TYPE=Coverage /path/to/source && make
+ # 2. Run the relevant tests for the part of the code you're interested in.
+ # For the reference coverage measurement, see
+ # tests/scripts/basic-build-test.sh
+ # 3. Run scripts/lcov.sh to generate an HTML report.
+ ADD_CUSTOM_TARGET(lcov
+ COMMAND ${MBEDTLS_DIR}/scripts/lcov.sh
+ )
+
ADD_CUSTOM_TARGET(memcheck
COMMAND sed -i.bak s+/usr/bin/valgrind+`which valgrind`+ DartConfiguration.tcl
COMMAND ctest -O memcheck.log -D ExperimentalMemCheck
@@ -374,3 +424,39 @@
${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
endif()
endif()
+
+if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
+ configure_package_config_file(
+ "cmake/TF-PSA-CryptoConfig.cmake.in"
+ "cmake/TF-PSA-CryptoConfig.cmake"
+ INSTALL_DESTINATION "cmake")
+
+ write_basic_package_version_file(
+ "cmake/TF-PSA-CryptoConfigVersion.cmake"
+ COMPATIBILITY SameMajorVersion
+ VERSION 0.1.0)
+
+ install(
+ FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/TF-PSA-CryptoConfig.cmake"
+ "${CMAKE_CURRENT_BINARY_DIR}/cmake/TF-PSA-CryptoConfigVersion.cmake"
+ DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/TF-PSA-Crypto")
+
+ export(
+ EXPORT MbedTLSTargets
+ NAMESPACE TF-PSA-Crypto::
+ FILE "cmake/TF-PSA-CryptoTargets.cmake")
+
+ install(
+ EXPORT MbedTLSTargets
+ NAMESPACE TF-PSA-Crypto::
+ DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/TF-PSA-Crypto"
+ FILE "TF-PSA-CryptoTargets.cmake")
+
+ if(CMAKE_VERSION VERSION_GREATER 3.15 OR CMAKE_VERSION VERSION_EQUAL 3.15)
+ # Do not export the package by default
+ cmake_policy(SET CMP0090 NEW)
+
+ # Make this package visible to the system
+ export(PACKAGE TF-PSA-Crypto)
+ endif()
+endif()
diff --git a/tf-psa-crypto/cmake/.gitignore b/tf-psa-crypto/cmake/.gitignore
new file mode 100644
index 0000000..fc85262
--- /dev/null
+++ b/tf-psa-crypto/cmake/.gitignore
@@ -0,0 +1 @@
+TF-PSA-CryptoConfig.cmake
diff --git a/tf-psa-crypto/cmake/TF-PSA-CryptoConfig.cmake.in b/tf-psa-crypto/cmake/TF-PSA-CryptoConfig.cmake.in
new file mode 100644
index 0000000..94a9195
--- /dev/null
+++ b/tf-psa-crypto/cmake/TF-PSA-CryptoConfig.cmake.in
@@ -0,0 +1,3 @@
+@PACKAGE_INIT@
+
+include("${CMAKE_CURRENT_LIST_DIR}/TF-PSA-CryptoTargets.cmake")
diff --git a/tf-psa-crypto/core/CMakeLists.txt b/tf-psa-crypto/core/CMakeLists.txt
index 0917cae..1264acf 100644
--- a/tf-psa-crypto/core/CMakeLists.txt
+++ b/tf-psa-crypto/core/CMakeLists.txt
@@ -28,11 +28,11 @@
endif()
if(CMAKE_COMPILER_IS_GNUCC)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes")
+ set(LIBS_C_FLAGS -Wmissing-declarations -Wmissing-prototypes)
endif(CMAKE_COMPILER_IS_GNUCC)
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+ set(LIBS_C_FLAGS -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code)
endif(CMAKE_COMPILER_IS_CLANG)
if(CMAKE_COMPILER_IS_MSVC)
@@ -91,6 +91,8 @@
if(USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
+ set_base_compile_options(${mbedcrypto_static_target})
+ target_compile_options(${mbedcrypto_static_target} PRIVATE ${LIBS_C_FLAGS})
set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs})
@@ -108,6 +110,8 @@
if(USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
+ set_base_compile_options(${mbedcrypto_target})
+ target_compile_options(${mbedcrypto_static_target} PRIVATE ${LIBS_C_FLAGS})
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 4.0.0 SOVERSION 16)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
diff --git a/tf-psa-crypto/core/psa_crypto.c b/tf-psa-crypto/core/psa_crypto.c
index d1c93fd..5f44cc3 100644
--- a/tf-psa-crypto/core/psa_crypto.c
+++ b/tf-psa-crypto/core/psa_crypto.c
@@ -58,13 +58,13 @@
#include "mbedtls/ecdh.h"
#include "mbedtls/ecp.h"
#include "mbedtls/entropy.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/gcm.h"
#include "mbedtls/md5.h"
#include "mbedtls/pk.h"
#include "pk_wrap.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/ripemd160.h"
#include "mbedtls/rsa.h"
#include "mbedtls/sha1.h"
@@ -705,6 +705,11 @@
psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
size_t buffer_length)
{
+#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
+ if (buffer_length > ((size_t) MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+#else
if (slot->key.data != NULL) {
return PSA_ERROR_ALREADY_EXISTS;
}
@@ -713,6 +718,7 @@
if (slot->key.data == NULL) {
return PSA_ERROR_INSUFFICIENT_MEMORY;
}
+#endif
slot->key.bytes = buffer_length;
return PSA_SUCCESS;
@@ -1177,11 +1183,18 @@
psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
{
+#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
+ if (slot->key.bytes > 0) {
+ mbedtls_platform_zeroize(slot->key.data, MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE);
+ }
+#else
if (slot->key.data != NULL) {
mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
}
slot->key.data = NULL;
+#endif /* MBEDTLS_PSA_STATIC_KEY_SLOTS */
+
slot->key.bytes = 0;
return PSA_SUCCESS;
@@ -2096,7 +2109,7 @@
* storage ( thus not in the case of importing a key in a secure element
* with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
* buffer to hold the imported key material. */
- if (slot->key.data == NULL) {
+ if (slot->key.bytes == 0) {
if (psa_key_lifetime_is_external(attributes->lifetime)) {
status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
attributes, data, data_length, &storage_size);
@@ -8030,7 +8043,7 @@
* storage ( thus not in the case of generating a key in a secure element
* with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
* buffer to hold the generated key material. */
- if (slot->key.data == NULL) {
+ if (slot->key.bytes == 0) {
if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) ==
PSA_KEY_LOCATION_LOCAL_STORAGE) {
status = psa_validate_key_type_and_size_for_key_generation(
@@ -8085,6 +8098,112 @@
key);
}
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static psa_status_t psa_generate_key_iop_abort_internal(
+ psa_generate_key_iop_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->id == 0) {
+ return PSA_SUCCESS;
+ }
+
+ status = mbedtls_psa_generate_key_iop_abort(&operation->ctx);
+
+ operation->id = 0;
+
+ return status;
+}
+#endif
+
+uint32_t psa_generate_key_iop_get_num_ops(
+ psa_generate_key_iop_t *operation)
+{
+ (void) operation;
+ return 0;
+}
+
+psa_status_t psa_generate_key_iop_setup(
+ psa_generate_key_iop_t *operation,
+ const psa_key_attributes_t *attributes)
+{
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_type_t type;
+
+ if (operation->id != 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ type = psa_get_key_type(attributes);
+
+ if (!PSA_KEY_TYPE_IS_ECC(type)) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ if (psa_get_key_bits(attributes) == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ operation->attributes = *attributes;
+
+ operation->num_ops = 0;
+
+ /* We only support the builtin/Mbed TLS driver for now. */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+
+ status = mbedtls_psa_generate_key_iop_setup(&operation->ctx, attributes);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_generate_key_iop_abort_internal(operation);
+ }
+
+ return status;
+#else
+ (void) operation;
+ (void) attributes;
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif
+}
+
+psa_status_t psa_generate_key_iop_complete(
+ psa_generate_key_iop_t *operation,
+ psa_key_id_t *key)
+{
+ (void) operation;
+ (void) key;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_generate_key_iop_abort(
+ psa_generate_key_iop_t *operation)
+{
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ psa_status_t status;
+
+ status = psa_generate_key_iop_abort_internal(operation);
+
+ operation->error_occurred = 0;
+ operation->num_ops = 0;
+ return status;
+#else
+ (void) operation;
+ return PSA_SUCCESS;
+#endif
+}
+
+
/****************************************************************/
/* Module setup */
/****************************************************************/
diff --git a/tf-psa-crypto/core/psa_crypto_core.h b/tf-psa-crypto/core/psa_crypto_core.h
index 21e7559..1753554 100644
--- a/tf-psa-crypto/core/psa_crypto_core.h
+++ b/tf-psa-crypto/core/psa_crypto_core.h
@@ -155,7 +155,11 @@
/* Dynamically allocated key data buffer.
* Format as specified in psa_export_key(). */
struct key_data {
+#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
+ uint8_t data[MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE];
+#else
uint8_t *data;
+#endif
size_t bytes;
} key;
} psa_key_slot_t;
@@ -431,6 +435,40 @@
size_t key_buffer_size,
size_t *key_buffer_length);
+/**
+ * \brief Setup a new interruptible key generation operation.
+ *
+ * \param[in] operation The \c mbedtls_psa_generate_key_iop_t to use.
+ * This must be initialized first.
+ * \param[in] attributes The desired attributes of the generated key.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c mbedtls_psa_generate_key_complete()
+ * with the same operation to complete the operation.
+ * * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Either no internal interruptible operations are
+ * currently supported, or the key attributes are not unsupported.
+ * * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory to load the key representation.
+ *
+ */
+psa_status_t mbedtls_psa_generate_key_iop_setup(
+ mbedtls_psa_generate_key_iop_t *operation,
+ const psa_key_attributes_t *attributes);
+
+/**
+ * \brief Abort a key generation operation.
+ *
+ * \param[in] operation The \c mbedtls_psa_generate_key_iop_t to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ */
+psa_status_t mbedtls_psa_generate_key_iop_abort(
+ mbedtls_psa_generate_key_iop_t *operation);
+
+
/** Sign a message with a private key. For hash-and-sign algorithms,
* this includes the hashing step.
*
diff --git a/tf-psa-crypto/core/psa_crypto_storage.h b/tf-psa-crypto/core/psa_crypto_storage.h
index d7f5b18..433ecdc 100644
--- a/tf-psa-crypto/core/psa_crypto_storage.h
+++ b/tf-psa-crypto/core/psa_crypto_storage.h
@@ -21,9 +21,16 @@
#include <stdint.h>
#include <string.h>
-/* Limit the maximum key size in storage. This should have no effect
- * since the key size is limited in memory. */
+/* Limit the maximum key size in storage. */
+#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
+/* Reflect the maximum size for the key buffer. */
+#define PSA_CRYPTO_MAX_STORAGE_SIZE (MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)
+#else
+/* Just set an upper boundary but it should have no effect since the key size
+ * is limited in memory. */
#define PSA_CRYPTO_MAX_STORAGE_SIZE (PSA_BITS_TO_BYTES(PSA_MAX_KEY_BITS))
+#endif
+
/* Sanity check: a file size must fit in 32 bits. Allow a generous
* 64kB of metadata. */
#if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000
diff --git a/tf-psa-crypto/doxygen/.gitignore b/tf-psa-crypto/doxygen/.gitignore
new file mode 100644
index 0000000..3d1b31d
--- /dev/null
+++ b/tf-psa-crypto/doxygen/.gitignore
@@ -0,0 +1 @@
+tfpsacrypto.doxyfile
diff --git a/tf-psa-crypto/doxygen/input/.gitignore b/tf-psa-crypto/doxygen/input/.gitignore
new file mode 100644
index 0000000..b806578
--- /dev/null
+++ b/tf-psa-crypto/doxygen/input/.gitignore
@@ -0,0 +1 @@
+doc_mainpage.h
diff --git a/tf-psa-crypto/doxygen/input/doc_mainpage.h.in b/tf-psa-crypto/doxygen/input/doc_mainpage.h.in
new file mode 100644
index 0000000..7c6ccb6
--- /dev/null
+++ b/tf-psa-crypto/doxygen/input/doc_mainpage.h.in
@@ -0,0 +1,19 @@
+/**
+ * \file doc_mainpage.h
+ *
+ * \brief Main page documentation file.
+ */
+/*
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * @mainpage TF-PSA-Crypto v@TF-PSA-Crypto_VERSION@ source code documentation
+ *
+ * This documentation describes the internal structure of the TF-PSA-Crypto
+ * library. It was automatically generated from specially formatted comment
+ * blocks in TF-PSA-Crypto source code using Doxygen (see
+ * http://www.stack.nl/~dimitri/doxygen/ for more information on Doxygen).
+ */
diff --git a/tf-psa-crypto/doxygen/tfpsacrypto.doxyfile.in b/tf-psa-crypto/doxygen/tfpsacrypto.doxyfile.in
new file mode 100644
index 0000000..56de487
--- /dev/null
+++ b/tf-psa-crypto/doxygen/tfpsacrypto.doxyfile.in
@@ -0,0 +1,54 @@
+PROJECT_NAME = "TF-PSA-Crypto v@TF-PSA-Crypto_VERSION@"
+OUTPUT_DIRECTORY = ../apidoc/
+FULL_PATH_NAMES = NO
+OPTIMIZE_OUTPUT_FOR_C = YES
+EXTRACT_ALL = YES
+EXTRACT_PRIVATE = YES
+EXTRACT_STATIC = YES
+CASE_SENSE_NAMES = NO
+INPUT = ../include input
+FILE_PATTERNS = *.h
+EXCLUDE = ../include/psa/crypto_se_driver.h
+RECURSIVE = YES
+EXCLUDE_SYMLINKS = YES
+SOURCE_BROWSER = YES
+REFERENCED_BY_RELATION = YES
+REFERENCES_RELATION = YES
+ALPHABETICAL_INDEX = NO
+HTML_OUTPUT = .
+HTML_TIMESTAMP = YES
+SEARCHENGINE = YES
+GENERATE_LATEX = NO
+MACRO_EXPANSION = YES
+EXPAND_ONLY_PREDEF = YES
+INCLUDE_PATH = ../include
+EXPAND_AS_DEFINED = MBEDTLS_PRIVATE
+CLASS_DIAGRAMS = NO
+HAVE_DOT = YES
+DOT_GRAPH_MAX_NODES = 200
+MAX_DOT_GRAPH_DEPTH = 1000
+DOT_TRANSPARENT = YES
+
+# We mostly use \retval declarations to document which error codes a function
+# can return. The reader can follow the hyperlink to the definition of the
+# constant to get the generic documentation of that error code. If we don't
+# have anything to say about the specific error code for the specific
+# function, we can leave the description part of the \retval command blank.
+# This is perfectly valid as far as Doxygen is concerned. However, with
+# Clang >=15, the -Wdocumentation option emits a warning for empty
+# descriptions.
+# https://github.com/Mbed-TLS/mbedtls/issues/6960
+# https://github.com/llvm/llvm-project/issues/60315
+# As a workaround, you can write something like
+# \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+# This avoids writing redundant text and keeps Clang happy.
+ALIASES += emptydescription=""
+
+# Define away macros that make parsing definitions difficult.
+# MBEDTLS_DEPRECATED is not included in this list as it's important to
+# display deprecated status in the documentation.
+PREDEFINED = "MBEDTLS_CHECK_RETURN_CRITICAL=" \
+ "MBEDTLS_CHECK_RETURN_TYPICAL=" \
+ "MBEDTLS_CHECK_RETURN_OPTIONAL=" \
+ "MBEDTLS_PRINTF_ATTRIBUTE(a,b)=" \
+ "__DOXYGEN__" \
diff --git a/tf-psa-crypto/drivers/builtin/CMakeLists.txt b/tf-psa-crypto/drivers/builtin/CMakeLists.txt
index 5cbdbbc..dd1a113 100644
--- a/tf-psa-crypto/drivers/builtin/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/builtin/CMakeLists.txt
@@ -1,41 +1,13 @@
add_subdirectory(src)
file(GLOB src_builtin RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} src/*.c)
-if(NOT "src/error.c" IN_LIST "${src_builtin}")
- list(APPEND src_builtin src/error.c)
-endif()
-
-if(GEN_FILES)
- find_package(Perl REQUIRED)
-
- file(GLOB crypto_error_headers ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/*.h)
- file(GLOB tls_error_headers ${MBEDTLS_DIR}/include/mbedtls/*.h)
- add_custom_command(
- OUTPUT
- ${CMAKE_CURRENT_BINARY_DIR}/src/error.c
- COMMAND
- ${PERL_EXECUTABLE}
- ${MBEDTLS_DIR}/scripts/generate_errors.pl
- ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls
- ${MBEDTLS_DIR}/include/mbedtls
- ${MBEDTLS_DIR}/scripts/data_files
- ${CMAKE_CURRENT_BINARY_DIR}/src/error.c
- DEPENDS
- ${MBEDTLS_DIR}/scripts/generate_errors.pl
- ${crypto_error_headers}
- ${tls_error_headers}
- ${MBEDTLS_DIR}/scripts/data_files/error.fmt
- )
-else()
- link_to_source(src/error.c)
-endif()
if(CMAKE_COMPILER_IS_GNUCC)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes")
+ set(LIBS_C_FLAGS -Wmissing-declarations -Wmissing-prototypes)
endif(CMAKE_COMPILER_IS_GNUCC)
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+ set(LIBS_C_FLAGS -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code)
endif(CMAKE_COMPILER_IS_CLANG)
if(CMAKE_COMPILER_IS_MSVC)
@@ -82,6 +54,8 @@
if(USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
add_library(${builtin_static_target} STATIC ${src_builtin})
+ set_base_compile_options(${builtin_static_target})
+ target_compile_options(${builtin_static_target} PRIVATE ${LIBS_C_FLAGS})
target_link_libraries(${builtin_static_target} PUBLIC ${libs})
if(TARGET ${everest_target})
target_link_libraries(${builtin_static_target} PUBLIC ${everest_target})
@@ -94,6 +68,8 @@
if(USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
add_library(${builtin_target} SHARED ${src_builtin})
+ set_base_compile_options(${builtin_target})
+ target_compile_options(${builtin_static_target} PRIVATE ${LIBS_C_FLAGS})
target_link_libraries(${builtin_target} PUBLIC ${libs})
if(TARGET ${everest_target})
target_link_libraries(${builtin_target} PUBLIC ${everest_target})
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h
index 8367cd3..22d5d84 100644
--- a/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/bignum.h
@@ -238,6 +238,8 @@
}
mbedtls_mpi;
+#define MBEDTLS_MPI_INIT { 0, 0, 0 }
+
/**
* \brief Initialize an MPI context.
*
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h
index 7b0a80d..b340614 100644
--- a/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/ecp.h
@@ -162,6 +162,8 @@
}
mbedtls_ecp_point;
+#define MBEDTLS_ECP_POINT_INIT { MBEDTLS_MPI_INIT, MBEDTLS_MPI_INIT, MBEDTLS_MPI_INIT }
+
/**
* \brief The ECP group structure.
*
@@ -250,6 +252,9 @@
}
mbedtls_ecp_group;
+#define MBEDTLS_ECP_GROUP_INIT { MBEDTLS_ECP_DP_NONE, MBEDTLS_MPI_INIT, MBEDTLS_MPI_INIT, \
+ MBEDTLS_MPI_INIT, MBEDTLS_ECP_POINT_INIT, MBEDTLS_MPI_INIT, \
+ 0, 0, 0, NULL, NULL, NULL, NULL, NULL, 0 }
/**
* \name SECTION: Module settings
*
@@ -419,6 +424,9 @@
}
mbedtls_ecp_keypair;
+#define MBEDTLS_ECP_KEYPAIR_INIT { MBEDTLS_ECP_GROUP_INIT, MBEDTLS_MPI_INIT, \
+ MBEDTLS_ECP_POINT_INIT }
+
/**
* The uncompressed point format for Short Weierstrass curves
* (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/error.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/error_common.h
similarity index 76%
rename from tf-psa-crypto/drivers/builtin/include/mbedtls/error.h
rename to tf-psa-crypto/drivers/builtin/include/mbedtls/error_common.h
index d101dee..58f1cde 100644
--- a/tf-psa-crypto/drivers/builtin/include/mbedtls/error.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/error_common.h
@@ -1,14 +1,14 @@
/**
- * \file error.h
+ * \file error_common.h
*
- * \brief Error to string translation
+ * \brief Error codes
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
-#ifndef MBEDTLS_ERROR_H
-#define MBEDTLS_ERROR_H
+#ifndef MBEDTLS_ERROR_COMMON_H
+#define MBEDTLS_ERROR_COMMON_H
#include "mbedtls/build_info.h"
@@ -152,49 +152,8 @@
return high + low;
}
-/**
- * \brief Translate an Mbed TLS error code into a string representation.
- * The result is truncated if necessary and always includes a
- * terminating null byte.
- *
- * \param errnum error code
- * \param buffer buffer to place representation in
- * \param buflen length of the buffer
- */
-void mbedtls_strerror(int errnum, char *buffer, size_t buflen);
-
-/**
- * \brief Translate the high-level part of an Mbed TLS error code into a string
- * representation.
- *
- * This function returns a const pointer to an un-modifiable string. The caller
- * must not try to modify the string. It is intended to be used mostly for
- * logging purposes.
- *
- * \param error_code error code
- *
- * \return The string representation of the error code, or \c NULL if the error
- * code is unknown.
- */
-const char *mbedtls_high_level_strerr(int error_code);
-
-/**
- * \brief Translate the low-level part of an Mbed TLS error code into a string
- * representation.
- *
- * This function returns a const pointer to an un-modifiable string. The caller
- * must not try to modify the string. It is intended to be used mostly for
- * logging purposes.
- *
- * \param error_code error code
- *
- * \return The string representation of the error code, or \c NULL if the error
- * code is unknown.
- */
-const char *mbedtls_low_level_strerr(int error_code);
-
#ifdef __cplusplus
}
#endif
-#endif /* error.h */
+#endif /* error_common.h */
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/psa_util.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/psa_util.h
index 08fa5b3..bf2748a 100644
--- a/tf-psa-crypto/drivers/builtin/include/mbedtls/psa_util.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/psa_util.h
@@ -161,6 +161,16 @@
* \param[out] der_len On success it contains the amount of valid data
* (in bytes) written to \p der. It's undefined
* in case of failure.
+ *
+ * \note The behavior is undefined if \p der is null,
+ * even if \p der_size is 0.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if \p der_size
+ * is too small or if \p bits is larger than the
+ * largest supported curve.
+ * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if one of the
+ * numbers in the signature is 0.
*/
int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len,
unsigned char *der, size_t der_size, size_t *der_len);
@@ -177,6 +187,15 @@
* \param[out] raw_len On success it is updated with the amount of valid
* data (in bytes) written to \p raw. It's undefined
* in case of failure.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if \p raw_size
+ * is too small or if \p bits is larger than the
+ * largest supported curve.
+ * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if the data in
+ * \p der is inconsistent with \p bits.
+ * \return An \c MBEDTLS_ERR_ASN1_xxx error code if
+ * \p der is malformed.
*/
int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len,
unsigned char *raw, size_t raw_size, size_t *raw_len);
diff --git a/tf-psa-crypto/drivers/builtin/src/aes.c b/tf-psa-crypto/drivers/builtin/src/aes.c
index b9145ea..c36845b 100644
--- a/tf-psa-crypto/drivers/builtin/src/aes.c
+++ b/tf-psa-crypto/drivers/builtin/src/aes.c
@@ -20,7 +20,7 @@
#include "mbedtls/aes.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
#if !((defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_AESCE_C)) || \
diff --git a/tf-psa-crypto/drivers/builtin/src/asn1parse.c b/tf-psa-crypto/drivers/builtin/src/asn1parse.c
index ecea904..6128865 100644
--- a/tf-psa-crypto/drivers/builtin/src/asn1parse.c
+++ b/tf-psa-crypto/drivers/builtin/src/asn1parse.c
@@ -12,7 +12,7 @@
#include "mbedtls/asn1.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/asn1write.c b/tf-psa-crypto/drivers/builtin/src/asn1write.c
index 6355fad..3e154f4 100644
--- a/tf-psa-crypto/drivers/builtin/src/asn1write.c
+++ b/tf-psa-crypto/drivers/builtin/src/asn1write.c
@@ -11,7 +11,7 @@
defined(PSA_HAVE_ALG_SOME_ECDSA)
#include "mbedtls/asn1write.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum.c b/tf-psa-crypto/drivers/builtin/src/bignum.c
index 4244909..36c18a4 100644
--- a/tf-psa-crypto/drivers/builtin/src/bignum.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum.c
@@ -30,7 +30,7 @@
#include "bignum_internal.h"
#include "bn_mul.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "constant_time_internal.h"
#include <limits.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_core.c b/tf-psa-crypto/drivers/builtin/src/bignum_core.c
index 60f48f9..67d5025 100644
--- a/tf-psa-crypto/drivers/builtin/src/bignum_core.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.c
@@ -11,7 +11,7 @@
#include <string.h>
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/platform_util.h"
#include "constant_time_internal.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_mod.c b/tf-psa-crypto/drivers/builtin/src/bignum_mod.c
index dfd332a..0d5534f 100644
--- a/tf-psa-crypto/drivers/builtin/src/bignum_mod.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod.c
@@ -12,7 +12,7 @@
#include <string.h>
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/bignum.h"
#include "mbedtls/platform.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c
index 5343bc6..5b889c8 100644
--- a/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c
@@ -11,7 +11,7 @@
#include <string.h>
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/platform.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/ccm.c b/tf-psa-crypto/drivers/builtin/src/ccm.c
index 68af903..0e6637f 100644
--- a/tf-psa-crypto/drivers/builtin/src/ccm.c
+++ b/tf-psa-crypto/drivers/builtin/src/ccm.c
@@ -20,7 +20,7 @@
#include "mbedtls/ccm.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/constant_time.h"
#if defined(MBEDTLS_BLOCK_CIPHER_C)
diff --git a/tf-psa-crypto/drivers/builtin/src/chacha20.c b/tf-psa-crypto/drivers/builtin/src/chacha20.c
index 3501837..36a70b3 100644
--- a/tf-psa-crypto/drivers/builtin/src/chacha20.c
+++ b/tf-psa-crypto/drivers/builtin/src/chacha20.c
@@ -15,7 +15,7 @@
#include "mbedtls/chacha20.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <stddef.h>
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/chachapoly.c b/tf-psa-crypto/drivers/builtin/src/chachapoly.c
index 5bfee09..3130ac1 100644
--- a/tf-psa-crypto/drivers/builtin/src/chachapoly.c
+++ b/tf-psa-crypto/drivers/builtin/src/chachapoly.c
@@ -12,7 +12,7 @@
#include "mbedtls/chachapoly.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/constant_time.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/cipher.c b/tf-psa-crypto/drivers/builtin/src/cipher.c
index 7f4c121..15b97fa 100644
--- a/tf-psa-crypto/drivers/builtin/src/cipher.c
+++ b/tf-psa-crypto/drivers/builtin/src/cipher.c
@@ -16,7 +16,7 @@
#include "mbedtls/cipher.h"
#include "cipher_wrap.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/constant_time.h"
#include "constant_time_internal.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c b/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c
index d2fee22..9726b31 100644
--- a/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c
+++ b/tf-psa-crypto/drivers/builtin/src/cipher_wrap.c
@@ -14,7 +14,7 @@
#if defined(MBEDTLS_CIPHER_C)
#include "cipher_wrap.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#if defined(MBEDTLS_CHACHAPOLY_C)
#include "mbedtls/chachapoly.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/cmac.c b/tf-psa-crypto/drivers/builtin/src/cmac.c
index 5e517c4..7066024 100644
--- a/tf-psa-crypto/drivers/builtin/src/cmac.c
+++ b/tf-psa-crypto/drivers/builtin/src/cmac.c
@@ -32,7 +32,7 @@
#include "mbedtls/cmac.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/platform.h"
#include "constant_time_internal.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/constant_time.c b/tf-psa-crypto/drivers/builtin/src/constant_time.c
index 95b8122..e233b62 100644
--- a/tf-psa-crypto/drivers/builtin/src/constant_time.c
+++ b/tf-psa-crypto/drivers/builtin/src/constant_time.c
@@ -16,7 +16,7 @@
#include "common.h"
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/platform_util.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c b/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c
index b82044e..facfc2e 100644
--- a/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c
+++ b/tf-psa-crypto/drivers/builtin/src/ctr_drbg.c
@@ -17,7 +17,7 @@
#include "ctr.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/des.c b/tf-psa-crypto/drivers/builtin/src/des.c
index 4bb354a..03d79ed 100644
--- a/tf-psa-crypto/drivers/builtin/src/des.c
+++ b/tf-psa-crypto/drivers/builtin/src/des.c
@@ -16,7 +16,7 @@
#if defined(MBEDTLS_DES_C)
#include "mbedtls/des.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/platform_util.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/dhm.c b/tf-psa-crypto/drivers/builtin/src/dhm.c
index 75af8b7..c7c3e08 100644
--- a/tf-psa-crypto/drivers/builtin/src/dhm.c
+++ b/tf-psa-crypto/drivers/builtin/src/dhm.c
@@ -19,7 +19,7 @@
#include "mbedtls/dhm.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/ecdh.c b/tf-psa-crypto/drivers/builtin/src/ecdh.c
index 28fe757..db77a31 100644
--- a/tf-psa-crypto/drivers/builtin/src/ecdh.c
+++ b/tf-psa-crypto/drivers/builtin/src/ecdh.c
@@ -18,7 +18,7 @@
#include "mbedtls/ecdh.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/ecdsa.c b/tf-psa-crypto/drivers/builtin/src/ecdsa.c
index 57d52fe..7971ef4 100644
--- a/tf-psa-crypto/drivers/builtin/src/ecdsa.c
+++ b/tf-psa-crypto/drivers/builtin/src/ecdsa.c
@@ -27,7 +27,7 @@
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#if defined(MBEDTLS_ECP_RESTARTABLE)
diff --git a/tf-psa-crypto/drivers/builtin/src/ecjpake.c b/tf-psa-crypto/drivers/builtin/src/ecjpake.c
index ebdae92..a0a386b 100644
--- a/tf-psa-crypto/drivers/builtin/src/ecjpake.c
+++ b/tf-psa-crypto/drivers/builtin/src/ecjpake.c
@@ -16,7 +16,7 @@
#include "mbedtls/ecjpake.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/ecp.c b/tf-psa-crypto/drivers/builtin/src/ecp.c
index 1e6b69b..ef58628 100644
--- a/tf-psa-crypto/drivers/builtin/src/ecp.c
+++ b/tf-psa-crypto/drivers/builtin/src/ecp.c
@@ -36,7 +36,7 @@
#include "mbedtls/ecp.h"
#include "mbedtls/threading.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "bn_mul.h"
#include "ecp_invasive.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/ecp_curves.c b/tf-psa-crypto/drivers/builtin/src/ecp_curves.c
index 97636a7..99ced0d 100644
--- a/tf-psa-crypto/drivers/builtin/src/ecp_curves.c
+++ b/tf-psa-crypto/drivers/builtin/src/ecp_curves.c
@@ -13,7 +13,7 @@
#include "mbedtls/ecp.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "bn_mul.h"
#include "bignum_core.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c b/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c
index 169247f..6506a22 100644
--- a/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c
+++ b/tf-psa-crypto/drivers/builtin/src/ecp_curves_new.c
@@ -14,7 +14,7 @@
#include "mbedtls/ecp.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/platform.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/entropy.c b/tf-psa-crypto/drivers/builtin/src/entropy.c
index 7dcf067..fd222c0 100644
--- a/tf-psa-crypto/drivers/builtin/src/entropy.c
+++ b/tf-psa-crypto/drivers/builtin/src/entropy.c
@@ -12,7 +12,7 @@
#include "mbedtls/entropy.h"
#include "entropy_poll.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/entropy_poll.c b/tf-psa-crypto/drivers/builtin/src/entropy_poll.c
index 611768c..bd2cf69 100644
--- a/tf-psa-crypto/drivers/builtin/src/entropy_poll.c
+++ b/tf-psa-crypto/drivers/builtin/src/entropy_poll.c
@@ -20,7 +20,7 @@
#include "mbedtls/entropy.h"
#include "entropy_poll.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#if defined(MBEDTLS_TIMING_C)
#include "mbedtls/timing.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/gcm.c b/tf-psa-crypto/drivers/builtin/src/gcm.c
index dda1ff2..8406266 100644
--- a/tf-psa-crypto/drivers/builtin/src/gcm.c
+++ b/tf-psa-crypto/drivers/builtin/src/gcm.c
@@ -22,7 +22,7 @@
#include "mbedtls/gcm.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/constant_time.h"
#if defined(MBEDTLS_BLOCK_CIPHER_C)
diff --git a/tf-psa-crypto/drivers/builtin/src/hkdf.c b/tf-psa-crypto/drivers/builtin/src/hkdf.c
index 631ac24..b241020 100644
--- a/tf-psa-crypto/drivers/builtin/src/hkdf.c
+++ b/tf-psa-crypto/drivers/builtin/src/hkdf.c
@@ -11,7 +11,7 @@
#include <string.h>
#include "mbedtls/hkdf.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
size_t salt_len, const unsigned char *ikm, size_t ikm_len,
diff --git a/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c b/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c
index c29fad3..eba5079 100644
--- a/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c
+++ b/tf-psa-crypto/drivers/builtin/src/hmac_drbg.c
@@ -17,7 +17,7 @@
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/lmots.c b/tf-psa-crypto/drivers/builtin/src/lmots.c
index c51cb41..23e235c 100644
--- a/tf-psa-crypto/drivers/builtin/src/lmots.c
+++ b/tf-psa-crypto/drivers/builtin/src/lmots.c
@@ -28,7 +28,7 @@
#include "mbedtls/lms.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "psa_util_internal.h"
#include "psa/crypto.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/lms.c b/tf-psa-crypto/drivers/builtin/src/lms.c
index 7f7bec0..d354046 100644
--- a/tf-psa-crypto/drivers/builtin/src/lms.c
+++ b/tf-psa-crypto/drivers/builtin/src/lms.c
@@ -29,7 +29,7 @@
#include "psa/crypto.h"
#include "psa_util_internal.h"
#include "mbedtls/lms.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/platform.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/md.c b/tf-psa-crypto/drivers/builtin/src/md.c
index eee8aa3..5100528 100644
--- a/tf-psa-crypto/drivers/builtin/src/md.c
+++ b/tf-psa-crypto/drivers/builtin/src/md.c
@@ -32,7 +32,7 @@
#include "mbedtls/md.h"
#include "md_wrap.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/md5.h"
#include "mbedtls/ripemd160.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/md5.c b/tf-psa-crypto/drivers/builtin/src/md5.c
index fd9a8e9..5e5ee86 100644
--- a/tf-psa-crypto/drivers/builtin/src/md5.c
+++ b/tf-psa-crypto/drivers/builtin/src/md5.c
@@ -16,7 +16,7 @@
#include "mbedtls/md5.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/nist_kw.c b/tf-psa-crypto/drivers/builtin/src/nist_kw.c
index a4b4be7..431a8ef 100644
--- a/tf-psa-crypto/drivers/builtin/src/nist_kw.c
+++ b/tf-psa-crypto/drivers/builtin/src/nist_kw.c
@@ -21,7 +21,7 @@
#include "mbedtls/nist_kw.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/constant_time.h"
#include "constant_time_internal.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/oid.c b/tf-psa-crypto/drivers/builtin/src/oid.c
index ae30dfe..ad3d8e0 100644
--- a/tf-psa-crypto/drivers/builtin/src/oid.c
+++ b/tf-psa-crypto/drivers/builtin/src/oid.c
@@ -13,7 +13,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/rsa.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/pk.h"
#include <stdio.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/pem.c b/tf-psa-crypto/drivers/builtin/src/pem.c
index 98f708f..2128892 100644
--- a/tf-psa-crypto/drivers/builtin/src/pem.c
+++ b/tf-psa-crypto/drivers/builtin/src/pem.c
@@ -16,7 +16,7 @@
#include "mbedtls/md.h"
#include "mbedtls/cipher.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/pk.c b/tf-psa-crypto/drivers/builtin/src/pk.c
index 28b4e7a..81e2d94 100644
--- a/tf-psa-crypto/drivers/builtin/src/pk.c
+++ b/tf-psa-crypto/drivers/builtin/src/pk.c
@@ -14,7 +14,7 @@
#include "pk_internal.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#if defined(MBEDTLS_RSA_C)
#include "mbedtls/rsa.h"
@@ -35,10 +35,6 @@
#include <limits.h>
#include <stdint.h>
-#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \
- (PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \
- PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
-
/*
* Initialise a mbedtls_pk_context
*/
diff --git a/tf-psa-crypto/drivers/builtin/src/pk_ecc.c b/tf-psa-crypto/drivers/builtin/src/pk_ecc.c
index 707988d..0c4ffbf 100644
--- a/tf-psa-crypto/drivers/builtin/src/pk_ecc.c
+++ b/tf-psa-crypto/drivers/builtin/src/pk_ecc.c
@@ -8,7 +8,7 @@
#include "common.h"
#include "mbedtls/pk.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/ecp.h"
#include "pk_internal.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/pk_wrap.c b/tf-psa-crypto/drivers/builtin/src/pk_wrap.c
index 31ec2fd..9063555 100644
--- a/tf-psa-crypto/drivers/builtin/src/pk_wrap.c
+++ b/tf-psa-crypto/drivers/builtin/src/pk_wrap.c
@@ -12,7 +12,7 @@
#if defined(MBEDTLS_PK_C)
#include "pk_wrap.h"
#include "pk_internal.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/psa_util.h"
/* Even if RSA not activated, for the sake of RSA-alt */
diff --git a/tf-psa-crypto/drivers/builtin/src/pkcs12.c b/tf-psa-crypto/drivers/builtin/src/pkcs12.c
index a3467b9..0c78569 100644
--- a/tf-psa-crypto/drivers/builtin/src/pkcs12.c
+++ b/tf-psa-crypto/drivers/builtin/src/pkcs12.c
@@ -21,7 +21,7 @@
#include "mbedtls/cipher.h"
#endif /* MBEDTLS_CIPHER_C */
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/pkcs5.c b/tf-psa-crypto/drivers/builtin/src/pkcs5.c
index c57f672..b43aaf7 100644
--- a/tf-psa-crypto/drivers/builtin/src/pkcs5.c
+++ b/tf-psa-crypto/drivers/builtin/src/pkcs5.c
@@ -20,7 +20,7 @@
#if defined(MBEDTLS_PKCS5_C)
#include "mbedtls/pkcs5.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#if defined(MBEDTLS_ASN1_PARSE_C)
#include "mbedtls/asn1.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/pkparse.c b/tf-psa-crypto/drivers/builtin/src/pkparse.c
index 3419ad9..006774c 100644
--- a/tf-psa-crypto/drivers/builtin/src/pkparse.c
+++ b/tf-psa-crypto/drivers/builtin/src/pkparse.c
@@ -14,7 +14,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/platform.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/ecp.h"
#include "pk_internal.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/pkwrite.c b/tf-psa-crypto/drivers/builtin/src/pkwrite.c
index 0b57995..ba073ad 100644
--- a/tf-psa-crypto/drivers/builtin/src/pkwrite.c
+++ b/tf-psa-crypto/drivers/builtin/src/pkwrite.c
@@ -13,7 +13,7 @@
#include "mbedtls/asn1write.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "pk_internal.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/platform.c b/tf-psa-crypto/drivers/builtin/src/platform.c
index 890c4cb..c535e9e 100644
--- a/tf-psa-crypto/drivers/builtin/src/platform.c
+++ b/tf-psa-crypto/drivers/builtin/src/platform.c
@@ -11,7 +11,7 @@
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
/* The compile time configuration of memory allocation via the macros
* MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
diff --git a/tf-psa-crypto/drivers/builtin/src/poly1305.c b/tf-psa-crypto/drivers/builtin/src/poly1305.c
index 81a4846..6d898f7 100644
--- a/tf-psa-crypto/drivers/builtin/src/poly1305.c
+++ b/tf-psa-crypto/drivers/builtin/src/poly1305.c
@@ -12,7 +12,7 @@
#include "mbedtls/poly1305.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c b/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c
index a201985..bcd7d95 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_crypto_aead.c
@@ -21,7 +21,7 @@
#include "mbedtls/chachapoly.h"
#include "mbedtls/cipher.h"
#include "mbedtls/gcm.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
static psa_status_t psa_aead_setup(
mbedtls_psa_aead_operation_t *operation,
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c b/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c
index 3216c94..2f635e8 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_crypto_cipher.c
@@ -15,7 +15,7 @@
#include "psa_crypto_random_impl.h"
#include "mbedtls/cipher.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c b/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c
index 749e11b..acb2482 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_crypto_ecp.c
@@ -23,7 +23,7 @@
#include <mbedtls/ecdsa.h>
#include <mbedtls/ecdh.h>
#include <mbedtls/ecp.h>
-#include <mbedtls/error.h>
+#include <mbedtls/error_common.h>
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
@@ -321,38 +321,36 @@
const psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
{
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
attributes->type);
mbedtls_ecp_group_id grp_id =
mbedtls_ecc_group_from_psa(curve, attributes->bits);
-
- const mbedtls_ecp_curve_info *curve_info =
- mbedtls_ecp_curve_info_from_grp_id(grp_id);
- mbedtls_ecp_keypair ecp;
-
- if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) {
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
return PSA_ERROR_NOT_SUPPORTED;
}
+ mbedtls_ecp_keypair ecp;
mbedtls_ecp_keypair_init(&ecp);
- ret = mbedtls_ecp_gen_key(grp_id, &ecp,
- mbedtls_psa_get_random,
- MBEDTLS_PSA_RANDOM_STATE);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_ecp_group_load(&ecp.grp, grp_id);
if (ret != 0) {
- mbedtls_ecp_keypair_free(&ecp);
- return mbedtls_to_psa_error(ret);
+ goto exit;
}
- status = mbedtls_to_psa_error(
- mbedtls_ecp_write_key_ext(&ecp, key_buffer_length,
- key_buffer, key_buffer_size));
+ ret = mbedtls_ecp_gen_privkey(&ecp.grp, &ecp.d,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_ecp_write_key_ext(&ecp, key_buffer_length,
+ key_buffer, key_buffer_size);
+
+exit:
mbedtls_ecp_keypair_free(&ecp);
-
- return status;
+ return mbedtls_to_psa_error(ret);
}
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
@@ -596,41 +594,38 @@
/* Interruptible ECC Key Generation */
/****************************************************************/
-uint32_t psa_generate_key_iop_get_num_ops(
- psa_generate_key_iop_t *operation)
-{
- (void) operation;
- return 0;
-}
+#if defined(MBEDTLS_ECP_RESTARTABLE)
-psa_status_t psa_generate_key_iop_setup(
- psa_generate_key_iop_t *operation,
+psa_status_t mbedtls_psa_generate_key_iop_setup(
+ mbedtls_psa_generate_key_iop_t *operation,
const psa_key_attributes_t *attributes)
{
- (void) operation;
- (void) attributes;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- return PSA_ERROR_NOT_SUPPORTED;
+ mbedtls_ecp_keypair_init(&operation->ecp);
+
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
+ psa_get_key_type(attributes));
+ mbedtls_ecp_group_id grp_id =
+ mbedtls_ecc_group_from_psa(curve, psa_get_key_bits(attributes));
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ status = mbedtls_ecp_group_load(&operation->ecp.grp, grp_id);
+
+ return mbedtls_to_psa_error(status);
}
-psa_status_t psa_generate_key_iop_complete(
- psa_generate_key_iop_t *operation,
- psa_key_id_t *key)
+psa_status_t mbedtls_psa_generate_key_iop_abort(
+ mbedtls_psa_generate_key_iop_t *operation)
{
- (void) operation;
- (void) key;
-
- return PSA_ERROR_NOT_SUPPORTED;
+ mbedtls_ecp_keypair_free(&operation->ecp);
+ operation->num_ops = 0;
+ return PSA_SUCCESS;
}
-psa_status_t psa_generate_key_iop_abort(
- psa_generate_key_iop_t *operation)
-{
- (void) operation;
-
- return PSA_ERROR_NOT_SUPPORTED;
-}
-
+#endif
/****************************************************************/
/* Interruptible ECC Key Agreement */
/****************************************************************/
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c b/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c
index ae38f6d..1d7828e 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_crypto_ffdh.c
@@ -21,7 +21,7 @@
#include "psa_crypto_ffdh.h"
#include "psa_crypto_random_impl.h"
#include "mbedtls/platform.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) || \
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c b/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c
index eeb7666..0849c9f 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_crypto_hash.c
@@ -14,7 +14,7 @@
#include "psa_crypto_core.h"
#include "psa_crypto_hash.h"
-#include <mbedtls/error.h>
+#include <mbedtls/error_common.h>
#include <string.h>
#if defined(MBEDTLS_PSA_BUILTIN_HASH)
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c b/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c
index 8fe6218..9486b31 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_crypto_mac.c
@@ -16,7 +16,7 @@
#include "psa_crypto_mac.h"
#include <mbedtls/md.h>
-#include <mbedtls/error.h>
+#include <mbedtls/error_common.h>
#include "mbedtls/constant_time.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c b/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c
index 9ac2e8c..2703e7d 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_crypto_pake.c
@@ -19,7 +19,7 @@
#include "psa_util_internal.h"
#include <mbedtls/platform.h>
-#include <mbedtls/error.h>
+#include <mbedtls/error_common.h>
#include <string.h>
/*
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c b/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c
index 5fe26ec..9678a96 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_crypto_rsa.c
@@ -23,7 +23,7 @@
#include "mbedtls/platform.h"
#include <mbedtls/rsa.h>
-#include <mbedtls/error.h>
+#include <mbedtls/error_common.h>
#include "rsa_internal.h"
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
diff --git a/tf-psa-crypto/drivers/builtin/src/psa_util.c b/tf-psa-crypto/drivers/builtin/src/psa_util.c
index 36ad0ce..b2d2cd9 100644
--- a/tf-psa-crypto/drivers/builtin/src/psa_util.c
+++ b/tf-psa-crypto/drivers/builtin/src/psa_util.c
@@ -9,7 +9,7 @@
#include "common.h"
/* This is needed for MBEDTLS_ERR_XXX macros */
-#include <mbedtls/error.h>
+#include <mbedtls/error_common.h>
#if defined(MBEDTLS_ASN1_WRITE_C)
#include <mbedtls/asn1write.h>
@@ -440,6 +440,9 @@
unsigned char *p = der + der_size;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if (bits == 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
if (raw_len != (2 * coordinate_len)) {
return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
@@ -559,6 +562,9 @@
size_t coordinate_size = PSA_BITS_TO_BYTES(bits);
int ret;
+ if (bits == 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
/* The output raw buffer should be at least twice the size of a raw
* coordinate in order to store r and s. */
if (raw_size < coordinate_size * 2) {
diff --git a/tf-psa-crypto/drivers/builtin/src/ripemd160.c b/tf-psa-crypto/drivers/builtin/src/ripemd160.c
index 0845fe8..b696c04 100644
--- a/tf-psa-crypto/drivers/builtin/src/ripemd160.c
+++ b/tf-psa-crypto/drivers/builtin/src/ripemd160.c
@@ -17,7 +17,7 @@
#include "mbedtls/ripemd160.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/rsa.c b/tf-psa-crypto/drivers/builtin/src/rsa.c
index 33bb1d3..458ee26 100644
--- a/tf-psa-crypto/drivers/builtin/src/rsa.c
+++ b/tf-psa-crypto/drivers/builtin/src/rsa.c
@@ -35,7 +35,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
#include "md_psa.h"
diff --git a/tf-psa-crypto/drivers/builtin/src/sha1.c b/tf-psa-crypto/drivers/builtin/src/sha1.c
index bd1b630..208bac4 100644
--- a/tf-psa-crypto/drivers/builtin/src/sha1.c
+++ b/tf-psa-crypto/drivers/builtin/src/sha1.c
@@ -16,7 +16,7 @@
#include "mbedtls/sha1.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/sha256.c b/tf-psa-crypto/drivers/builtin/src/sha256.c
index 842b892..f2800e4 100644
--- a/tf-psa-crypto/drivers/builtin/src/sha256.c
+++ b/tf-psa-crypto/drivers/builtin/src/sha256.c
@@ -54,7 +54,7 @@
#include "mbedtls/sha256.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/sha3.c b/tf-psa-crypto/drivers/builtin/src/sha3.c
index 5738559..dc7cac4 100644
--- a/tf-psa-crypto/drivers/builtin/src/sha3.c
+++ b/tf-psa-crypto/drivers/builtin/src/sha3.c
@@ -43,7 +43,7 @@
#include "mbedtls/sha3.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include <string.h>
diff --git a/tf-psa-crypto/drivers/builtin/src/sha512.c b/tf-psa-crypto/drivers/builtin/src/sha512.c
index 9d8cffb..b915f99 100644
--- a/tf-psa-crypto/drivers/builtin/src/sha512.c
+++ b/tf-psa-crypto/drivers/builtin/src/sha512.c
@@ -32,7 +32,7 @@
#include "mbedtls/sha512.h"
#include "mbedtls/platform_util.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#if defined(_MSC_VER) || defined(__WATCOMC__)
#define UL64(x) x##ui64
diff --git a/tf-psa-crypto/drivers/everest/CMakeLists.txt b/tf-psa-crypto/drivers/everest/CMakeLists.txt
index e704859..5671200 100644
--- a/tf-psa-crypto/drivers/everest/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/everest/CMakeLists.txt
@@ -5,6 +5,7 @@
library/x25519.c
library/Hacl_Curve25519_joined.c)
+set_base_compile_options(${everest_target})
target_include_directories(${everest_target}
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
diff --git a/tf-psa-crypto/drivers/p256-m/CMakeLists.txt b/tf-psa-crypto/drivers/p256-m/CMakeLists.txt
index bc53a5e..af046da 100644
--- a/tf-psa-crypto/drivers/p256-m/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/p256-m/CMakeLists.txt
@@ -4,6 +4,8 @@
p256-m_driver_entrypoints.c
p256-m/p256-m.c)
+set_base_compile_options(${p256m_target})
+
target_include_directories(${p256m_target}
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
$<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
@@ -29,7 +31,7 @@
if(INSTALL_TF_PSA_CRYPTO_HEADERS)
- install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
+ install(DIRECTORY p256-m
DESTINATION include
FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
@@ -38,6 +40,6 @@
endif(INSTALL_TF_PSA_CRYPTO_HEADERS)
install(TARGETS ${p256m_target}
-EXPORT MbedTLSTargets
-DESTINATION ${CMAKE_INSTALL_LIBDIR}
-PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+ EXPORT MbedTLSTargets
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}
+ PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
diff --git a/tf-psa-crypto/include/psa/crypto.h b/tf-psa-crypto/include/psa/crypto.h
index aa58033..58b6887 100644
--- a/tf-psa-crypto/include/psa/crypto.h
+++ b/tf-psa-crypto/include/psa/crypto.h
@@ -4360,8 +4360,9 @@
* time. The only guarantee is that lower values
* for \p max_ops means functions will block for a
* lesser maximum amount of time. The functions
- * \c psa_sign_interruptible_get_num_ops() and
- * \c psa_verify_interruptible_get_num_ops() are
+ * \c psa_sign_interruptible_get_num_ops(),
+ * \c psa_verify_interruptible_get_num_ops() and
+ * \c psa_generate_key_iop_get_num_ops() are
* provided to help with tuning this value.
*
* \note This value defaults to
diff --git a/tf-psa-crypto/include/psa/crypto_builtin_composites.h b/tf-psa-crypto/include/psa/crypto_builtin_composites.h
index c14f5dd..c9c0c6b 100644
--- a/tf-psa-crypto/include/psa/crypto_builtin_composites.h
+++ b/tf-psa-crypto/include/psa/crypto_builtin_composites.h
@@ -211,4 +211,20 @@
#define MBEDTLS_PSA_PAKE_OPERATION_INIT { { 0 } }
+typedef struct {
+#if defined(MBEDTLS_ECP_C)
+ mbedtls_ecp_keypair MBEDTLS_PRIVATE(ecp);
+ uint32_t num_ops;
+#else
+ /* Make the struct non-empty if algs not supported. */
+ unsigned MBEDTLS_PRIVATE(dummy);
+#endif
+} mbedtls_psa_generate_key_iop_t;
+
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_PSA_GENERATE_KEY_IOP_INIT { MBEDTLS_ECP_KEYPAIR_INIT, 0 }
+#else
+#define MBEDTLS_PSA_GENERATE_KEY_IOP_INIT { 0 }
+#endif
+
#endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */
diff --git a/tf-psa-crypto/include/psa/crypto_extra.h b/tf-psa-crypto/include/psa/crypto_extra.h
index 0cf42c6..f48c087 100644
--- a/tf-psa-crypto/include/psa/crypto_extra.h
+++ b/tf-psa-crypto/include/psa/crypto_extra.h
@@ -32,6 +32,16 @@
#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
#endif
+/* If the size of static key slots is not explicitly defined by the user, then
+ * set it to the maximum between PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE and
+ * PSA_CIPHER_MAX_KEY_LENGTH.
+ * See mbedtls_config.h for the definition. */
+#if !defined(MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)
+#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE \
+ ((PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE > PSA_CIPHER_MAX_KEY_LENGTH) ? \
+ PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE : PSA_CIPHER_MAX_KEY_LENGTH)
+#endif /* !MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE*/
+
/** \addtogroup attributes
* @{
*/
diff --git a/tf-psa-crypto/include/psa/crypto_sizes.h b/tf-psa-crypto/include/psa/crypto_sizes.h
index 635ee98..87b8c39 100644
--- a/tf-psa-crypto/include/psa/crypto_sizes.h
+++ b/tf-psa-crypto/include/psa/crypto_sizes.h
@@ -1038,6 +1038,10 @@
PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
#endif
+#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \
+ ((PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \
+ PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
+
/** Sufficient output buffer size for psa_raw_key_agreement().
*
* This macro returns a compile-time constant if its arguments are
@@ -1085,6 +1089,27 @@
#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS)
#endif
+/** Maximum key length for ciphers.
+ *
+ * Since there is no additional PSA_WANT_xxx symbol to specifiy the size of
+ * the key once a cipher is enabled (as it happens for asymmetric keys for
+ * example), the maximum key length is taken into account for each cipher.
+ * The resulting value will be the maximum cipher's key length given depending
+ * on which ciphers are enabled.
+ *
+ * Note: max value for AES used below would be doubled if XTS were enabled, but
+ * this mode is currently not supported in Mbed TLS implementation of PSA
+ * APIs.
+ */
+#if (defined(PSA_WANT_KEY_TYPE_AES) || defined(PSA_WANT_KEY_TYPE_ARIA) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA) || defined(PSA_WANT_KEY_TYPE_CHACHA20))
+#define PSA_CIPHER_MAX_KEY_LENGTH 32u
+#elif defined(PSA_WANT_KEY_TYPE_DES)
+#define PSA_CIPHER_MAX_KEY_LENGTH 24u
+#else
+#define PSA_CIPHER_MAX_KEY_LENGTH 0u
+#endif
+
/** The default IV size for a cipher algorithm, in bytes.
*
* The IV that is generated as part of a call to #psa_cipher_encrypt() is always
diff --git a/tf-psa-crypto/include/psa/crypto_struct.h b/tf-psa-crypto/include/psa/crypto_struct.h
index 2eec948..76ef5c4 100644
--- a/tf-psa-crypto/include/psa/crypto_struct.h
+++ b/tf-psa-crypto/include/psa/crypto_struct.h
@@ -542,14 +542,18 @@
* any driver (i.e. none of the driver contexts are active).
*/
unsigned int MBEDTLS_PRIVATE(id);
-
+ mbedtls_psa_generate_key_iop_t MBEDTLS_PRIVATE(ctx);
+ psa_key_attributes_t MBEDTLS_PRIVATE(attributes);
+ unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+ uint32_t MBEDTLS_PRIVATE(num_ops);
#endif
};
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
#define PSA_GENERATE_KEY_IOP_INIT { 0 }
#else
-#define PSA_GENERATE_KEY_IOP_INIT { 0 }
+#define PSA_GENERATE_KEY_IOP_INIT { 0, MBEDTLS_PSA_GENERATE_KEY_IOP_INIT, PSA_KEY_ATTRIBUTES_INIT, \
+ 0, 0 }
#endif
static inline struct psa_generate_key_iop_s
diff --git a/tf-psa-crypto/pkgconfig/.gitignore b/tf-psa-crypto/pkgconfig/.gitignore
new file mode 100644
index 0000000..5460c20
--- /dev/null
+++ b/tf-psa-crypto/pkgconfig/.gitignore
@@ -0,0 +1,2 @@
+Makefile
+*.pc
diff --git a/tf-psa-crypto/pkgconfig/CMakeLists.txt b/tf-psa-crypto/pkgconfig/CMakeLists.txt
new file mode 100644
index 0000000..4b62a04
--- /dev/null
+++ b/tf-psa-crypto/pkgconfig/CMakeLists.txt
@@ -0,0 +1,15 @@
+if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
+ include(JoinPaths.cmake)
+ join_paths(PKGCONFIG_INCLUDEDIR "\${prefix}" "${CMAKE_INSTALL_INCLUDEDIR}")
+ join_paths(PKGCONFIG_LIBDIR "\${prefix}" "${CMAKE_INSTALL_LIBDIR}")
+
+ #define these manually since minimum CMAKE version is not 3.9 for DESCRIPTION and 3.12 for HOMEPAGE_URL usage in project() below.
+ # Prefix with something that won't clash with newer versions of CMAKE.
+ set(PKGCONFIG_PROJECT_DESCRIPTION "TF-PSA-Crypto is a C library that implements cryptographic primitives. Its small code footprint makes it suitable for embedded systems.")
+ set(PKGCONFIG_PROJECT_HOMEPAGE_URL "https://www.trustedfirmware.org/projects/mbed-tls/")
+
+ configure_file(tfpsacrypto.pc.in tfpsacrypto.pc @ONLY)
+ install(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/tfpsacrypto.pc
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
+endif()
diff --git a/tf-psa-crypto/pkgconfig/JoinPaths.cmake b/tf-psa-crypto/pkgconfig/JoinPaths.cmake
new file mode 100644
index 0000000..193caed
--- /dev/null
+++ b/tf-psa-crypto/pkgconfig/JoinPaths.cmake
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+# This module provides function for joining paths
+# known from most languages
+#
+# Copyright The Mbed TLS Contributors
+#
+# This script originates from:
+# - https://github.com/jtojnar/cmake-snips
+# Jan has provided re-licensing under Apache 2.0 and GPL 2.0+ and
+# allowed for the change of Copyright.
+#
+# Modelled after Python’s os.path.join
+# https://docs.python.org/3.7/library/os.path.html#os.path.join
+# Windows not supported
+function(join_paths joined_path first_path_segment)
+ set(temp_path "${first_path_segment}")
+ foreach(current_segment IN LISTS ARGN)
+ if(NOT ("${current_segment}" STREQUAL ""))
+ if(IS_ABSOLUTE "${current_segment}")
+ set(temp_path "${current_segment}")
+ else()
+ set(temp_path "${temp_path}/${current_segment}")
+ endif()
+ endif()
+ endforeach()
+ set(${joined_path} "${temp_path}" PARENT_SCOPE)
+endfunction()
diff --git a/tf-psa-crypto/pkgconfig/tfpsacrypto.pc.in b/tf-psa-crypto/pkgconfig/tfpsacrypto.pc.in
new file mode 100644
index 0000000..2d130ea
--- /dev/null
+++ b/tf-psa-crypto/pkgconfig/tfpsacrypto.pc.in
@@ -0,0 +1,10 @@
+prefix=@CMAKE_INSTALL_PREFIX@
+includedir=@PKGCONFIG_INCLUDEDIR@
+libdir=@PKGCONFIG_LIBDIR@
+
+Name: @PROJECT_NAME@
+Description: @PKGCONFIG_PROJECT_DESCRIPTION@
+URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@
+Version: @PROJECT_VERSION@
+Cflags: -I"${includedir}"
+Libs: -L"${libdir}" -lmbedcrypto -lbuiltin -leverest -lp256m
diff --git a/tf-psa-crypto/programs/test/cmake_package/.gitignore b/tf-psa-crypto/programs/test/cmake_package/.gitignore
new file mode 100644
index 0000000..fd34d2b
--- /dev/null
+++ b/tf-psa-crypto/programs/test/cmake_package/.gitignore
@@ -0,0 +1,3 @@
+Makefile
+cmake_package
+tf-psa-crypto
diff --git a/tf-psa-crypto/programs/test/cmake_package/CMakeLists.txt b/tf-psa-crypto/programs/test/cmake_package/CMakeLists.txt
new file mode 100644
index 0000000..20b7322
--- /dev/null
+++ b/tf-psa-crypto/programs/test/cmake_package/CMakeLists.txt
@@ -0,0 +1,35 @@
+cmake_minimum_required(VERSION 2.8.12)
+
+#
+# Simulate configuring and building TF-PSA-Crypto as the user might do it.
+# We'll skip installing it, and use the build directory directly instead.
+#
+
+set(TF-PSA-Crypto_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../../..")
+set(TF-PSA-Crypto_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/tf-psa-crypto")
+
+execute_process(
+ COMMAND "${CMAKE_COMMAND}"
+ "-H${TF-PSA-Crypto_SOURCE_DIR}"
+ "-B${TF-PSA-Crypto_BINARY_DIR}"
+ "-DENABLE_PROGRAMS=NO"
+ "-DENABLE_TESTING=NO")
+
+execute_process(
+ COMMAND "${CMAKE_COMMAND}"
+ --build "${TF-PSA-Crypto_BINARY_DIR}")
+
+#
+# Locate the package.
+#
+
+set(TF-PSA-Crypto_DIR "${TF-PSA-Crypto_BINARY_DIR}/cmake")
+find_package(TF-PSA-Crypto REQUIRED)
+
+#
+# At this point, the TF-PSA-Crypto targets should have been imported, and we
+# can now link to them from our own program.
+#
+
+add_executable(cmake_package cmake_package.c)
+target_link_libraries(cmake_package TF-PSA-Crypto::mbedcrypto)
diff --git a/tf-psa-crypto/programs/test/cmake_package/cmake_package.c b/tf-psa-crypto/programs/test/cmake_package/cmake_package.c
new file mode 100644
index 0000000..c12ae7b
--- /dev/null
+++ b/tf-psa-crypto/programs/test/cmake_package/cmake_package.c
@@ -0,0 +1,19 @@
+/*
+ * Simple program to test that TF-PSA-Crypto builds correctly as a CMake
+ * package.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <psa/crypto.h>
+
+/* The main reason to build this is for testing the CMake build, so the program
+ * doesn't need to do very much. It calls a PSA cryptography API to ensure
+ * linkage works, but that is all. */
+int main()
+{
+ psa_crypto_init();
+
+ return 0;
+}
diff --git a/tf-psa-crypto/tests/CMakeLists.txt b/tf-psa-crypto/tests/CMakeLists.txt
index 862d862..0793dbe 100644
--- a/tf-psa-crypto/tests/CMakeLists.txt
+++ b/tf-psa-crypto/tests/CMakeLists.txt
@@ -3,13 +3,6 @@
${CMAKE_THREAD_LIBS_INIT}
)
-# Set the project root directory if it's not already defined, as may happen if
-# the tests folder is included directly by a parent project, without including
-# the top level CMakeLists.txt.
-if(NOT DEFINED MBEDTLS_DIR)
- set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
-endif()
-
if(NOT TF_PSA_CRYPTO_PYTHON_EXECUTABLE)
message(FATAL_ERROR "Cannot build test suites without Python 3")
endif()
@@ -301,6 +294,8 @@
add_executable(test_suite_${data_name} test_suite_${data_name}.c
$<TARGET_OBJECTS:mbedtls_test>)
+ set_base_compile_options(test_suite_${data_name})
+ target_compile_options(test_suite_${data_name} PRIVATE ${TEST_C_FLAGS})
add_dependencies(test_suite_${data_name} ${dependency})
target_link_libraries(test_suite_${data_name} ${libs})
# Include test-specific header files from ./include and private header
@@ -328,13 +323,12 @@
add_definitions("-D_POSIX_C_SOURCE=200809L")
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+ set(TEST_C_FLAGS -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code)
endif(CMAKE_COMPILER_IS_CLANG)
if(MSVC)
# If a warning level has been defined, suppress all warnings for test code
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W0")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX-")
+ set(TEST_C_FLAGS /W0 /WX-)
endif(MSVC)
file(GLOB test_suites RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" suites/*.data)
@@ -357,5 +351,6 @@
if(EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/seedfile")
link_to_source(seedfile)
endif()
+ link_to_source(Descriptions.txt)
link_to_source(../../framework/data_files)
endif()
diff --git a/tf-psa-crypto/tests/Descriptions.txt b/tf-psa-crypto/tests/Descriptions.txt
new file mode 100644
index 0000000..bc25056
--- /dev/null
+++ b/tf-psa-crypto/tests/Descriptions.txt
@@ -0,0 +1,5 @@
+test_suites
+ The various 'test_suite_XXX' programs from the 'tests' directory, executed
+ using 'make check' (Unix make) or 'make test' (Cmake), include test cases
+ (reference test vectors, sanity checks, malformed input for parsing
+ functions, etc.) for all modules except the SSL modules.
diff --git a/tf-psa-crypto/tests/suites/helpers.function b/tf-psa-crypto/tests/suites/helpers.function
index b561f47..37ed61a 100644
--- a/tf-psa-crypto/tests/suites/helpers.function
+++ b/tf-psa-crypto/tests/suites/helpers.function
@@ -16,9 +16,7 @@
#include <stdlib.h>
#include <string.h>
-#if defined(MBEDTLS_ERROR_C)
-#include "mbedtls/error.h"
-#endif
+#include "mbedtls/error_common.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
diff --git a/tf-psa-crypto/tests/suites/main_test.function b/tf-psa-crypto/tests/suites/main_test.function
index c0cc2ac..aebae1c 100644
--- a/tf-psa-crypto/tests/suites/main_test.function
+++ b/tf-psa-crypto/tests/suites/main_test.function
@@ -232,10 +232,8 @@
#if defined(MBEDTLS_TEST_HOOKS)
extern void (*mbedtls_test_hook_test_fail)(const char *test, int line, const char *file);
mbedtls_test_hook_test_fail = &mbedtls_test_fail;
-#if defined(MBEDTLS_ERROR_C)
mbedtls_test_hook_error_add = &mbedtls_test_err_add_check;
#endif
-#endif
/* Try changing to the directory containing the executable, if
* using the default data file. This allows running the executable
diff --git a/tf-psa-crypto/tests/suites/test_suite_bignum.function b/tf-psa-crypto/tests/suites/test_suite_bignum.function
index 3d2b8a1..36f1476 100644
--- a/tf-psa-crypto/tests/suites/test_suite_bignum.function
+++ b/tf-psa-crypto/tests/suites/test_suite_bignum.function
@@ -212,28 +212,22 @@
int output_size, int result)
{
mbedtls_mpi X;
- unsigned char buf[1000];
- size_t buflen;
-
- memset(buf, 0x00, 1000);
-
mbedtls_mpi_init(&X);
+ unsigned char *buf = NULL;
- TEST_ASSERT(mbedtls_test_read_mpi(&X, input_X) == 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0);
- buflen = mbedtls_mpi_size(&X);
- if (buflen > (size_t) output_size) {
- buflen = (size_t) output_size;
- }
+ TEST_CALLOC(buf, output_size);
- TEST_ASSERT(mbedtls_mpi_write_binary(&X, buf, buflen) == result);
+ TEST_EQUAL(mbedtls_mpi_write_binary(&X, buf, output_size), result);
+
if (result == 0) {
-
- TEST_ASSERT(mbedtls_test_hexcmp(buf, input_A->x,
- buflen, input_A->len) == 0);
+ TEST_EQUAL(mbedtls_test_hexcmp(buf, input_A->x,
+ output_size, input_A->len), 0);
}
exit:
+ mbedtls_free(buf);
mbedtls_mpi_free(&X);
}
/* END_CASE */
@@ -243,28 +237,22 @@
int output_size, int result)
{
mbedtls_mpi X;
- unsigned char buf[1000];
- size_t buflen;
-
- memset(buf, 0x00, 1000);
-
mbedtls_mpi_init(&X);
+ unsigned char *buf = NULL;
- TEST_ASSERT(mbedtls_test_read_mpi(&X, input_X) == 0);
+ TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0);
- buflen = mbedtls_mpi_size(&X);
- if (buflen > (size_t) output_size) {
- buflen = (size_t) output_size;
- }
+ TEST_CALLOC(buf, output_size);
- TEST_ASSERT(mbedtls_mpi_write_binary_le(&X, buf, buflen) == result);
+ TEST_EQUAL(mbedtls_mpi_write_binary_le(&X, buf, output_size), result);
+
if (result == 0) {
-
- TEST_ASSERT(mbedtls_test_hexcmp(buf, input_A->x,
- buflen, input_A->len) == 0);
+ TEST_EQUAL(mbedtls_test_hexcmp(buf, input_A->x,
+ output_size, input_A->len), 0);
}
exit:
+ mbedtls_free(buf);
mbedtls_mpi_free(&X);
}
/* END_CASE */
diff --git a/tf-psa-crypto/tests/suites/test_suite_bignum.misc.data b/tf-psa-crypto/tests/suites/test_suite_bignum.misc.data
index de2ea87..1228a4d 100644
--- a/tf-psa-crypto/tests/suites/test_suite_bignum.misc.data
+++ b/tf-psa-crypto/tests/suites/test_suite_bignum.misc.data
@@ -92,7 +92,10 @@
mpi_read_binary_le:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"24448B952FBBEF93F89286BA330E62528B151EAC265CC8CE3038519D09E148AF89288E91F48B41ACAD55D9DC5E2B18097C106BE4CE132721BF6359EAF403E7FF90623E8866EE5C192320418DAA682F144ADEDF84F25DE11F49D1FE009D374109"
Base test mbedtls_mpi_write_binary #1
-mpi_write_binary:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":200:0
+mpi_write_binary:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"000000000941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":100:0
+
+Test mbedtls_mpi_write_binary #1 (Buffer is larger)
+mpi_write_binary:"123123123123123123123123123":"000123123123123123123123123123":15:0
Test mbedtls_mpi_write_binary #1 (Buffer just fits)
mpi_write_binary:"123123123123123123123123123":"0123123123123123123123123123":14:0
@@ -100,8 +103,17 @@
Test mbedtls_mpi_write_binary #2 (Buffer too small)
mpi_write_binary:"123123123123123123123123123":"23123123123123123123123123":13:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+Test mbedtls_mpi_write_binary: nonzero to NULL
+mpi_write_binary:"01":"":0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+Test mbedtls_mpi_write_binary: 0 to NULL
+mpi_write_binary:"00":"":0:0
+
Base test mbedtls_mpi_write_binary_le #1
-mpi_write_binary_le:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"24448b952fbbef93f89286ba330e62528b151eac265cc8ce3038519d09e148af89288e91f48b41acad55d9dc5e2b18097c106be4ce132721bf6359eaf403e7ff90623e8866ee5c192320418daa682f144adedf84f25de11f49d1fe009d374109":200:0
+mpi_write_binary_le:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"24448b952fbbef93f89286ba330e62528b151eac265cc8ce3038519d09e148af89288e91f48b41acad55d9dc5e2b18097c106be4ce132721bf6359eaf403e7ff90623e8866ee5c192320418daa682f144adedf84f25de11f49d1fe009d37410900000000":100:0
+
+Test mbedtls_mpi_write_binary_le #1 (Buffer is larger)
+mpi_write_binary_le:"123123123123123123123123123":"233112233112233112233112230100":15:0
Test mbedtls_mpi_write_binary_le #1 (Buffer just fits)
mpi_write_binary_le:"123123123123123123123123123":"2331122331122331122331122301":14:0
@@ -109,6 +121,12 @@
Test mbedtls_mpi_write_binary_le #2 (Buffer too small)
mpi_write_binary_le:"123123123123123123123123123":"23311223311223311223311223":13:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+Test mbedtls_mpi_write_binary_le: nonzero to NULL
+mpi_write_binary_le:"01":"":0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+
+Test mbedtls_mpi_write_binary_le: 0 to NULL
+mpi_write_binary_le:"00":"":0:0
+
Base test mbedtls_mpi_read_file #1
mpi_read_file:"../../framework/data_files/mpi_16":"01f55332c3a48b910f9942f6c914e58bef37a47ee45cb164a5b6b8d1006bf59a059c21449939ebebfdf517d2e1dbac88010d7b1f141e997bd6801ddaec9d05910f4f2de2b2c4d714e2c14a72fc7f17aa428d59c531627f09":0
diff --git a/tf-psa-crypto/tests/suites/test_suite_ccm.function b/tf-psa-crypto/tests/suites/test_suite_ccm.function
index dbb313b..798be77 100644
--- a/tf-psa-crypto/tests/suites/test_suite_ccm.function
+++ b/tf-psa-crypto/tests/suites/test_suite_ccm.function
@@ -79,11 +79,11 @@
void mbedtls_ccm_setkey(int cipher_id, int key_size, int result)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
unsigned char key[32];
int ret;
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
memset(key, 0x2A, sizeof(key));
TEST_ASSERT((unsigned) key_size <= 8 * sizeof(key));
@@ -101,6 +101,7 @@
void ccm_lengths(int msg_len, int iv_len, int add_len, int tag_len, int res)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
unsigned char key[16];
unsigned char msg[10];
unsigned char iv[14];
@@ -110,7 +111,6 @@
int decrypt_ret;
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_CALLOC_OR_SKIP(add, add_len);
memset(key, 0, sizeof(key));
@@ -146,6 +146,7 @@
int res)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
unsigned char key[16];
unsigned char msg[10];
unsigned char iv[14];
@@ -155,7 +156,6 @@
int decrypt_ret;
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
memset(key, 0, sizeof(key));
memset(msg, 0, sizeof(msg));
@@ -191,6 +191,7 @@
data_t *add, data_t *result)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
size_t n1, n1_add;
uint8_t *io_msg_buf = NULL;
uint8_t *tag_buf = NULL;
@@ -207,7 +208,6 @@
TEST_CALLOC(tag_buf, expected_tag_len);
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
/* Test with input == output */
TEST_EQUAL(mbedtls_ccm_encrypt_and_tag(&ctx, msg->len, iv->x, iv->len, add->x, add->len,
@@ -248,11 +248,11 @@
data_t *msg, data_t *iv, data_t *result)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
size_t olen;
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 0, msg->len, 0));
@@ -277,6 +277,7 @@
data_t *expected_msg)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
size_t n1, n1_add;
const size_t expected_msg_len = msg->len - expected_tag_len;
@@ -290,7 +291,6 @@
}
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
/* Test with input == output */
TEST_EQUAL(mbedtls_ccm_auth_decrypt(&ctx, expected_msg_len, iv->x, iv->len, add->x, add->len,
@@ -343,6 +343,7 @@
{
unsigned char iv[13];
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
size_t iv_len, expected_tag_len;
size_t n1, n1_add;
uint8_t *io_msg_buf = NULL;
@@ -379,7 +380,6 @@
iv_len = sizeof(iv);
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id,
key->x, key->len * 8), 0);
/* Test with input == output */
@@ -430,6 +430,7 @@
{
unsigned char iv[13];
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
size_t iv_len, expected_tag_len;
size_t n1, n1_add;
@@ -460,7 +461,6 @@
iv_len = sizeof(iv);
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_ASSERT(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8) == 0);
/* Test with input == output */
TEST_EQUAL(mbedtls_ccm_star_auth_decrypt(&ctx, expected_msg_len, iv, iv_len,
@@ -507,6 +507,7 @@
data_t *result, data_t *tag)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
size_t olen;
@@ -514,7 +515,6 @@
TEST_EQUAL(msg->len, result->len);
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, 0, msg->len, tag->len));
@@ -547,10 +547,10 @@
data_t *tag)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
TEST_EQUAL(0, mbedtls_ccm_set_lengths(&ctx, add->len, 0, tag->len));
@@ -577,9 +577,12 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
+
+ /* This test can't be run with empty additional data */
+ TEST_LE_U(1, add->len);
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded values for msg length and tag length. They are not a part of this test
@@ -600,9 +603,9 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded values for msg length and tag length. They are not a part of this test
@@ -622,11 +625,11 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
size_t olen;
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded value for tag length. It is not a part of this test
@@ -651,10 +654,13 @@
data_t *key, data_t *iv, data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
+ /* This test can't be run with empty additional data */
+ TEST_LE_U(1, add->len);
+
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded values for msg length and tag length. They are not a part of this test
@@ -680,9 +686,9 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded values for msg length and tag length. They are not a part of this test
@@ -706,13 +712,16 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t add_second_buffer[2];
+ /* This test can't be run with empty additional data */
+ TEST_LE_U(1, add->len);
+
add_second_buffer[0] = add->x[add->len - 1];
add_second_buffer[1] = 0xAB; // some magic value
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded values for msg length and tag length. They are not a part of this test
@@ -735,11 +744,14 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
size_t olen;
+ /* This test can't be run with an empty message */
+ TEST_LE_U(1, msg->len);
+
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded value for tag length. It is a not a part of this test
@@ -765,11 +777,14 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
size_t olen;
+ /* This test can't be run with an empty message */
+ TEST_LE_U(1, msg->len);
+
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded value for tag length. It is not a part of this test
@@ -801,11 +816,11 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
size_t olen;
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded value for tag length. It is a not a part of this test
@@ -834,15 +849,18 @@
data_t *add)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
size_t olen;
uint8_t msg_second_buffer[2];
+ /* This test can't be run with an empty message */
+ TEST_LE_U(1, msg->len);
+
msg_second_buffer[0] = msg->x[msg->len - 1];
msg_second_buffer[1] = 0xAB; // some magic value
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded value for tag length. It is a not a part of this test
@@ -869,10 +887,10 @@
data_t *key, data_t *iv)
{
mbedtls_ccm_context ctx;
+ mbedtls_ccm_init(&ctx);
uint8_t *output = NULL;
BLOCK_CIPHER_PSA_INIT();
- mbedtls_ccm_init(&ctx);
TEST_EQUAL(mbedtls_ccm_setkey(&ctx, cipher_id, key->x, key->len * 8), 0);
TEST_EQUAL(0, mbedtls_ccm_starts(&ctx, mode, iv->x, iv->len));
// use hardcoded values for add length, msg length and tag length.
diff --git a/tf-psa-crypto/tests/suites/test_suite_ctr_drbg.function b/tf-psa-crypto/tests/suites/test_suite_ctr_drbg.function
index 9fa55a7..78a63ea 100644
--- a/tf-psa-crypto/tests/suites/test_suite_ctr_drbg.function
+++ b/tf-psa-crypto/tests/suites/test_suite_ctr_drbg.function
@@ -363,14 +363,14 @@
* as this was the value used when the expected answers were calculated. */
const size_t entropy_len = 48;
+ mbedtls_ctr_drbg_context ctx;
+ mbedtls_ctr_drbg_init(&ctx);
+
AES_PSA_INIT();
TEST_CALLOC(threads, sizeof(mbedtls_test_thread_t) * thread_count);
memset(out, 0, sizeof(out));
- mbedtls_ctr_drbg_context ctx;
- mbedtls_ctr_drbg_init(&ctx);
-
test_offset_idx = 0;
/* Need to set a non-default fixed entropy len, to ensure same output across
diff --git a/tf-psa-crypto/tests/suites/test_suite_dhm.function b/tf-psa-crypto/tests/suites/test_suite_dhm.function
index 6c6f15b..d040c81 100644
--- a/tf-psa-crypto/tests/suites/test_suite_dhm.function
+++ b/tf-psa-crypto/tests/suites/test_suite_dhm.function
@@ -1,6 +1,6 @@
/* BEGIN_HEADER */
#include "mbedtls/dhm.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
static int check_get_value(const mbedtls_dhm_context *ctx,
mbedtls_dhm_parameter param,
diff --git a/tf-psa-crypto/tests/suites/test_suite_ecdsa.function b/tf-psa-crypto/tests/suites/test_suite_ecdsa.function
index 78c9875..23f83b0 100644
--- a/tf-psa-crypto/tests/suites/test_suite_ecdsa.function
+++ b/tf-psa-crypto/tests/suites/test_suite_ecdsa.function
@@ -196,13 +196,12 @@
{
mbedtls_ecp_group grp;
mbedtls_mpi d, r, s, r_check, s_check;
-
- MD_PSA_INIT();
-
mbedtls_ecp_group_init(&grp);
mbedtls_mpi_init(&d); mbedtls_mpi_init(&r); mbedtls_mpi_init(&s);
mbedtls_mpi_init(&r_check); mbedtls_mpi_init(&s_check);
+ MD_PSA_INIT();
+
TEST_ASSERT(mbedtls_ecp_group_load(&grp, id) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&d, d_str) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&r_check, r_str) == 0);
@@ -235,13 +234,13 @@
unsigned char sig[200];
size_t sig_len, i;
- MD_PSA_INIT();
-
mbedtls_ecdsa_init(&ctx);
memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
memset(hash, 0, sizeof(hash));
memset(sig, 0x2a, sizeof(sig));
+ MD_PSA_INIT();
+
/* generate signing key */
TEST_ASSERT(mbedtls_ecdsa_genkey(&ctx, id,
&mbedtls_test_rnd_pseudo_rand,
@@ -300,13 +299,13 @@
unsigned char sig[200];
size_t sig_len, i;
- MD_PSA_INIT();
-
mbedtls_ecdsa_init(&ctx);
memset(&rnd_info, 0x00, sizeof(mbedtls_test_rnd_pseudo_info));
memset(hash, 0, sizeof(hash));
memset(sig, 0x2a, sizeof(sig));
+ MD_PSA_INIT();
+
/* prepare material for signature */
TEST_ASSERT(mbedtls_test_rnd_pseudo_rand(&rnd_info,
hash, sizeof(hash)) == 0);
@@ -436,12 +435,12 @@
unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
size_t slen;
- MD_PSA_INIT();
-
mbedtls_ecdsa_restart_init(&rs_ctx);
mbedtls_ecdsa_init(&ctx);
memset(sig, 0, sizeof(sig));
+ MD_PSA_INIT();
+
TEST_ASSERT(mbedtls_ecp_group_load(&ctx.grp, id) == 0);
TEST_ASSERT(mbedtls_test_read_mpi(&ctx.d, d_str) == 0);
diff --git a/tf-psa-crypto/tests/suites/test_suite_ecjpake.function b/tf-psa-crypto/tests/suites/test_suite_ecjpake.function
index 534c7ba..1723010 100644
--- a/tf-psa-crypto/tests/suites/test_suite_ecjpake.function
+++ b/tf-psa-crypto/tests/suites/test_suite_ecjpake.function
@@ -102,6 +102,7 @@
void ecjpake_invalid_param()
{
mbedtls_ecjpake_context ctx;
+ mbedtls_ecjpake_init(&ctx);
unsigned char buf[42] = { 0 };
size_t const len = sizeof(buf);
mbedtls_ecjpake_role invalid_role = (mbedtls_ecjpake_role) 42;
@@ -110,8 +111,6 @@
MD_PSA_INIT();
- mbedtls_ecjpake_init(&ctx);
-
TEST_EQUAL(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_setup(&ctx,
invalid_role,
@@ -139,13 +138,13 @@
void read_bad_md(data_t *msg)
{
mbedtls_ecjpake_context corrupt_ctx;
+ mbedtls_ecjpake_init(&corrupt_ctx);
const unsigned char *pw = NULL;
const size_t pw_len = 0;
int any_role = MBEDTLS_ECJPAKE_CLIENT;
MD_PSA_INIT();
- mbedtls_ecjpake_init(&corrupt_ctx);
TEST_ASSERT(mbedtls_ecjpake_setup(&corrupt_ctx, any_role,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw,
pw_len) == 0);
@@ -164,13 +163,12 @@
void read_round_one(int role, data_t *msg, int ref_ret)
{
mbedtls_ecjpake_context ctx;
+ mbedtls_ecjpake_init(&ctx);
const unsigned char *pw = NULL;
const size_t pw_len = 0;
MD_PSA_INIT();
- mbedtls_ecjpake_init(&ctx);
-
TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, role,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw,
pw_len) == 0);
@@ -187,13 +185,12 @@
void read_round_two_cli(data_t *msg, int ref_ret)
{
mbedtls_ecjpake_context ctx;
+ mbedtls_ecjpake_init(&ctx);
const unsigned char *pw = NULL;
const size_t pw_len = 0;
MD_PSA_INIT();
- mbedtls_ecjpake_init(&ctx);
-
TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, MBEDTLS_ECJPAKE_CLIENT,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw,
pw_len) == 0);
@@ -216,13 +213,12 @@
void read_round_two_srv(data_t *msg, int ref_ret)
{
mbedtls_ecjpake_context ctx;
+ mbedtls_ecjpake_init(&ctx);
const unsigned char *pw = NULL;
const size_t pw_len = 0;
MD_PSA_INIT();
- mbedtls_ecjpake_init(&ctx);
-
TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, MBEDTLS_ECJPAKE_SERVER,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw,
pw_len) == 0);
diff --git a/tf-psa-crypto/tests/suites/test_suite_hmac_drbg.function b/tf-psa-crypto/tests/suites/test_suite_hmac_drbg.function
index 0a50c6c..fbe1b03 100644
--- a/tf-psa-crypto/tests/suites/test_suite_hmac_drbg.function
+++ b/tf-psa-crypto/tests/suites/test_suite_hmac_drbg.function
@@ -41,8 +41,6 @@
size_t default_entropy_len;
size_t expected_consumed_entropy = 0;
- MD_PSA_INIT();
-
mbedtls_hmac_drbg_init(&ctx);
memset(buf, 0, sizeof(buf));
memset(out, 0, sizeof(out));
@@ -50,6 +48,8 @@
entropy.len = sizeof(buf);
entropy.p = buf;
+ MD_PSA_INIT();
+
md_info = mbedtls_md_info_from_type(md_alg);
TEST_ASSERT(md_info != NULL);
if (mbedtls_md_get_size(md_info) <= 20) {
@@ -129,11 +129,10 @@
{
const mbedtls_md_info_t *md_info;
mbedtls_hmac_drbg_context ctx;
+ mbedtls_hmac_drbg_init(&ctx);
MD_PSA_INIT();
- mbedtls_hmac_drbg_init(&ctx);
-
md_info = mbedtls_md_info_from_type(md_alg);
TEST_ASSERT(md_info != NULL);
@@ -159,12 +158,12 @@
mbedtls_hmac_drbg_context ctx;
size_t i;
- MD_PSA_INIT();
-
mbedtls_hmac_drbg_init(&ctx);
memset(buf, 0, sizeof(buf));
memset(out, 0, sizeof(out));
+ MD_PSA_INIT();
+
md_info = mbedtls_md_info_from_type(md_alg);
TEST_ASSERT(md_info != NULL);
TEST_ASSERT(mbedtls_hmac_drbg_seed_buf(&ctx, md_info, buf, sizeof(buf)) == 0);
@@ -194,13 +193,13 @@
const mbedtls_md_info_t *md_info;
mbedtls_hmac_drbg_context ctx;
- MD_PSA_INIT();
-
mbedtls_hmac_drbg_init(&ctx);
p_entropy.p = entropy->x;
p_entropy.len = entropy->len;
+ MD_PSA_INIT();
+
md_info = mbedtls_md_info_from_type(md_alg);
TEST_ASSERT(md_info != NULL);
@@ -244,13 +243,13 @@
const mbedtls_md_info_t *md_info;
mbedtls_hmac_drbg_context ctx;
- MD_PSA_INIT();
-
mbedtls_hmac_drbg_init(&ctx);
p_entropy.p = entropy->x;
p_entropy.len = entropy->len;
+ MD_PSA_INIT();
+
md_info = mbedtls_md_info_from_type(md_alg);
TEST_ASSERT(md_info != NULL);
@@ -279,13 +278,13 @@
const mbedtls_md_info_t *md_info;
mbedtls_hmac_drbg_context ctx;
- MD_PSA_INIT();
-
mbedtls_hmac_drbg_init(&ctx);
p_entropy.p = entropy->x;
p_entropy.len = entropy->len;
+ MD_PSA_INIT();
+
md_info = mbedtls_md_info_from_type(md_alg);
TEST_ASSERT(md_info != NULL);
diff --git a/tf-psa-crypto/tests/suites/test_suite_md.function b/tf-psa-crypto/tests/suites/test_suite_md.function
index 2a885e2..4e62154 100644
--- a/tf-psa-crypto/tests/suites/test_suite_md.function
+++ b/tf-psa-crypto/tests/suites/test_suite_md.function
@@ -21,10 +21,10 @@
const int *md_type_ptr;
const mbedtls_md_info_t *info;
mbedtls_md_context_t ctx;
+ mbedtls_md_init(&ctx);
unsigned char out[MBEDTLS_MD_MAX_SIZE] = { 0 };
MD_PSA_INIT();
- mbedtls_md_init(&ctx);
/*
* Test that mbedtls_md_list() only returns valid MDs.
@@ -87,13 +87,13 @@
void md_null_args()
{
mbedtls_md_context_t ctx;
+ mbedtls_md_init(&ctx);
#if defined(MBEDTLS_MD_C)
const mbedtls_md_info_t *info = mbedtls_md_info_from_type(*(mbedtls_md_list()));
#endif
unsigned char buf[1] = { 0 };
MD_PSA_INIT();
- mbedtls_md_init(&ctx);
TEST_EQUAL(0, mbedtls_md_get_size(NULL));
#if defined(MBEDTLS_MD_C)
@@ -245,12 +245,11 @@
const mbedtls_md_info_t *md_info = NULL;
mbedtls_md_context_t ctx, ctx_copy;
-
- MD_PSA_INIT();
-
mbedtls_md_init(&ctx);
mbedtls_md_init(&ctx_copy);
+ MD_PSA_INIT();
+
halfway = src_len / 2;
md_info = mbedtls_md_info_from_type(md_type);
@@ -291,13 +290,12 @@
unsigned char output[MBEDTLS_MD_MAX_SIZE] = { 0 };
const mbedtls_md_info_t *md_info = NULL;
mbedtls_md_context_t ctx, ctx_copy;
+ mbedtls_md_init(&ctx);
+ mbedtls_md_init(&ctx_copy);
int halfway;
MD_PSA_INIT();
- mbedtls_md_init(&ctx);
- mbedtls_md_init(&ctx_copy);
-
md_info = mbedtls_md_info_from_type(md_type);
TEST_ASSERT(md_info != NULL);
TEST_EQUAL(0, mbedtls_md_setup(&ctx, md_info, 0));
@@ -363,12 +361,11 @@
unsigned char output[MBEDTLS_MD_MAX_SIZE] = { 0 };
const mbedtls_md_info_t *md_info = NULL;
mbedtls_md_context_t ctx;
+ mbedtls_md_init(&ctx);
int halfway;
MD_PSA_INIT();
- mbedtls_md_init(&ctx);
-
md_info = mbedtls_md_info_from_type(md_type);
TEST_ASSERT(md_info != NULL);
TEST_EQUAL(0, mbedtls_md_setup(&ctx, md_info, 1));
diff --git a/tf-psa-crypto/tests/suites/test_suite_pem.function b/tf-psa-crypto/tests/suites/test_suite_pem.function
index 413dc55..091cbd1 100644
--- a/tf-psa-crypto/tests/suites/test_suite_pem.function
+++ b/tf-psa-crypto/tests/suites/test_suite_pem.function
@@ -66,6 +66,7 @@
char *pwd, int res, data_t *out)
{
mbedtls_pem_context ctx;
+ mbedtls_pem_init(&ctx);
int ret;
size_t use_len = 0;
size_t pwd_len = strlen(pwd);
@@ -73,8 +74,6 @@
MD_PSA_INIT();
- mbedtls_pem_init(&ctx);
-
ret = mbedtls_pem_read_buffer(&ctx, header, footer, (unsigned char *) data,
(unsigned char *) pwd, pwd_len, &use_len);
TEST_ASSERT(ret == res);
diff --git a/tf-psa-crypto/tests/suites/test_suite_pk.data b/tf-psa-crypto/tests/suites/test_suite_pk.data
index b76a2e4..6e3d5f4 100644
--- a/tf-psa-crypto/tests/suites/test_suite_pk.data
+++ b/tf-psa-crypto/tests/suites/test_suite_pk.data
@@ -526,10 +526,6 @@
depends_on:MBEDTLS_PKCS1_V21:PSA_WANT_ALG_SHA_256
pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:128:0
-Verify ext RSA #5a (PKCS1 v2.1, wrong salt_len) !USE_PSA
-depends_on:MBEDTLS_PKCS1_V21:PSA_WANT_ALG_SHA_256:!MBEDTLS_USE_PSA_CRYPTO
-pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_INVALID_PADDING
-
Verify ext RSA #5b (PKCS1 v2.1, wrong salt_len) USE_PSA
depends_on:MBEDTLS_PKCS1_V21:PSA_WANT_ALG_SHA_256:MBEDTLS_USE_PSA_CRYPTO
pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:0
diff --git a/tf-psa-crypto/tests/suites/test_suite_pk.function b/tf-psa-crypto/tests/suites/test_suite_pk.function
index 55848ab..bad09fa 100644
--- a/tf-psa-crypto/tests/suites/test_suite_pk.function
+++ b/tf-psa-crypto/tests/suites/test_suite_pk.function
@@ -7,7 +7,7 @@
#include "mbedtls/asn1.h"
#include "mbedtls/base64.h"
#include "mbedtls/ecp.h"
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/rsa.h"
#include "rsa_internal.h"
#include "pk_internal.h"
diff --git a/tf-psa-crypto/tests/suites/test_suite_pkcs1_v21.function b/tf-psa-crypto/tests/suites/test_suite_pkcs1_v21.function
index 6261979..a15d5d7 100644
--- a/tf-psa-crypto/tests/suites/test_suite_pkcs1_v21.function
+++ b/tf-psa-crypto/tests/suites/test_suite_pkcs1_v21.function
@@ -14,18 +14,18 @@
{
unsigned char output[256];
mbedtls_rsa_context ctx;
+ mbedtls_rsa_init(&ctx);
mbedtls_test_rnd_buf_info info;
mbedtls_mpi N, E;
-
- MD_PSA_INIT();
+ mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
info.fallback_f_rng = mbedtls_test_rnd_std_rand;
info.fallback_p_rng = NULL;
info.buf = rnd_buf->x;
info.length = rnd_buf->len;
- mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
- mbedtls_rsa_init(&ctx);
+ MD_PSA_INIT();
+
TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
MBEDTLS_RSA_PKCS_V21, hash) == 0);
memset(output, 0x00, sizeof(output));
@@ -66,17 +66,16 @@
{
unsigned char output[64];
mbedtls_rsa_context ctx;
+ mbedtls_rsa_init(&ctx);
size_t output_len;
mbedtls_test_rnd_pseudo_info rnd_info;
mbedtls_mpi N, P, Q, E;
+ mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
+ mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
((void) seed);
MD_PSA_INIT();
- mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
- mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
-
- mbedtls_rsa_init(&ctx);
TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
MBEDTLS_RSA_PKCS_V21, hash) == 0);
@@ -131,19 +130,19 @@
{
unsigned char output[512];
mbedtls_rsa_context ctx;
+ mbedtls_rsa_init(&ctx);
mbedtls_test_rnd_buf_info info;
mbedtls_mpi N, P, Q, E;
-
- MD_PSA_INIT();
+ mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
+ mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
info.fallback_f_rng = mbedtls_test_rnd_std_rand;
info.fallback_p_rng = NULL;
info.buf = rnd_buf->x;
info.length = rnd_buf->len;
- mbedtls_mpi_init(&N); mbedtls_mpi_init(&P);
- mbedtls_mpi_init(&Q); mbedtls_mpi_init(&E);
- mbedtls_rsa_init(&ctx);
+ MD_PSA_INIT();
+
TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
MBEDTLS_RSA_PKCS_V21, hash) == 0);
@@ -196,13 +195,13 @@
char *salt, data_t *result_str, int result)
{
mbedtls_rsa_context ctx;
+ mbedtls_rsa_init(&ctx);
mbedtls_mpi N, E;
+ mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
((void) salt);
MD_PSA_INIT();
- mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
- mbedtls_rsa_init(&ctx);
TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
MBEDTLS_RSA_PKCS_V21, hash) == 0);
@@ -236,12 +235,12 @@
int result_full)
{
mbedtls_rsa_context ctx;
+ mbedtls_rsa_init(&ctx);
mbedtls_mpi N, E;
+ mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
MD_PSA_INIT();
- mbedtls_mpi_init(&N); mbedtls_mpi_init(&E);
- mbedtls_rsa_init(&ctx);
TEST_ASSERT(mbedtls_rsa_set_padding(&ctx,
MBEDTLS_RSA_PKCS_V21, ctx_hash) == 0);
diff --git a/tf-psa-crypto/tests/suites/test_suite_pkcs5.function b/tf-psa-crypto/tests/suites/test_suite_pkcs5.function
index f6be142..56582d4 100644
--- a/tf-psa-crypto/tests/suites/test_suite_pkcs5.function
+++ b/tf-psa-crypto/tests/suites/test_suite_pkcs5.function
@@ -1,5 +1,5 @@
/* BEGIN_HEADER */
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/pkcs5.h"
#include "mbedtls/cipher.h"
/* END_HEADER */
diff --git a/tf-psa-crypto/tests/suites/test_suite_pkparse.data b/tf-psa-crypto/tests/suites/test_suite_pkparse.data
index f896dd4..17a253d 100644
--- a/tf-psa-crypto/tests/suites/test_suite_pkparse.data
+++ b/tf-psa-crypto/tests/suites/test_suite_pkparse.data
@@ -51,23 +51,23 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs1_2048_aes256.pem":"testkey":0
Parse RSA Key #14 (4096-bit, DES Encrypted)
-depends_on:PSA_WANT_ALG_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:PSA_WANT_ALG_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs1_4096_des.pem":"testkey":0
Parse RSA Key #15 (4096-bit, 3DES Encrypted)
-depends_on:PSA_WANT_ALG_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:PSA_WANT_ALG_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs1_4096_3des.pem":"testkey":0
Parse RSA Key #16 (4096-bit, AES-128 Encrypted)
-depends_on:PSA_WANT_ALG_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:PSA_WANT_ALG_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs1_4096_aes128.pem":"testkey":0
Parse RSA Key #17 (4096-bit, AES-192 Encrypted)
-depends_on:PSA_WANT_ALG_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs1_4096_aes192.pem":"testkey":0
Parse RSA Key #18 (4096-bit, AES-256 Encrypted)
-depends_on:PSA_WANT_ALG_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+depends_on:PSA_WANT_ALG_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs1_4096_aes256.pem":"testkey":0
Parse RSA Key #19 (PKCS#8 wrapped)
@@ -99,15 +99,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #22 (PKCS#8 encrypted SHA1-3DES, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTest":0
Parse RSA Key #22.1 (PKCS#8 encrypted SHA1-3DES, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #22.2 (PKCS#8 encrypted SHA1-3DES, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #23 (PKCS#8 encrypted SHA1-3DES DER)
@@ -119,7 +119,7 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der":"PolarSSLTest":0
Parse RSA Key #25 (PKCS#8 encrypted SHA1-3DES DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der":"PolarSSLTest":0
Parse RSA Key #26 (PKCS#8 encrypted SHA1-2DES)
@@ -147,15 +147,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #28 (PKCS#8 encrypted SHA1-2DES, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSSLTest":0
Parse RSA Key #28.1 (PKCS#8 encrypted SHA1-2DES, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #28.2 (PKCS#8 encrypted SHA1-2DES, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #29 (PKCS#8 encrypted SHA1-2DES DER)
@@ -167,7 +167,7 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der":"PolarSSLTest":0
Parse RSA Key #31 (PKCS#8 encrypted SHA1-2DES DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der":"PolarSSLTest":0
Parse RSA Key #38 (PKCS#8 encrypted v2 PBKDF2 3DES)
@@ -195,15 +195,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #40 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTest":0
Parse RSA Key #40.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #40.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #41 (PKCS#8 encrypted v2 PBKDF2 3DES DER)
@@ -231,15 +231,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #43 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTest":0
Parse RSA Key #43.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #43.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #44 (PKCS#8 encrypted v2 PBKDF2 DES)
@@ -267,15 +267,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #46 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTest":0
Parse RSA Key #46.1 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #46.2 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #47 (PKCS#8 encrypted v2 PBKDF2 DES DER)
@@ -303,15 +303,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #49 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTest":0
Parse RSA Key #49.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #49.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #50 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224)
@@ -339,15 +339,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #52 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTest":0
Parse RSA Key #52.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #52.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #53 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER)
@@ -375,15 +375,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #55 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTest":0
Parse RSA Key #55.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #55.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #56 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224)
@@ -411,15 +411,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #58 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTest":0
Parse RSA Key #58.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #58.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #59 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER)
@@ -447,15 +447,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #61 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTest":0
Parse RSA Key #61.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #61.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #62 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256)
@@ -483,15 +483,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #64 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTest":0
Parse RSA Key #64.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #64.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #65 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER)
@@ -519,15 +519,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #67 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTest":0
Parse RSA Key #68.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #68.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #69 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256)
@@ -555,15 +555,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #71 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTest":0
Parse RSA Key #71.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #71.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #72 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER)
@@ -591,15 +591,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #74 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTest":0
Parse RSA Key #74.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #74.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #75 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384)
@@ -627,15 +627,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #77 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTest":0
Parse RSA Key #77.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #77.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #78 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER)
@@ -663,15 +663,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #80 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTest":0
Parse RSA Key #80.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #80.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #81 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384)
@@ -699,15 +699,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #83 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTest":0
Parse RSA Key #83.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #83.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #84 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER)
@@ -735,15 +735,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #87 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTest":0
Parse RSA Key #87.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #87.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #88 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512)
@@ -771,15 +771,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #90 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTest":0
Parse RSA Key #90.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #90.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #91 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER)
@@ -807,15 +807,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #93 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTest":0
Parse RSA Key #93.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #93.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #94 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512)
@@ -843,15 +843,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #96 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTest":0
Parse RSA Key #96.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #96.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED
Parse RSA Key #97 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER)
@@ -879,15 +879,15 @@
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #99 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTest":0
Parse RSA Key #99.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, wrong PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH
Parse RSA Key #99.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, no PW)
-depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C
+depends_on:MBEDTLS_DES_C:PSA_WANT_ALG_SHA_512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_parse_keyfile_rsa:"../../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
Parse RSA Key #99.3 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384, 2048-bit)
diff --git a/tf-psa-crypto/tests/suites/test_suite_pkparse.function b/tf-psa-crypto/tests/suites/test_suite_pkparse.function
index 1cd6e2b..6f4b36d 100644
--- a/tf-psa-crypto/tests/suites/test_suite_pkparse.function
+++ b/tf-psa-crypto/tests/suites/test_suite_pkparse.function
@@ -1,5 +1,5 @@
/* BEGIN_HEADER */
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/pk.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
@@ -115,10 +115,10 @@
void pk_parse_keyfile_rsa(char *key_file, char *password, int result)
{
mbedtls_pk_context ctx;
+ mbedtls_pk_init(&ctx);
int res;
char *pwd = password;
- mbedtls_pk_init(&ctx);
MD_PSA_INIT();
if (strcmp(pwd, "NULL") == 0) {
@@ -162,9 +162,9 @@
void pk_parse_public_keyfile_rsa(char *key_file, int result)
{
mbedtls_pk_context ctx;
+ mbedtls_pk_init(&ctx);
int res;
- mbedtls_pk_init(&ctx);
MD_PSA_INIT();
res = mbedtls_pk_parse_public_keyfile(&ctx, key_file);
diff --git a/tf-psa-crypto/tests/suites/test_suite_pkwrite.data b/tf-psa-crypto/tests/suites/test_suite_pkwrite.data
index d895d39..ff9d4ec 100644
--- a/tf-psa-crypto/tests/suites/test_suite_pkwrite.data
+++ b/tf-psa-crypto/tests/suites/test_suite_pkwrite.data
@@ -7,11 +7,11 @@
pk_write_pubkey_check:"../../framework/data_files/server1.pubkey.der":TEST_DER
Public key write check RSA 4096
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_write_pubkey_check:"../../framework/data_files/rsa4096_pub.pem":TEST_PEM
Public key write check RSA 4096 (DER)
-depends_on:MBEDTLS_RSA_C
+depends_on:MBEDTLS_RSA_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_write_pubkey_check:"../../framework/data_files/rsa4096_pub.der":TEST_DER
Public key write check EC 192 bits
@@ -30,16 +30,13 @@
depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_521
pk_write_pubkey_check:"../../framework/data_files/ec_521_pub.der":TEST_DER
-## The pk_write_pubkey_check sometimes take ~3 hours to run with
-## GCC+Asan on the CI in the full config. Comment out the slowest
-## ones while we investigate and release 3.6.2.
-# Public key write check EC Brainpool 512 bits
-# depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:PSA_WANT_ECC_BRAINPOOL_P_R1_512
-# pk_write_pubkey_check:"../../framework/data_files/ec_bp512_pub.pem":TEST_PEM
+Public key write check EC Brainpool 512 bits
+depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:PSA_WANT_ECC_BRAINPOOL_P_R1_512
+pk_write_pubkey_check:"../../framework/data_files/ec_bp512_pub.pem":TEST_PEM
-# Public key write check EC Brainpool 512 bits (DER)
-# depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_BRAINPOOL_P_R1_512
-# pk_write_pubkey_check:"../../framework/data_files/ec_bp512_pub.der":TEST_DER
+Public key write check EC Brainpool 512 bits (DER)
+depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_BRAINPOOL_P_R1_512
+pk_write_pubkey_check:"../../framework/data_files/ec_bp512_pub.der":TEST_DER
Public key write check EC X25519
depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:PSA_WANT_ECC_MONTGOMERY_255
@@ -66,11 +63,11 @@
pk_write_key_check:"../../framework/data_files/server1.key.der":TEST_DER
Private key write check RSA 4096
-depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_write_key_check:"../../framework/data_files/rsa4096_prv.pem":TEST_PEM
Private key write check RSA 4096 (DER)
-depends_on:MBEDTLS_RSA_C
+depends_on:MBEDTLS_RSA_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_write_key_check:"../../framework/data_files/rsa4096_prv.der":TEST_DER
Private key write check EC 192 bits
@@ -134,7 +131,7 @@
pk_write_public_from_private:"../../framework/data_files/server1.key.der":"../../framework/data_files/server1.pubkey.der"
Derive public key RSA 4096
-depends_on:MBEDTLS_RSA_C
+depends_on:MBEDTLS_RSA_C:MBEDTLS_TEST_PK_ALLOW_RSA_KEY_PAIR_4096
pk_write_public_from_private:"../../framework/data_files/rsa4096_prv.der":"../../framework/data_files/rsa4096_pub.der"
Derive public key EC 192 bits
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data
index e921c11..dab2ee7 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data
@@ -7158,7 +7158,7 @@
# and not expected to be raised any time soon) is less than the maximum
# output from HKDF-SHA512 (255*64 = 16320 bytes).
PSA key derivation: largest possible key
-depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_512
+depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_512:MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE >= PSA_BITS_TO_BYTES(PSA_MAX_KEY_BITS)
derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:PSA_MAX_KEY_BITS:PSA_SUCCESS:1
PSA key derivation: key too large
@@ -7402,12 +7402,15 @@
generate_key:PSA_KEY_TYPE_RAW_DATA:9:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0
PSA generate key: raw data, (MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits
+depends_on:MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE >= (MBEDTLS_CTR_DRBG_MAX_REQUEST + 1)
generate_key:PSA_KEY_TYPE_RAW_DATA:(MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0
PSA generate key: raw data, (2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits
+depends_on:MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE >= (2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1)
generate_key:PSA_KEY_TYPE_RAW_DATA:(2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0
PSA generate key: raw data, 65528 bits (large key, ok if it fits)
+depends_on:MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE >= PSA_BITS_TO_BYTES(65528)
generate_key:PSA_KEY_TYPE_RAW_DATA:65528:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:1
PSA generate key: raw data, 65536 bits (not supported)
@@ -7478,16 +7481,59 @@
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_MAX_KEY_BITS+8:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED:0
+# Following 2 tests are meant to be tested from the component_test_crypto_with_static_key_slots()
+# test component. There MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE is intentionally set to a value
+# that is OK for all public RSA key bit sizes, but only valid up to 2048 bits for key pairs.
+PSA generate key: RSA, key pair size does not fit in static key buffer
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_STATIC_KEY_SLOTS:!MBEDTLS_TEST_STATIC_KEY_SLOTS_SUPPORT_RSA_4096:PSA_VENDOR_RSA_MAX_KEY_BITS>=4096
+generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:4096:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ERROR_NOT_SUPPORTED:0
+
+PSA generate key: RSA, key pair size fits in static key buffer
+depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_STATIC_KEY_SLOTS:MBEDTLS_TEST_STATIC_KEY_SLOTS_SUPPORT_RSA_2048:PSA_VENDOR_RSA_MAX_KEY_BITS>=2048
+generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:2048:PSA_KEY_USAGE_EXPORT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_SUCCESS:0
+
PSA generate key: ECC, SECP256R1, good
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0
+PSA generate key: ECC, SECP384R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_384
+generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):384:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0
+
+PSA generate key: ECC, SECP521R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_521
+generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):521:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0
+
+PSA generate key: ECC, SECP192K1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_K1_192
+generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):192:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0
+
+PSA generate key: ECC, SECP256K1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_K1_256
+generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_K1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0
+
+PSA generate key: ECC, brainpool256r1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_BRAINPOOL_P_R1_256
+generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):256:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0
+
+PSA generate key: ECC, brainpool384r1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_BRAINPOOL_P_R1_384
+generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):384:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_SUCCESS:0
+
PSA generate key: ECC, SECP256R1, incorrect bit size
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
# INVALID_ARGUMENT would make more sense, but our code as currently structured
# doesn't fully relate the curve with its size.
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_ERROR_NOT_SUPPORTED:0
+PSA generate key: ECC, SECP256R1, zero bit size
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
+generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_ERROR_INVALID_ARGUMENT:0
+
+PSA generate key: ECC, SECP256R1, public key
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256
+generate_key:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):0:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_ECDSA_ANY:PSA_ERROR_INVALID_ARGUMENT:0
+
PSA generate key: ECC, Curve25519, good
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_MONTGOMERY_255
generate_key:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY):255:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_SUCCESS:0
@@ -7520,6 +7566,9 @@
depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0
+PSA generate key interruptible object initializers zero properly
+generate_key_iop_init:
+
PSA generate key custom: RSA, flags=1
depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT
@@ -7619,15 +7668,15 @@
concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:9:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5
PSA concurrent key generation: raw data, (MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits
-depends_on:MBEDTLS_THREADING_PTHREAD
+depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE >= (MBEDTLS_CTR_DRBG_MAX_REQUEST + 1)
concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:(MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0:8:5
PSA concurrent key generation: raw data, (2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8 bits
-depends_on:MBEDTLS_THREADING_PTHREAD
+depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE >= (2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1)
concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:(2 * MBEDTLS_CTR_DRBG_MAX_REQUEST + 1) * 8:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:0:8:5
PSA concurrent key generation: raw data, 65528 bits (large key, ok if it fits)
-depends_on:MBEDTLS_THREADING_PTHREAD
+depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE > PSA_BITS_TO_BYTES(65528)
concurrently_generate_keys:PSA_KEY_TYPE_RAW_DATA:65528:PSA_KEY_USAGE_EXPORT:0:PSA_SUCCESS:1:8:5
PSA concurrent key generation: raw data, 65536 bits (not supported)
@@ -7835,4 +7884,3 @@
ECP group ID <-> PSA family - Wrong values
ecc_conversion_functions_fail
-
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function
index cee73b0..eaafd90 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function
@@ -1236,7 +1236,7 @@
}
#endif /* MBEDTLS_ECP_RESTARTABLE */
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) && defined(MBEDTLS_ASN1_PARSE_C)
static int rsa_test_e(mbedtls_svc_key_id_t key,
size_t bits,
const data_t *e_arg)
@@ -1615,7 +1615,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on: !MBEDTLS_PSA_STATIC_KEY_SLOTS*/
/* Construct and attempt to import a large unstructured key. */
void import_large_key(int type_arg, int byte_size_arg,
int expected_status_arg)
@@ -10096,6 +10096,7 @@
psa_status_t expected_status = expected_status_arg;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_generate_key_iop_t operation = PSA_GENERATE_KEY_IOP_INIT;
PSA_ASSERT(psa_crypto_init());
@@ -10111,21 +10112,46 @@
TEST_ASSUME(status != PSA_ERROR_INSUFFICIENT_MEMORY);
}
TEST_EQUAL(status, expected_status);
- if (expected_status != PSA_SUCCESS) {
- goto exit;
+ if (expected_status == PSA_SUCCESS) {
+ /* Test the key information */
+ PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
+ TEST_EQUAL(psa_get_key_type(&got_attributes), type);
+ TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
+
+ /* Do something with the key according to its type and permitted usage. */
+ TEST_EQUAL(mbedtls_test_psa_exercise_key(key, usage, alg, 0), 1);
}
- /* Test the key information */
- PSA_ASSERT(psa_get_key_attributes(key, &got_attributes));
- TEST_EQUAL(psa_get_key_type(&got_attributes), type);
- TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
+ /* Adjust expected_status for interruptible key generation.
+ * Interruptible key generation is only supported for ECC key pairs and even
+ * for those only when MBEDTLS_ECP_RESTARTABLE is on.
+ */
- /* Do something with the key according to its type and permitted usage. */
- if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) {
- goto exit;
+ if (!PSA_KEY_TYPE_IS_ECC(type)) {
+ expected_status = PSA_ERROR_NOT_SUPPORTED;
}
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+ expected_status = PSA_ERROR_NOT_SUPPORTED;
+#endif
+
+ status = psa_generate_key_iop_setup(&operation, &attributes);
+ TEST_EQUAL(status, expected_status);
+
+ /* Test that calling setup 2 time consecutively fails */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ status = psa_generate_key_iop_setup(&operation, &attributes);
+ TEST_EQUAL(status, PSA_ERROR_BAD_STATE);
+#endif
+
+ PSA_ASSERT(psa_generate_key_iop_abort(&operation));
+
+ /* Test that after calling abort operation is reset to it's fresh state */
+ status = psa_generate_key_iop_setup(&operation, &attributes);
+ TEST_EQUAL(status, expected_status);
+
exit:
+ psa_generate_key_iop_abort(&operation);
/*
* Key attributes may have been returned by psa_get_key_attributes()
* thus reset them as required.
@@ -10138,6 +10164,21 @@
/* END_CASE */
/* BEGIN_CASE */
+void generate_key_iop_init()
+{
+ psa_generate_key_iop_t init = PSA_GENERATE_KEY_IOP_INIT;
+ psa_generate_key_iop_t func = psa_generate_key_iop_init();
+ psa_generate_key_iop_t zero;
+
+ memset(&zero, 0, sizeof(zero));
+
+ PSA_ASSERT(psa_generate_key_iop_abort(&init));
+ PSA_ASSERT(psa_generate_key_iop_abort(&func));
+ PSA_ASSERT(psa_generate_key_iop_abort(&zero));
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void generate_key_custom(int type_arg,
int bits_arg,
int usage_arg,
@@ -10180,7 +10221,7 @@
TEST_EQUAL(psa_get_key_type(&got_attributes), type);
TEST_EQUAL(psa_get_key_bits(&got_attributes), bits);
-#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) && defined(MBEDTLS_ASN1_PARSE_C)
if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
TEST_ASSERT(rsa_test_e(key, bits, custom_data));
}
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_driver_wrappers.function
index 84611fa..49b1c15 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_driver_wrappers.function
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_driver_wrappers.function
@@ -6,13 +6,14 @@
size_t pake_expected_hit_count = 0;
int pake_in_driver = 0;
+#if defined(PSA_WANT_ALG_JPAKE) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
+ defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ALG_SHA_256)
+
/* The only two JPAKE user/peer identifiers supported for the time being. */
static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
-#if defined(PSA_WANT_ALG_JPAKE) && \
- defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
- defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ALG_SHA_256)
static void ecjpake_do_round(psa_algorithm_t alg, unsigned int primitive,
psa_pake_operation_t *server,
psa_pake_operation_t *client,
@@ -437,6 +438,11 @@
mbedtls_mpi_init(&D);
mbedtls_mpi_init(&C);
mbedtls_mpi_init(&X);
+#else /* MBEDTLS_BIGNUM_C */
+ (void) alg;
+ (void) private_exponent;
+ (void) input_data;
+ (void) buf;
#endif /* MBEDTLS_BIGNUM_C */
int ok = 0;
@@ -843,7 +849,7 @@
{
psa_key_lifetime_t lifetime =
PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( \
- PSA_KEY_PERSISTENCE_DEFAULT, location);
+ PSA_KEY_PERSISTENCE_VOLATILE, location);
mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make(owner_id_arg, id_arg);
psa_status_t force_status = force_status_arg;
psa_status_t expected_status = expected_status_arg;
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_ecp.data b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_ecp.data
new file mode 100644
index 0000000..ffb7a7b
--- /dev/null
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_ecp.data
@@ -0,0 +1,82 @@
+ECC generate: unknown family (0)
+generate_key:0:256:64:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: unknown family (0xff)
+generate_key:0xff:256:64:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: SECP_R1 bad bit-size (0)
+generate_key:PSA_ECC_FAMILY_SECP_R1:0:64:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: SECP_R1 bad bit-size (512)
+generate_key:PSA_ECC_FAMILY_SECP_R1:512:64:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: SECP_R1 bad bit-size (528)
+generate_key:PSA_ECC_FAMILY_SECP_R1:528:64:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: SECP_R1 256-bit not supported
+depends_on:!MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256
+generate_key:PSA_ECC_FAMILY_SECP_R1:256:32:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: SECP_R1 384-bit not supported
+depends_on:!MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384
+generate_key:PSA_ECC_FAMILY_SECP_R1:384:48:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: SECP_R1 521-bit not supported
+depends_on:!MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521
+generate_key:PSA_ECC_FAMILY_SECP_R1:521:66:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: SECP_K1 256-bit not supported
+depends_on:!MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256
+generate_key:PSA_ECC_FAMILY_SECP_K1:256:32:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: Curve25519 not supported
+depends_on:!MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255
+generate_key:PSA_ECC_FAMILY_MONTGOMERY:255:32:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: Curve448 not supported
+depends_on:!MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448
+generate_key:PSA_ECC_FAMILY_MONTGOMERY:448:56:PSA_ERROR_NOT_SUPPORTED
+
+ECC generate: SECP_R1 256-bit, size=31, too small
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256
+generate_key:PSA_ECC_FAMILY_SECP_R1:256:31:PSA_ERROR_BUFFER_TOO_SMALL
+
+ECC generate: SECP_R1 256-bit, size=32, ok
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256
+generate_key:PSA_ECC_FAMILY_SECP_R1:256:32:PSA_SUCCESS
+
+ECC generate: SECP_R1 256-bit, size=33, ok
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256
+generate_key:PSA_ECC_FAMILY_SECP_R1:256:33:PSA_SUCCESS
+
+ECC generate: SECP_R1 521-bit, size=65, too small
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521
+generate_key:PSA_ECC_FAMILY_SECP_R1:521:65:PSA_ERROR_BUFFER_TOO_SMALL
+
+ECC generate: SECP_R1 521-bit, size=66, ok
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521
+generate_key:PSA_ECC_FAMILY_SECP_R1:521:66:PSA_SUCCESS
+
+ECC generate: Curve25519, size=31, too small
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255
+generate_key:PSA_ECC_FAMILY_MONTGOMERY:255:31:PSA_ERROR_BUFFER_TOO_SMALL
+
+ECC generate: Curve25519, size=32, ok
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255
+generate_key:PSA_ECC_FAMILY_MONTGOMERY:255:32:PSA_SUCCESS
+
+ECC generate: Curve25519, size=33, ok
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255
+generate_key:PSA_ECC_FAMILY_MONTGOMERY:255:33:PSA_SUCCESS
+
+ECC generate: Curve448, size=55, too small
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448
+generate_key:PSA_ECC_FAMILY_MONTGOMERY:448:55:PSA_ERROR_BUFFER_TOO_SMALL
+
+ECC generate: Curve448, size=56, ok
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448
+generate_key:PSA_ECC_FAMILY_MONTGOMERY:448:56:PSA_SUCCESS
+
+ECC generate: Curve448, size=57, ok
+depends_on:MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448
+generate_key:PSA_ECC_FAMILY_MONTGOMERY:448:57:PSA_SUCCESS
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_ecp.function b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_ecp.function
new file mode 100644
index 0000000..5be7a2c
--- /dev/null
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_ecp.function
@@ -0,0 +1,165 @@
+/* BEGIN_HEADER */
+/* Unit tests for internal functions for built-in ECC mechanisms. */
+#include <psa/crypto.h>
+
+#include "psa_crypto_ecp.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+/*
+ * Check if a buffer is all-0 bytes:
+ * return 1 if it is,
+ * 0 if it isn't.
+ *
+ * TODO: we use this in multiple test suites. Move it to tests/src.
+ */
+static int buffer_is_all_zero(const uint8_t *buf, size_t size)
+{
+ for (size_t i = 0; i < size; i++) {
+ if (buf[i] != 0) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+typedef struct {
+ unsigned bit_bot; /* lowest non-forced bit */
+ unsigned bit_top; /* highest non-forced bit */
+} ecc_private_key_stats_t;
+
+/* Do some sanity checks on an ECC private key. This is not intended to be
+ * a full validity check, just to catch some potential mistakes. */
+static int check_ecc_private_key(psa_ecc_family_t family, size_t bits,
+ const uint8_t *key, size_t key_length,
+ ecc_private_key_stats_t *stats)
+{
+ int ok = 0;
+
+ /* Check the expected length (same calculation for all curves). */
+ TEST_EQUAL(PSA_BITS_TO_BYTES(bits), key_length);
+
+ /* All-bits zero is invalid and means no key material was copied to the
+ * output buffer, or a grave RNG pluming failure. */
+ TEST_ASSERT(!buffer_is_all_zero(key, key_length));
+
+ /* Check the top byte of the value for non-byte-aligned curve sizes.
+ * This is a partial endianness check. */
+ if (bits % 8 != 0) {
+ /* All supported non-byte-aligned curve sizes are for Weierstrass
+ * curves with a big-endian representation. */
+ uint8_t top_byte = key[0];
+ uint8_t mask = 0xff << (bits & 8);
+ TEST_EQUAL(top_byte & mask, 0);
+ }
+
+ /* Check masked bits on Curve25519 and Curve448 scalars.
+ * See RFC 7748 \S4.1 (we expect the "decoded" form here). */
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255)
+ if (family == PSA_ECC_FAMILY_MONTGOMERY && bits == 255) {
+ TEST_EQUAL(key[0] & 0xf8, key[0]);
+ TEST_EQUAL(key[31] & 0xc0, 0x40);
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 */
+#if defined(MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448)
+ if (family == PSA_ECC_FAMILY_MONTGOMERY && bits == 448) {
+ TEST_EQUAL(key[0] & 0xfc, key[0]);
+ TEST_EQUAL(key[55] & 0x80, 0x80);
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 */
+
+ /* Don't bother to check that the value is in the exact permitted range
+ * (1 to p-1 for Weierstrass curves, 2^{n-1} to p-1 for Montgomery curves).
+ * We would need to bring in bignum machinery, and on most curves
+ * the probability of a number being out of range is negligible.
+ */
+
+ /* Collect statistics on random-valued bits */
+ /* Defaults for big-endian numbers */
+ uint8_t bit_bot_mask = 0x01;
+ size_t bit_bot_index = key_length - 1;
+ uint8_t bit_top_mask = (bits % 8 == 0 ? 0x80 : 1 << (bits % 8 - 1));
+ size_t bit_top_index = 0;
+ if (family == PSA_ECC_FAMILY_MONTGOMERY) {
+ bit_bot_index = 0;
+ bit_top_index = key_length - 1;
+ if (bits == 255) {
+ bit_bot_mask = 0x08;
+ bit_top_mask = 0x20;
+ } else {
+ bit_bot_mask = 0x04;
+ bit_top_mask = 0x40;
+ }
+ }
+ if (key[bit_bot_index] & bit_bot_mask) {
+ ++stats->bit_bot;
+ }
+ if (key[bit_top_index] & bit_top_mask) {
+ ++stats->bit_top;
+ }
+
+ ok = 1;
+exit:
+ return ok;
+}
+#endif
+
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
+void generate_key(int family_arg, int bits_arg,
+ int output_size_arg,
+ psa_status_t expected_status)
+{
+ psa_ecc_family_t family = family_arg;
+ size_t bits = bits_arg;
+ size_t output_size = output_size_arg;
+
+ uint8_t *output = NULL;
+ size_t output_length = SIZE_MAX;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(family));
+ psa_set_key_bits(&attributes, bits);
+ ecc_private_key_stats_t stats = { 0, 0 };
+
+ PSA_INIT();
+ TEST_CALLOC(output, output_size);
+
+ /* In success cases, run multiple iterations so that we can make
+ * statistical observations. */
+ unsigned iteration_count = expected_status == PSA_SUCCESS ? 256 : 1;
+ for (unsigned i = 0; i < iteration_count; i++) {
+ mbedtls_test_set_step(i);
+ TEST_EQUAL(mbedtls_psa_ecp_generate_key(&attributes,
+ output, output_size,
+ &output_length),
+ expected_status);
+ if (expected_status == PSA_SUCCESS) {
+ TEST_LE_U(output_length, output_size);
+ TEST_ASSERT(check_ecc_private_key(family, bits,
+ output, output_length,
+ &stats));
+ }
+ }
+
+ if (expected_status == PSA_SUCCESS) {
+ /* For selected bits, check that we saw the values 0 and 1 each
+ * at least some minimum number of times. The iteration count and
+ * the minimum are chosen so that a random failure is unlikely
+ * to more than cryptographic levels. */
+ unsigned const min_times = 10;
+ TEST_LE_U(min_times, stats.bit_bot);
+ TEST_LE_U(stats.bit_bot, iteration_count - min_times);
+ TEST_LE_U(min_times, stats.bit_top);
+ TEST_LE_U(stats.bit_top, iteration_count - min_times);
+ }
+
+exit:
+ PSA_DONE();
+ mbedtls_free(output);
+}
+/* END_CASE */
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_memory.function b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_memory.function
index 55c0092..50539e8 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_memory.function
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_memory.function
@@ -107,7 +107,10 @@
exit:
mbedtls_free(local_input.buffer);
- mbedtls_free(input);
+
+ if (local_input.buffer != input) {
+ mbedtls_free(input);
+ }
}
/* END_CASE */
@@ -243,7 +246,7 @@
TEST_CALLOC(buffer_copy_for_comparison, local_output.length);
memcpy(buffer_copy_for_comparison, local_output.buffer, local_output.length);
- psa_crypto_local_output_free(&local_output);
+ TEST_EQUAL(psa_crypto_local_output_free(&local_output), PSA_SUCCESS);
TEST_ASSERT(local_output.buffer == NULL);
TEST_EQUAL(local_output.length, 0);
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_se_driver_hal.function
index 66d2a4e..400d89d 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@@ -9,7 +9,7 @@
#if defined(MBEDTLS_PSA_ITS_FILE_C)
#include "psa_crypto_its.h"
#else /* Native ITS implementation */
-#include "psa/error.h"
+#include "psa/error_common.h"
#include "psa/internal_trusted_storage.h"
#endif
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_storage_format.function b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_storage_format.function
index efaaba5..5788742 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_storage_format.function
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_storage_format.function
@@ -1,14 +1,16 @@
/* BEGIN_HEADER */
#include <psa/crypto.h>
+#include <psa_crypto_storage.h>
#include <test/psa_crypto_helpers.h>
#include <test/psa_exercise_key.h>
#include <psa_crypto_its.h>
-#define TEST_FLAG_EXERCISE 0x00000001
-#define TEST_FLAG_READ_ONLY 0x00000002
+#define TEST_FLAG_EXERCISE 0x00000001
+#define TEST_FLAG_READ_ONLY 0x00000002
+#define TEST_FLAG_OVERSIZED_KEY 0x00000004
/** Write a key with the given attributes and key material to storage.
* Test that it has the expected representation.
@@ -158,6 +160,12 @@
/* Prime the storage with a key file. */
PSA_ASSERT(psa_its_set(uid, representation->len, representation->x, 0));
+ if (flags & TEST_FLAG_OVERSIZED_KEY) {
+ TEST_EQUAL(psa_get_key_attributes(key_id, &actual_attributes), PSA_ERROR_DATA_INVALID);
+ ok = 1;
+ goto exit;
+ }
+
/* Check that the injected key exists and looks as expected. */
PSA_ASSERT(psa_get_key_attributes(key_id, &actual_attributes));
TEST_ASSERT(mbedtls_svc_key_id_equal(key_id,
@@ -281,6 +289,7 @@
mbedtls_svc_key_id_t key_id = mbedtls_svc_key_id_make(0, 1);
psa_storage_uid_t uid = 1;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t *custom_key_data = NULL, *custom_storage_data = NULL;
PSA_INIT();
TEST_USES_KEY_ID(key_id);
@@ -293,6 +302,23 @@
psa_set_key_algorithm(&attributes, alg);
psa_set_key_enrollment_algorithm(&attributes, alg2);
+ /* Create a persistent key which is intentionally larger than the specified
+ * bit size. */
+ if (flags & TEST_FLAG_OVERSIZED_KEY) {
+ TEST_CALLOC(custom_key_data, PSA_BITS_TO_BYTES(bits));
+ memset(custom_key_data, 0xAA, PSA_BITS_TO_BYTES(bits));
+ material->len = PSA_BITS_TO_BYTES(bits);
+ material->x = custom_key_data;
+
+ /* 36 bytes are the overhead of psa_persistent_key_storage_format */
+ TEST_CALLOC(custom_storage_data, PSA_BITS_TO_BYTES(bits) + 36);
+ representation->len = PSA_BITS_TO_BYTES(bits) + 36;
+ representation->x = custom_storage_data;
+
+ psa_format_key_data_for_storage(custom_key_data, PSA_BITS_TO_BYTES(bits),
+ &attributes, custom_storage_data);
+ }
+
/* Test that we can use a key with the given representation. This
* guarantees backward compatibility with keys that were stored by
* past versions of Mbed TLS. */
@@ -300,6 +326,8 @@
uid, representation, flags));
exit:
+ mbedtls_free(custom_key_data);
+ mbedtls_free(custom_storage_data);
psa_reset_key_attributes(&attributes);
PSA_DONE();
}
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_storage_format.misc.data b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_storage_format.misc.data
index 48e3804..359053e 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_storage_format.misc.data
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_storage_format.misc.data
@@ -9,3 +9,9 @@
PSA storage save: AES-GCM+CTR
depends_on:PSA_WANT_KEY_TYPE_AES
key_storage_save:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_GCM:PSA_ALG_CTR:"404142434445464748494a4b4c4d4e4f":"505341004b45590000000000010000000024800001010000000250050010c00410000000404142434445464748494a4b4c4d4e4f"
+
+# Create a persistent key which is larger than MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
+# so that when psa_get_key_attributes() tries to load it from the storage it will fail.
+PSA storage read: key larger than MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA:MBEDTLS_PSA_STATIC_KEY_SLOTS
+key_storage_read:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_TYPE_RAW_DATA:PSA_BYTES_TO_BITS(MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE + 1):PSA_KEY_USAGE_EXPORT:PSA_ALG_NONE:PSA_ALG_NONE:"":"":TEST_FLAG_OVERSIZED_KEY
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data
index c84a836..a0ec9fd 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data
@@ -1,3 +1,12 @@
+# mbedtls_ecdsa_der_to_raw() doesn't accept a null output buffer,
+# even with otherwise invalid paramters,
+# so we pass it a (non-null) buffer of length 1.
+ECDSA Raw -> DER, 0bit
+ecdsa_raw_to_der:0:"":"00":MBEDTLS_ERR_ASN1_INVALID_DATA
+
+ECDSA DER -> Raw, 0bit
+ecdsa_der_to_raw:0:"":"":MBEDTLS_ERR_ASN1_INVALID_DATA
+
ECDSA Raw -> DER, 256bit, Success
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0
diff --git a/tf-psa-crypto/tests/suites/test_suite_random.function b/tf-psa-crypto/tests/suites/test_suite_random.function
index 155b8e7..b58b22f 100644
--- a/tf-psa-crypto/tests/suites/test_suite_random.function
+++ b/tf-psa-crypto/tests/suites/test_suite_random.function
@@ -22,7 +22,9 @@
void random_twice_with_ctr_drbg()
{
mbedtls_entropy_context entropy;
+ mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_context drbg;
+ mbedtls_ctr_drbg_init(&drbg);
unsigned char output1[OUTPUT_SIZE];
unsigned char output2[OUTPUT_SIZE];
@@ -34,8 +36,6 @@
/* First round */
- mbedtls_entropy_init(&entropy);
- mbedtls_ctr_drbg_init(&drbg);
TEST_EQUAL(0, mbedtls_ctr_drbg_seed(&drbg,
mbedtls_entropy_func, &entropy,
NULL, 0));
@@ -73,7 +73,9 @@
void random_twice_with_hmac_drbg(int md_type)
{
mbedtls_entropy_context entropy;
+ mbedtls_entropy_init(&entropy);
mbedtls_hmac_drbg_context drbg;
+ mbedtls_hmac_drbg_init(&drbg);
unsigned char output1[OUTPUT_SIZE];
unsigned char output2[OUTPUT_SIZE];
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
@@ -81,8 +83,6 @@
MD_PSA_INIT();
/* First round */
- mbedtls_entropy_init(&entropy);
- mbedtls_hmac_drbg_init(&drbg);
TEST_EQUAL(0, mbedtls_hmac_drbg_seed(&drbg, md_info,
mbedtls_entropy_func, &entropy,
NULL, 0));
diff --git a/tf-psa-crypto/tests/suites/test_suite_rsa.function b/tf-psa-crypto/tests/suites/test_suite_rsa.function
index b84848b..0d086a4 100644
--- a/tf-psa-crypto/tests/suites/test_suite_rsa.function
+++ b/tf-psa-crypto/tests/suites/test_suite_rsa.function
@@ -1,5 +1,5 @@
/* BEGIN_HEADER */
-#include "mbedtls/error.h"
+#include "mbedtls/error_common.h"
#include "mbedtls/rsa.h"
#include "bignum_core.h"
#include "rsa_alt_helpers.h"