From c9deb184b0bf5e72d5761d06af0db165676e0f8a Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 16 Nov 2020 19:03:12 +0000 Subject: [PATCH 001/413] mbedtls: add support for pkcs7 PKCS7 signing format is used by OpenPOWER Key Management, which is using mbedtls as its crypto library. This patch adds the limited support of pkcs7 parser and verification to the mbedtls. The limitations are: * Only signed data is supported. * CRLs are not currently handled. * Single signer is supported. Signed-off-by: Daniel Axtens Signed-off-by: Eric Richter Signed-off-by: Nayna Jain --- include/mbedtls/asn1.h | 3 +- include/mbedtls/check_config.h | 7 + include/mbedtls/error.h | 1 + include/mbedtls/mbedtls_config.h | 15 + include/mbedtls/oid.h | 11 + include/mbedtls/pkcs7.h | 224 ++++++++++ library/Makefile | 1 + library/pkcs7.c | 561 +++++++++++++++++++++++++ scripts/config.py | 1 + tests/data_files/Makefile | 92 ++++ tests/suites/test_suite_pkcs7.data | 53 +++ tests/suites/test_suite_pkcs7.function | 420 ++++++++++++++++++ 12 files changed, 1388 insertions(+), 1 deletion(-) create mode 100644 include/mbedtls/pkcs7.h create mode 100644 library/pkcs7.c create mode 100644 tests/suites/test_suite_pkcs7.data create mode 100644 tests/suites/test_suite_pkcs7.function diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index be2cae7b5a..21ade1bdbb 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -38,8 +38,9 @@ /** * \name ASN1 Error codes - * These error codes are OR'ed to X509 error codes for + * These error codes are combined with other error codes for * higher error granularity. + * e.g. X.509 and PKCS #7 error codes * ASN1 is a standard to specify data structures. * \{ */ diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index b5d2c40f21..dcb6392f1c 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
@@ -989,6 +989,13 @@ #error "MBEDTLS_SSL_TRUNCATED_HMAC was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4341" #endif +#if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \ + ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \ + ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) ||\ + ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) ) +#error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" +#endif + /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 8b2b9ea580..08504329b9 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -95,6 +95,7 @@ * ECP 4 10 (Started from top) * MD 5 5 * HKDF 5 1 (Started from top) + * PKCS7 5 12 (Started from 0x5300) * SSL 5 2 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 22 (Started from top, plus 0x6000) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index e9487b28f0..45dd2748cf 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2660,6 +2660,21 @@ */ #define MBEDTLS_PKCS5_C +/** + * \def MBEDTLS_PKCS7_C + * + * Enable PKCS7 core for using PKCS7 formatted signatures. + * RFC Link - https://tools.ietf.org/html/rfc2315 + * + * Module: library/pkcs7.c + * + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, + * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, MBEDTLS_BIGNUM_C + * + * This module is required for the PKCS7 parsing modules. + */ +#define MBEDTLS_PKCS7_C + /** * \def MBEDTLS_PKCS12_C * diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 4ee3f93fbe..e5c4b92493 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h 
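Review bot: The prerequisite condition added to check_config.h omits MBEDTLS_MD_C, although library/pkcs7.c in this same patch calls mbedtls_md_info_from_type() and mbedtls_md() directly. It may be satisfied transitively through MBEDTLS_X509_CRT_PARSE_C today, but the module's own check should name the modules it calls, so `( !defined(MBEDTLS_MD_C) ) ||` belongs in the condition. The same list is repeated in the `Requires:` line of the MBEDTLS_PKCS7_C doc comment in mbedtls_config.h further down, where a comma is also missing between MBEDTLS_X509_CRT_PARSE_C and MBEDTLS_X509_CRL_PARSE_C; adding `MBEDTLS_MD_C` there keeps the two lists in step.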
@@ -220,6 +220,7 @@ #define MBEDTLS_OID_PKCS MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */ #define MBEDTLS_OID_PKCS1 MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */ #define MBEDTLS_OID_PKCS5 MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */ +#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 } */ #define MBEDTLS_OID_PKCS9 MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */ #define MBEDTLS_OID_PKCS12 MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */ 
@@ -300,6 +301,16 @@ #define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */ #define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */ +/* + * PKCS#7 OIDs + */ +#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01" /**< Content type is Data OBJECT IDENTIFIER ::= {pkcs-7 1} */ +#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02" /**< Content type is Signed Data OBJECT IDENTIFIER ::= {pkcs-7 2} */ +#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03" /**< Content type is Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 3} */ +#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04" /**< Content type is Signed and Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 4} */ +#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05" /**< Content type is Digested Data OBJECT IDENTIFIER ::= {pkcs-7 5} */ +#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06" /**< Content type is Encrypted Data OBJECT IDENTIFIER ::= {pkcs-7 6} */ + /* * PKCS#8 OIDs */ diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h new file mode 100644 index 0000000000..3f87dc3e28 --- /dev/null +++ b/include/mbedtls/pkcs7.h 
@@ -0,0 +1,224 @@ +/** + * \file pkcs7.h + * + * \brief PKCS7 generic defines and structures + * https://tools.ietf.org/html/rfc2315 + */ +/* + * Copyright (C) 2019, IBM Corp, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +/** + * Note: For the time being, this application of the PKCS7 cryptographic + * message syntax is a partial implementation of RFC 2315. + * Differences include: + * - The RFC specifies 6 different content types. The only type currently + * supported in MbedTLS is the signed data content type. + * - The only supported PKCS7 Signed Data syntax version is version 1 + * - The RFC specifies support for BER. This application is limited to + * DER only. + * - The RFC specifies that multiple digest algorithms can be specified + * in the Signed Data type. Only one digest algorithm is supported in MbedTLS. + * - The RFC specifies the Signed Data certificate format can be + * X509 or PKCS6. The only type currently supported in MbedTLS is X509. + * - The RFC specifies the Signed Data type can contain + * certificate-revocation lists (crls). This application has no support + * for crls so it is assumed to be an empty list. + * - The RFC specifies support for multiple signers. This application only + * supports the Signed Data type with a single signer. 
+ */ + +#ifndef MBEDTLS_PKCS7_H +#define MBEDTLS_PKCS7_H + +#include "mbedtls/build_info.h" + +#include "asn1.h" +#include "x509.h" +#include "x509_crt.h" + +/** + * \name PKCS7 Module Error codes + * \{ + */ +#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x5300 /**< The format is invalid, e.g. different type expected. */ +#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x53F0 /**< Unavailable feature, e.g. anything other than signed data. */ +#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS7 version element is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x54F0 /**< The PKCS7 content info invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x55F0 /**< The certificate tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x56F0 /**< Error parsing the signer's info */ +#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x57F0 /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ +/* \} name */ + +/** + * \name PKCS7 Supported Version + * \{ + */ +#define MBEDTLS_PKCS7_SUPPORTED_VERSION 0x01 +/* \} name */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Type-length-value structure that allows for ASN1 using DER. + */ +typedef mbedtls_asn1_buf mbedtls_pkcs7_buf; + +/** + * Container for ASN1 named information objects. + * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.). 
+ */ +typedef mbedtls_asn1_named_data mbedtls_pkcs7_name; + +/** + * Container for a sequence of ASN.1 items + */ +typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence; + +/** + * Structure holding PKCS7 signer info + */ +typedef struct mbedtls_pkcs7_signer_info +{ + int version; + mbedtls_x509_buf serial; + mbedtls_x509_name issuer; + mbedtls_x509_buf issuer_raw; + mbedtls_x509_buf alg_identifier; + mbedtls_x509_buf sig_alg_identifier; + mbedtls_x509_buf sig; + struct mbedtls_pkcs7_signer_info *next; +} +mbedtls_pkcs7_signer_info; + +/** + * Structure holding attached data as part of PKCS7 signed data format + */ +typedef struct mbedtls_pkcs7_data +{ + mbedtls_pkcs7_buf oid; + mbedtls_pkcs7_buf data; +} +mbedtls_pkcs7_data; + +/** + * Structure holding the signed data section + */ +typedef struct mbedtls_pkcs7_signed_data +{ + int version; + mbedtls_pkcs7_buf digest_alg_identifiers; + struct mbedtls_pkcs7_data content; + int no_of_certs; + mbedtls_x509_crt certs; + int no_of_crls; + mbedtls_x509_crl crl; + int no_of_signers; + mbedtls_pkcs7_signer_info signers; +} +mbedtls_pkcs7_signed_data; + +/** + * Structure holding PKCS7 structure, only signed data for now + */ +typedef struct mbedtls_pkcs7 +{ + mbedtls_pkcs7_buf raw; + mbedtls_pkcs7_buf content_type_oid; + mbedtls_pkcs7_signed_data signed_data; +} +mbedtls_pkcs7; + +/** + * \brief Initialize pkcs7 structure. + * + * \param pkcs7 pkcs7 structure. + */ +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ); + +/** + * \brief Parse a single DER formatted pkcs7 content. + * + * \param pkcs7 The pkcs7 structure to be filled by parser for the output. + * \param buf The buffer holding the DER encoded pkcs7. + * \param buflen The size in Bytes of \p buf. + * + * \note This function makes an internal copy of the PKCS7 buffer + * \p buf. In particular, \p buf may be destroyed or reused + * after this call returns. + * + * \return \c 0, if successful. + * \return A negative error code on failure. 
+ */ +int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, + const size_t buflen ); + +/** + * \brief Verification of PKCS7 signature. + * + * \param pkcs7 PKCS7 structure containing signature. + * \param cert Certificate containing key to verify signature. + * \param data Plain data on which signature has to be verified. + * \param datalen Length of the data. + * + * \note This function internally calculates the hash on the supplied + * plain data for signature verification. + * + * \return A negative error code on failure. + */ +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen ); + +/** + * \brief Verification of PKCS7 signature. + * + * \param pkcs7 PKCS7 structure containing signature. + * \param cert Certificate containing key to verify signature. + * \param hash Hash of the plain data on which signature has to be verified. + * \param hashlen Length of the hash. + * + * \note This function is different from mbedtls_pkcs7_signed_data_verify() + * in a way that it directly recieves the hash of the data. + * + * \return A negative error code on failure. + */ +int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *hash, size_t hashlen); + +/** + * \brief Unallocate all PKCS7 data and zeroize the memory. + * It doesn't free pkcs7 itself. It should be done by the caller. + * + * \param pkcs7 PKCS7 structure to free. + */ +void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ); + +#ifdef __cplusplus +} +#endif + +#endif /* pkcs7.h */ diff --git a/library/Makefile b/library/Makefile index 85cea6b08d..a780267061 100644 --- a/library/Makefile +++ b/library/Makefile @@ -165,6 +165,7 @@ OBJS_X509= \ x509_csr.o \ x509write_crt.o \ x509write_csr.o \ + pkcs7.o \ # This line is intentionally left blank OBJS_TLS= \ diff --git a/library/pkcs7.c b/library/pkcs7.c new file mode 100644 index 0000000000..c3236e188a 
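Review bot: The error codes at the top of pkcs7.h do not follow the layout error.h documents for high-level modules, where the low 7 bits are kept clear (values are multiples of 0x80) so a low-level ASN.1 code can be added to them; -0x53F0, -0x54F0, -0x55F0, -0x56F0 and -0x57F0 all have bits set in that field, and pkcs7.c in this patch does add the mbedtls_asn1_get_tag() result to MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, MBEDTLS_ERR_PKCS7_INVALID_CERT and MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO. The sum then lands in a neighbouring code's range, so mbedtls_strerror() and any caller switching on the high-level part would misattribute the failure. Using -0x5380, -0x5480, -0x5580, -0x5680 and -0x5780 for those five entries stays within the 0x5300 range claimed in error.h and restores the separation. Separately, the `\return` documentation of mbedtls_pkcs7_signed_data_verify() and mbedtls_pkcs7_signed_hash_verify() only covers failure; add `\return \c 0 if the signature verifies against the key in \p cert.` and a `\note` that \p cert is used as supplied — no chain, validity-period or revocation check is performed here, so the caller must have established trust in it beforehand.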
--- /dev/null +++ b/library/pkcs7.c 
@@ -0,0 +1,561 @@ +/* Copyright 2019 IBM Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "common.h" + +#include "mbedtls/build_info.h" +#if defined(MBEDTLS_PKCS7_C) +#include "mbedtls/pkcs7.h" +#include "mbedtls/x509.h" +#include "mbedtls/asn1.h" +#include "mbedtls/x509_crt.h" +#include "mbedtls/x509_crl.h" +#include "mbedtls/oid.h" + +#include +#include +#include +#if defined(MBEDTLS_FS_IO) +#include +#include +#endif + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#include "mbedtls/platform_util.h" +#else +#include +#include +#define mbedtls_free free +#define mbedtls_calloc calloc +#define mbedtls_printf printf +#define mbedtls_snprintf snprintf +#endif + +#if defined(MBEDTLS_HAVE_TIME) +#include "mbedtls/platform_time.h" +#endif +#if defined(MBEDTLS_HAVE_TIME_DATE) +#include +#endif + +/** + * Initializes the pkcs7 structure. 
+ */ +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) +{ + memset( pkcs7, 0, sizeof( mbedtls_pkcs7 ) ); + pkcs7->raw.p = NULL; +} + +static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, + size_t *len ) +{ + int ret; + + if( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + { + return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + } + + return( 0 ); +} + +/** + * version Version + * Version ::= INTEGER + **/ +static int pkcs7_get_version( unsigned char **p, unsigned char *end, int *ver ) +{ + int ret; + + if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_VERSION + ret ); + + /* If version != 1, return invalid version */ + if( *ver != MBEDTLS_PKCS7_SUPPORTED_VERSION ) + return( MBEDTLS_ERR_PKCS7_INVALID_VERSION ); + + return( 0 ); +} + +/** + * ContentInfo ::= SEQUENCE { + * contentType ContentType, + * content + * [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } + **/ +static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_buf *pkcs7 ) +{ + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + + pkcs7->tag = MBEDTLS_ASN1_OID; + pkcs7->len = len; + pkcs7->p = *p; + + return( ret ); +} + +/** + * DigestAlgorithmIdentifier ::= AlgorithmIdentifier + * + * This is from x509.h + **/ +static int pkcs7_get_digest_algorithm( unsigned char **p, unsigned char *end, + mbedtls_x509_buf *alg ) +{ + int ret; + + if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + + return( 0 ); +} + +/** + * DigestAlgorithmIdentifiers :: SET of DigestAlgorithmIdentifier + **/ +static int 
pkcs7_get_digest_algorithm_set( unsigned char **p, + unsigned char *end, + mbedtls_x509_buf *alg ) +{ + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + + end = *p + len; + + /** For now, it assumes there is only one digest algorithm specified **/ + ret = mbedtls_asn1_get_alg_null( p, end, alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + + if ( *p != end ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT ); + + return( 0 ); +} + +/** + * certificates :: SET OF ExtendedCertificateOrCertificate, + * ExtendedCertificateOrCertificate ::= CHOICE { + * certificate Certificate -- x509, + * extendedCertificate[0] IMPLICIT ExtendedCertificate } + * Return number of certificates added to the signed data, + * 0 or higher is valid. + * Return negative error code for failure. + **/ +static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, + mbedtls_x509_crt *certs ) +{ + int ret; + size_t len1 = 0; + size_t len2 = 0; + unsigned char *end_set, *end_cert; + unsigned char *start = *p; + + if( ( ret = mbedtls_asn1_get_tag( p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + { + if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) + return( 0 ); + + return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + } + start = *p; + end_set = *p + len1; + + ret = mbedtls_asn1_get_tag( p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_CERT + ret ); + + end_cert = *p + len2; + + /* + * This is to verify that there is only one signer certificate. It seems it is + * not easy to differentiate between the chain vs different signer's certificate. + * So, we support only the root certificate and the single signer. + * The behaviour would be improved with addition of multiple signer support. 
+ */ + if (end_cert != end_set) + return ( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + + *p = start; + if( ( ret = mbedtls_x509_crt_parse( certs, *p, len1 ) ) < 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + + *p = *p + len1; + + /* Since in this version we strictly support single certificate, and reaching + * here implies we have parsed successfully, we return 1. */ + + return( 1 ); +} + +/** + * EncryptedDigest ::= OCTET STRING + **/ +static int pkcs7_get_signature( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_buf *signature ) +{ + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OCTET_STRING ); + if( ret != 0 ) + return( ret ); + + signature->tag = MBEDTLS_ASN1_OCTET_STRING; + signature->len = len; + signature->p = *p; + + *p = *p + len; + + return( 0 ); +} + +/** + * SignerInfos ::= SET of SignerInfo + * SignerInfo ::= SEQUENCE { + * version Version; + * issuerAndSerialNumber IssuerAndSerialNumber, + * digestAlgorithm DigestAlgorithmIdentifier, + * authenticatedAttributes + * [0] IMPLICIT Attributes OPTIONAL, + * digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier, + * encryptedDigest EncryptedDigest, + * unauthenticatedAttributes + * [1] IMPLICIT Attributes OPTIONAL, + * Return number of signers added to the signed data, + * 0 or higher is valid. + * Return negative error code for failure. 
+ **/ +static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_signer_info *signers_set ) +{ + unsigned char *end_set, *end_set_signer; + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + end_set = *p + len; + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + end_set_signer = *p + len; + if (end_set_signer != end_set) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + end_set = end_set_signer; + + ret = mbedtls_asn1_get_int( p, end_set, &signers_set->version ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + /* Parsing IssuerAndSerialNumber */ + signers_set->issuer_raw.p = *p; + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + ret = mbedtls_x509_get_name( p, *p + len, &signers_set->issuer ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + signers_set->issuer_raw.len = *p - signers_set->issuer_raw.p; + + ret = mbedtls_x509_get_serial( p, end_set, &signers_set->serial ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_digest_algorithm( p, end_set, &signers_set->alg_identifier ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_digest_algorithm( p, end_set, &signers_set->sig_alg_identifier ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_signature( p, end_set, &signers_set->sig ); + 
if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + signers_set->next = NULL; + + if (*p != end_set) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + /* Since in this version we strictly support single signer, and reaching + * here implies we have parsed successfully, we return 1. */ + + return( 1 ); +} + +/** + * SignedData ::= SEQUENCE { + * version Version, + * digestAlgorithms DigestAlgorithmIdentifiers, + * contentInfo ContentInfo, + * certificates + * [0] IMPLICIT ExtendedCertificatesAndCertificates + * OPTIONAL, + * crls + * [0] IMPLICIT CertificateRevocationLists OPTIONAL, + * signerInfos SignerInfos } + */ +static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, + mbedtls_pkcs7_signed_data *signed_data ) +{ + unsigned char *p = buf; + unsigned char *end = buf + buflen; + unsigned char *end_set; + size_t len = 0; + int ret; + mbedtls_md_type_t md_alg; + + ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + end_set = p + len; + + /* Get version of signed data */ + ret = pkcs7_get_version( &p, end_set, &signed_data->version ); + if( ret != 0 ) + return( ret ); + + /* Get digest algorithm */ + ret = pkcs7_get_digest_algorithm_set( &p, end_set, + &signed_data->digest_alg_identifiers ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_oid_get_md_alg( &signed_data->digest_alg_identifiers, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + + /* Do not expect any content */ + ret = pkcs7_get_content_info_type( &p, end_set, &signed_data->content.oid ); + if( ret != 0 ) + return( ret ); + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid ) ) + { + return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO ) ; + } + + p = p + signed_data->content.oid.len; + + /* Look for certificates, there may or may not be any */ + mbedtls_x509_crt_init( &signed_data->certs ); + ret = 
pkcs7_get_certificates( &p, end_set, &signed_data->certs ); + if( ret < 0 ) + return( ret ) ; + + signed_data->no_of_certs = ret; + + /* + * Currently CRLs are not supported. If CRL exist, the parsing will fail + * at next step of getting signers info and return error as invalid + * signer info. + */ + + signed_data->no_of_crls = 0; + + /* Get signers info */ + ret = pkcs7_get_signers_info_set( &p, end_set, &signed_data->signers ); + if( ret < 0 ) + return( ret ); + + signed_data->no_of_signers = ret; + + /* Support single signer */ + if ( p != end ) + ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; + + ret = 0; + return( ret ); +} + +int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, + const size_t buflen ) +{ + unsigned char *start; + unsigned char *end; + size_t len = 0; + int ret; + + if( !pkcs7 ) + return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); + + /* make an internal copy of the buffer for parsing */ + pkcs7->raw.p = start = mbedtls_calloc( 1, buflen ); + if( pkcs7->raw.p == NULL ) + { + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + } + memcpy( start, buf, buflen ); + pkcs7->raw.len = buflen; + end = start + buflen; + + ret = pkcs7_get_content_info_type( &start, end, &pkcs7->content_type_oid ); + if( ret != 0 ) + goto out; + + if( ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid ) + || ! 
MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) ) + { + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + goto out; + } + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_SIGNED_DATA, &pkcs7->content_type_oid ) ) + { + ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + goto out; + } + + start = start + pkcs7->content_type_oid.len; + + ret = pkcs7_get_next_content_len( &start, end, &len ); + if( ret != 0 ) + goto out; + + ret = pkcs7_get_signed_data( start, len, &pkcs7->signed_data ); + +out: + if ( ret != 0 ) + mbedtls_pkcs7_free( pkcs7 ); + return( ret ); +} + +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen ) +{ + + int ret; + unsigned char *hash; + mbedtls_pk_context pk_cxt = cert->pk; + const mbedtls_md_info_t *md_info; + mbedtls_md_type_t md_alg; + + ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); + if( hash == NULL ) { + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + } + + mbedtls_md( md_info, data, datalen, hash ); + + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0, + pkcs7->signed_data.signers.sig.p, + pkcs7->signed_data.signers.sig.len ); + + mbedtls_free( hash ); + + return( ret ); +} + +int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *hash, size_t hashlen) +{ + int ret; + mbedtls_md_type_t md_alg; + mbedtls_pk_context pk_cxt; + + ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + + pk_cxt = cert->pk; + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen, + pkcs7->signed_data.signers.sig.p, + pkcs7->signed_data.signers.sig.len ); + + return ( ret ); +} + +/* + * Unallocate all pkcs7 
data + */ +void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ) +{ + mbedtls_x509_name *name_cur; + mbedtls_x509_name *name_prv; + + if( pkcs7 == NULL || pkcs7->raw.p == NULL ) + return; + + mbedtls_free( pkcs7->raw.p ); + + mbedtls_x509_crt_free( &pkcs7->signed_data.certs ); + mbedtls_x509_crl_free( &pkcs7->signed_data.crl ); + + name_cur = pkcs7->signed_data.signers.issuer.next; + while( name_cur != NULL ) + { + name_prv = name_cur; + name_cur = name_cur->next; + mbedtls_free( name_prv ); + } + + pkcs7->raw.p = NULL; +} + +#endif diff --git a/scripts/config.py b/scripts/config.py index f045f98f95..1e0f8270ce 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -306,6 +306,7 @@ def include_in_crypto(name): if name in [ 'MBEDTLS_DEBUG_C', # part of libmbedtls 'MBEDTLS_NET_C', # part of libmbedtls + 'MBEDTLS_PKCS7_C', # part of libmbedx509 ]: return False return True diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 6187d17bc3..288b01f184 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
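Review bot: mbedtls_pkcs7_signed_data_verify() never checks that mbedtls_md_info_from_type() found the digest named by the message or that mbedtls_md() succeeded, so a digest OID that is unsupported or compiled out leads to a zero-sized allocation and a never-written buffer being passed to mbedtls_pk_verify() instead of a clean error. Two smaller issues in the same hunk: in pkcs7_get_signed_data() the trailing-bytes check `if ( p != end ) ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT;` is immediately overwritten by `ret = 0;`, so bytes after signerInfos are silently accepted — it should `return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT );` — and the signer's `sig_alg_identifier` is parsed but never compared with the key type in `cert`, so a mismatch between the declared digestEncryptionAlgorithm and the key goes unnoticed. Also, mbedtls_pkcs7_free() frees the raw copy but does not zeroize it as the header comment promises; either zeroize before mbedtls_free() or drop that claim from the docs. The rewrite below adds the two missing checks to the verify path; the rest of the function is unchanged.
```c
int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
    /* … unchanged: remaining parameters, locals, mbedtls_oid_get_md_alg() lookup … */

    /* The digest OID can name an algorithm this build does not provide;
     * mbedtls_md_get_size() would then be 0 and the hash buffer empty. */
    md_info = mbedtls_md_info_from_type( md_alg );
    if( md_info == NULL )
        return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );

    /* … unchanged: hash = mbedtls_calloc( ... ) and its NULL check … */

    /* Never hand a buffer that was not written to mbedtls_pk_verify() */
    ret = mbedtls_md( md_info, data, datalen, hash );
    if( ret != 0 )
    {
        mbedtls_free( hash );
        return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );
    }

    /* … unchanged: mbedtls_pk_verify() call, free of hash, return … */
```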
@@ -1131,6 +1131,98 @@ ecdsa_secp521r1.crt: ecdsa_secp521r1.csr all_final += ecdsa_secp521r1.crt ecdsa_secp521r1.key tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key +# PKCS7 test data +pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt +pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt +pkcs7_test_file = pkcs7_data.txt + +# Generate signing cert +pkcs7-rsa-sha256-1.crt: + $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt + cat pkcs7-rsa-sha256-1.crt pkcs7-rsa-sha256-1.key > pkcs7-rsa-sha256-1.pem +all_final += pkcs7-rsa-sha256-1.crt + +pkcs7-rsa-sha256-2.crt: + $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 2" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-2.key -out pkcs7-rsa-sha256-2.crt + cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem +all_final += pkcs7-rsa-sha256-2.crt + +# Generate data file to be signed +pkcs7_data.txt: + echo "Hello" > $@ + echo 2 >> pkcs7_data_1.txt +all_final += pkcs7_data.txt + +# Generate another data file to check hash mismatch during certificate verification +pkcs7_data_1.txt: $(pkcs7_test_file) + cat $(pkcs7_test_file) > $@ + echo 2 >> $@ +all_final += pkcs7_data_1.txt + +# pkcs7 signature file with CERT +pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ +all_final += pkcs7_data_cert_signed_sha256.der + +# pkcs7 signature file with CERT and sha1 +pkcs7_data_cert_signed_sha1.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ +all_final += pkcs7_data_cert_signed_sha1.der + +# pkcs7 signature file with CERT and sha512 +pkcs7_data_cert_signed_sha512.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) 
smime -sign -binary -in pkcs7_data.txt -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ +all_final += pkcs7_data_cert_signed_sha512.der + +# pkcs7 signature file without CERT +pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@ +all_final += pkcs7_data_without_cert_signed.der + +# pkcs7 signature file with multiple signers +pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@ +all_final += pkcs7_data_multiple_signed.der + +# pkcs7 signature file with multiple certificates +pkcs7_data_multiple_certs_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@ +all_final += pkcs7_data_multiple_certs_signed.der + +# pkcs7 signature file with corrupted CERT +pkcs7_data_signed_badcert.der: pkcs7_data_cert_signed_sha256.der + cp pkcs7_data_cert_signed_sha256.der $@ + echo -en '\xa1' | dd of=$@ bs=1 seek=547 conv=notrunc +all_final += pkcs7_data_signed_badcert.der + +# pkcs7 signature file with corrupted signer info +pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der + cp pkcs7_data_cert_signed_sha256.der $@ + echo -en '\xa1' | dd of=$@ bs=1 seek=918 conv=notrunc +all_final += pkcs7_data_signed_badsigner.der + +# pkcs7 file with version 2 +pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der + cp pkcs7_data_cert_signed_sha256.der $@ + echo -en '\x02' | dd of=$@ bs=1 seek=25 conv=notrunc +all_final += pkcs7_data_cert_signed_v2.der + +pkcs7_data_cert_encrypted.der: 
$(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.txt -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt +all_final += pkcs7_data_cert_encrypted.der + +## Negative tests +# For some interesting sizes, what happens if we make them off-by-one? +pkcs7_signerInfo_issuer_invalid_size.der: pkcs7_data_cert_signed_sha256.der + cp $< $@ + echo -en '\x35' | dd of=$@ seek=919 bs=1 conv=notrunc +all_final += pkcs7_signerInfo_issuer_invalid_size.der + +pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der + cp $< $@ + echo -en '\x15' | dd of=$@ seek=973 bs=1 conv=notrunc +all_final += pkcs7_signerInfo_serial_invalid_size.der + ################################################################ #### Diffie-Hellman parameters ################################################################ diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data new file mode 100644 index 0000000000..870e83bb84 --- /dev/null +++ b/tests/suites/test_suite_pkcs7.data 
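Review bot: The `pkcs7_data.txt` rule ends with `echo 2 >> pkcs7_data_1.txt`, which writes to a different target's output; that line duplicates what the `pkcs7_data_1.txt` rule already does, so the content of pkcs7_data_1.txt depends on which rule ran first and a rebuild can append a second `2`. Dropping that line from the `pkcs7_data.txt` rule makes the "tampered data" fixture deterministic. The `openssl smime -sign` invocations also pass `-out $@` twice; harmless, but worth removing. The corruption rules rely on fixed byte offsets (547, 918, 25, 919, 973) into a freshly generated DER file, so a comment stating which field each offset is meant to hit would help the next person who regenerates the certificates.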
@@ -0,0 +1,53 @@ +PKCS7 Signed Data Parse Pass SHA256 #1 +pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der" + +PKCS7 Signed Data Parse Pass SHA1 #2 +depends_on:MBEDTLS_SHA1_C +pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der" + +PKCS7 Signed Data Parse Pass Without CERT #3 +pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der" + +PKCS7 Signed Data Parse Fail with multiple signers #4 +pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_signed.der" + +PKCS7 Signed Data Parse Fail with multiple certs #4 +pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_certs_signed.der" + +PKCS7 Signed Data Parse Fail with corrupted cert #5 +pkcs7_parse_corrupted_cert:"data_files/pkcs7_data_signed_badcert.der" + +PKCS7 Signed Data Parse Fail with corrupted signer info #6 +pkcs7_parse_corrupted_signer_info:"data_files/pkcs7_data_signed_badsigner.der" + +PKCS7 Signed Data Parse Fail Version other than 1 #7 +pkcs7_parse_version:"data_files/pkcs7_data_cert_signed_v2.der" + +PKCS7 Signed Data Parse Fail Encrypted Content #8 +pkcs7_parse_content_oid:"data_files/pkcs7_data_cert_encrypted.der" + +PKCS7 Signed Data Verification Pass SHA256 #9 +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Pass SHA256 #9.1 +pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Pass SHA1 #10 +depends_on:MBEDTLS_SHA1_C +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Pass SHA512 #11 +depends_on:MBEDTLS_SHA512_C +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Fail because of different certificate #12 
+pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Fail because of different data hash #13 +pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data_1.txt" + +PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1 +pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der" + +PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2 +pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function new file mode 100644 index 0000000000..b5ef2ef361 --- /dev/null +++ b/tests/suites/test_suite_pkcs7.function 
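Review bot: The case identifiers are inconsistent: `#4` labels both the multiple-signers and the multiple-certs cases, `#14` is skipped, and the multiple-certs case reuses `pkcs7_parse_multiple_signers`, so the description and the function name disagree about what is being checked. Renumber the cases sequentially and give the multiple-certs case a description that matches the function it calls (or a function whose name covers both shapes), so that a failing line in the test log identifies the scenario without opening the `.function` file.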
@@ -0,0 +1,420 @@ +/* BEGIN_HEADER */ +#include "mbedtls/bignum.h" +#include "mbedtls/pkcs7.h" +#include "mbedtls/x509.h" +#include "mbedtls/x509_crt.h" +#include "mbedtls/x509_crl.h" +#include "mbedtls/oid.h" +#include "sys/types.h" +#include "sys/stat.h" +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PKCS7_C:MBEDTLS_FS_IO + * END_DEPENDENCIES + */ + +/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_parse( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C*/ +void pkcs7_parse_without_cert( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_parse_multiple_signers( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res < 0 ); + + switch ( res ){ + case MBEDTLS_ERR_PKCS7_INVALID_CERT: + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); + break; + + case 
MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO: + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + break; + default: + TEST_ASSERT(0); + } + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_parse_corrupted_cert( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_parse_corrupted_signer_info( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res < 0 ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */ +void pkcs7_parse_version( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_VERSION ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */ +void pkcs7_parse_content_oid( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + 
size_t buflen; + int res; + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res != 0 ); + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE ); +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + struct stat st; + size_t datalen; + int res; + FILE *file; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509; + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509 ); + + res = mbedtls_x509_crt_parse_file( &x509, crt ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + mbedtls_free( pkcs7_buf ); + + res = stat(filetobesigned, &st); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "rb" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = mbedtls_calloc( datalen, 1 ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen); + + fclose(file); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_x509_crt_free( &x509 ); + mbedtls_free( data ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char 
*data = NULL; + unsigned char hash[32]; + struct stat st; + size_t datalen; + int res; + FILE *file; + const mbedtls_md_info_t *md_info; + mbedtls_md_type_t md_alg; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509; + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509 ); + + res = mbedtls_x509_crt_parse_file( &x509, crt ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + + res = stat(filetobesigned, &st); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "rb" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = mbedtls_calloc( datalen, 1 ); + TEST_ASSERT( data != NULL); + + buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen); + fclose( file ); + + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + mbedtls_md( md_info, data, datalen, hash ); + + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash)); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_x509_crt_free( &x509 ); + mbedtls_free( data ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( pkcs7_buf ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + struct stat st; + size_t datalen; + int res; + FILE *file; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509; + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = 
mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_x509_crt_parse_file( &x509, crt ); + TEST_ASSERT( res == 0 ); + + res = stat(filetobesigned, &st); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "rb" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = mbedtls_calloc( datalen, 1 ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen); + + fclose(file); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); + TEST_ASSERT( res != 0 ); + +exit: + mbedtls_x509_crt_free( &x509 ); + mbedtls_free( data ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( pkcs7_buf ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + struct stat st; + size_t datalen; + int res; + FILE *file; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509; + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_x509_crt_parse_file( &x509, crt ); + TEST_ASSERT( res == 0 ); + + res = stat(filetobesigned, &st); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "rb" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = mbedtls_calloc( datalen, 1 ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen); + + fclose(file); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); + TEST_ASSERT( res != 0 ); + +exit: + mbedtls_x509_crt_free( &x509 ); + mbedtls_pkcs7_free( &pkcs7 ); + 
mbedtls_free( data ); + mbedtls_free( pkcs7_buf ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void pkcs7_parse_failure( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res != 0 ); +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ From 673a226698e1b268fbda06235c04618c9d94a5a1 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 14 Dec 2020 22:44:49 +0000 Subject: [PATCH 002/413] pkcs7: add support for signed data OpenSSL provides APIs to generate only the signted data format PKCS7 i.e. without content type OID. This patch adds support to parse the data correctly even if formatted only as signed data Signed-off-by: Nayna Jain --- include/mbedtls/pkcs7.h | 16 ++++++++++++++- library/pkcs7.c | 27 +++++++++++++++++++++++--- tests/data_files/Makefile | 5 +++++ tests/suites/test_suite_pkcs7.data | 3 +++ tests/suites/test_suite_pkcs7.function | 20 +++++++++---------- 5 files changed, 57 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 3f87dc3e28..59da147b9b 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -96,6 +96,20 @@ typedef mbedtls_asn1_named_data mbedtls_pkcs7_name; */ typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence; +/** + * PKCS7 types + */ +typedef enum { + MBEDTLS_PKCS7_NONE=0, + MBEDTLS_PKCS7_DATA, + MBEDTLS_PKCS7_SIGNED_DATA, + MBEDTLS_PKCS7_ENVELOPED_DATA, + MBEDTLS_PKCS7_SIGNED_AND_ENVELOPED_DATA, + MBEDTLS_PKCS7_DIGESTED_DATA, + MBEDTLS_PKCS7_ENCRYPTED_DATA, +} +mbedtls_pkcs7_type; + /** * Structure holding PKCS7 signer info */ 
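Review bot: In `pkcs7_verify` the `exit:` label never frees `pkcs7_buf`; the buffer is only released mid-body after `mbedtls_pkcs7_parse_der()` succeeds, so a failed `TEST_ASSERT( res == 0 )` on the parse result leaks it. Free it at `exit:` as `pkcs7_verify_hash`, `pkcs7_verify_badcert` and `pkcs7_verify_tampered_data` do, and set `pkcs7_buf = NULL;` right after the mid-body free so the double release is impossible. `pkcs7_verify`, `pkcs7_verify_badcert` and `pkcs7_verify_tampered_data` also use the `mbedtls_calloc( datalen, 1 )` result without the `TEST_ASSERT( data != NULL );` that `pkcs7_verify_hash` has, and in all four verify cases a failed `TEST_ASSERT( buflen == datalen )` jumps to `exit:` with `file` still open. In `pkcs7_verify_hash` the return value of `mbedtls_md()` is discarded, so a digest failure would surface only as a confusing signature mismatch; `TEST_ASSERT( mbedtls_md( md_info, data, datalen, hash ) == 0 );` localises it.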
@@ -168,7 +182,7 @@ void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ); * \p buf. In particular, \p buf may be destroyed or reused * after this call returns. * - * \return \c 0, if successful. + * \return The \c mbedtls_pkcs7_type of \p buf, if successful. * \return A negative error code on failure. */ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, diff --git a/library/pkcs7.c b/library/pkcs7.c index c3236e188a..5563f330ee 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -103,6 +103,7 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, { size_t len = 0; int ret; + unsigned char *start = *p; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); @@ -110,8 +111,10 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); - if( ret != 0 ) + if( ret != 0 ) { + *p = start; return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + } pkcs7->tag = MBEDTLS_ASN1_OID; pkcs7->len = len; @@ -428,6 +431,7 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, unsigned char *end; size_t len = 0; int ret; + int isoidset = 0; if( !pkcs7 ) return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); @@ -444,7 +448,10 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, ret = pkcs7_get_content_info_type( &start, end, &pkcs7->content_type_oid ); if( ret != 0 ) - goto out; + { + len = buflen; + goto try_data; + } if( ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid ) || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) 
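Review bot: The `\return` text should spell out that success is now a positive value and that `0` is never returned, because every caller written against the previous contract (`if( ret != 0 )` means failure) now treats a successful parse as an error; the test updates later in this series show exactly that migration. Suggest ` * \return \c MBEDTLS_PKCS7_SIGNED_DATA (a positive \c mbedtls_pkcs7_type) if successful; \c 0 is never returned.` The other enumerators added in the `-96` hunk are declared but, as far as this series shows, never returned, which the doc could also state so callers do not write a `switch` over values that cannot occur; that hunk's `MBEDTLS_PKCS7_NONE=0` would also read as `MBEDTLS_PKCS7_NONE = 0` per the file's spacing.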
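Review bot: The fallback in `mbedtls_pkcs7_parse_der()` (the `-444` hunk) sets `len = buflen` but keeps `start` wherever `pkcs7_get_content_info_type()` left it, and that function only rewinds `*p` in the OID branch added here, not when the outer SEQUENCE fails. If `mbedtls_asn1_get_tag()` matched the SEQUENCE tag but failed on the length it has, as far as I recall, already advanced `*p` past the tag byte, so the SignedData retry runs with a `start` one byte into the input and a window of `buflen` that extends one byte past its end. Either rewind on every failure path in `pkcs7_get_content_info_type()` (set `*p = start;` before both early returns), or make the caller independent of the callee with `start = (unsigned char *) buf; len = buflen; goto try_data;` using whatever cast the existing initialisation of `start` uses. The name `isoidset` in the `-428` hunk would match the file's `snake_case` locals better as `is_oid_set`.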
@@ -463,17 +470,31 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, goto out; } + isoidset = 1; start = start + pkcs7->content_type_oid.len; ret = pkcs7_get_next_content_len( &start, end, &len ); if( ret != 0 ) goto out; +try_data: ret = pkcs7_get_signed_data( start, len, &pkcs7->signed_data ); + if ( ret != 0 ) + goto out; + + if ( !isoidset ) + { + pkcs7->content_type_oid.tag = MBEDTLS_ASN1_OID; + pkcs7->content_type_oid.len = MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS7_SIGNED_DATA ); + pkcs7->content_type_oid.p = (unsigned char *)MBEDTLS_OID_PKCS7_SIGNED_DATA; + } + + ret = MBEDTLS_PKCS7_SIGNED_DATA; out: - if ( ret != 0 ) + if ( ret < 0 ) mbedtls_pkcs7_free( pkcs7 ); + return( ret ); } diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 288b01f184..dbe32340f7 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1223,6 +1223,11 @@ pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der echo -en '\x15' | dd of=$@ seek=973 bs=1 conv=notrunc all_final += pkcs7_signerInfo_serial_invalid_size.der +# pkcs7 signature file just with signed data +pkcs7_data_cert_signeddata_sha256.der: pkcs7_data_cert_signed_sha256.der + dd if=pkcs7_data_cert_signed_sha256.der of=$@ skip=19 bs=1 +all_final += pkcs7_data_cert_signeddata_sha256.der + ################################################################ #### Diffie-Hellman parameters ################################################################ diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 870e83bb84..75ee9f6b03 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
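Review bot: Once control reaches `try_data`, a malformed ContentInfo header is reported with whatever `pkcs7_get_signed_data()` returns rather than `MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO`, so callers and fuzz triage lose the information that the outer wrapper was the problem; a comment at the label, `/* No ContentInfo wrapper: treat the whole buffer as SignedData */`, should record that this is deliberate. In the `!isoidset` branch `pkcs7->content_type_oid.p = (unsigned char *) MBEDTLS_OID_PKCS7_SIGNED_DATA;` points the field at a string literal, unlike the parsed path whose pointer presumably refers to the input; worth confirming that `mbedtls_pkcs7_free()` never releases `content_type_oid.p`, and a one-line comment that the pointer is a literal would help the next reader. The `ret < 0` change in `out:` is needed by the new positive success value, but a short comment saying so keeps someone from "fixing" it back to `!= 0`.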
@@ -51,3 +51,6 @@ pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der" PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2 pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der" + +PKCS7 Only Signed Data Parse Pass #15 +pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index b5ef2ef361..d85a455613 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -29,7 +29,7 @@ void pkcs7_parse( char *pkcs7_file ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); exit: mbedtls_free( pkcs7_buf ); @@ -52,7 +52,7 @@ void pkcs7_parse_without_cert( char *pkcs7_file ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); exit: mbedtls_free( pkcs7_buf ); @@ -210,10 +210,10 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); mbedtls_free( pkcs7_buf ); - res = stat(filetobesigned, &st); + res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); file = fopen( filetobesigned, "rb" ); @@ -263,9 +263,9 @@ void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - res = stat(filetobesigned, &st); + res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); file = fopen( filetobesigned, "rb" ); 
@@ -319,12 +319,12 @@ void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); res = mbedtls_x509_crt_parse_file( &x509, crt ); TEST_ASSERT( res == 0 ); - res = stat(filetobesigned, &st); + res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); file = fopen( filetobesigned, "rb" ); @@ -369,12 +369,12 @@ void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesign TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); res = mbedtls_x509_crt_parse_file( &x509, crt ); TEST_ASSERT( res == 0 ); - res = stat(filetobesigned, &st); + res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); file = fopen( filetobesigned, "rb" ); From ca07f06024c381a69d692bb67a5c75b6675999b9 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Fri, 12 Jun 2020 18:44:04 +0000 Subject: [PATCH 003/413] mbedtls: add pkcs7 in generate_errors.pl This patch updates the generate_errors.pl to handle PKCS7 code as well. Signed-off-by: Nayna Jain --- scripts/generate_errors.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index 0a03f02e96..6ecd0acd41 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -52,7 +52,7 @@ my @low_level_modules = qw( AES ARIA ASN1 BASE64 BIGNUM SHA1 SHA256 SHA512 THREADING ); my @high_level_modules = qw( CIPHER DHM ECP MD PEM PK PKCS12 PKCS5 - RSA SSL X509 ); + RSA SSL X509 PKCS7 ); undef $/; 
@@ -136,6 +136,7 @@ foreach my $match (@matches) $define_name = "ASN1_PARSE" if ($define_name eq "ASN1"); $define_name = "SSL_TLS" if ($define_name eq "SSL"); $define_name = "PEM_PARSE,PEM_WRITE" if ($define_name eq "PEM"); + $define_name = "PKCS7" if ($define_name eq "PKCS7"); my $include_name = $module_name; $include_name =~ tr/A-Z/a-z/; From aa91d4ef0bda8306925705cfecbf76725001c43a Mon Sep 17 00:00:00 2001 From: Daniel Axtens Date: Fri, 29 May 2020 00:23:21 +1000 Subject: [PATCH 004/413] pkcs7: build under CMake The patch updates CMakeLists.txt to include pkcs7. Signed-off-by: Daniel Axtens --- library/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 378cfb4570..aed4a05c47 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -89,6 +89,7 @@ set(src_crypto ) set(src_x509 + pkcs7.c x509.c x509_create.c x509_crl.c From 106a0afc5a8819d6f7fc450c66caa5919681cdd5 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Tue, 3 Nov 2020 21:07:21 +0000 Subject: [PATCH 005/413] pkcs7: provide fuzz harness This allows for pkcs7 fuzz testing with OSS-Fuzz. Signed-off-by: Daniel Axtens Signed-off-by: Nayna Jain --- programs/fuzz/.gitignore | 1 + programs/fuzz/CMakeLists.txt | 1 + programs/fuzz/fuzz_pkcs7.c | 19 +++++++++++++++++++ programs/fuzz/fuzz_pkcs7.options | 2 ++ 4 files changed, 23 insertions(+) create mode 100644 programs/fuzz/fuzz_pkcs7.c create mode 100644 programs/fuzz/fuzz_pkcs7.options diff --git a/programs/fuzz/.gitignore b/programs/fuzz/.gitignore index 5dc0960551..34e3ed0882 100644 --- a/programs/fuzz/.gitignore +++ b/programs/fuzz/.gitignore @@ -1,6 +1,7 @@ fuzz_client fuzz_dtlsclient fuzz_dtlsserver +fuzz_pkcs7 fuzz_privkey fuzz_pubkey fuzz_server diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index c7fcd356bc..7747744cd1 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt 
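Review bot: `$define_name = "PKCS7" if ($define_name eq "PKCS7");` is a no-op: it assigns the variable the value it already holds. The neighbouring lines exist to map a module name to a differently named config define (`ASN1` to `ASN1_PARSE`, `SSL` to `SSL_TLS`); PKCS7 needs no such mapping, so the line should be dropped, or, if a different define was intended, spell it out. The enclosing `foreach` starts and ends outside the hunk.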
@@ -12,6 +12,7 @@ set(executables_no_common_c fuzz_x509crl fuzz_x509crt fuzz_x509csr
+ fuzz_pkcs7
 ) set(executables_with_common_c
diff --git a/programs/fuzz/fuzz_pkcs7.c b/programs/fuzz/fuzz_pkcs7.c new file mode 100644
index 0000000000..960007d7ab
--- /dev/null
+++ b/programs/fuzz/fuzz_pkcs7.c
@@ -0,0 +1,19 @@
+#include
+#include "mbedtls/pkcs7.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_PKCS7_C
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ mbedtls_pkcs7_parse_der( &pkcs7, Data, Size );
+
+ mbedtls_pkcs7_free( &pkcs7 );
+#else
+ (void) Data;
+ (void) Size;
+#endif
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_pkcs7.options b/programs/fuzz/fuzz_pkcs7.options new file mode 100644
index 0000000000..0824b19fab
--- /dev/null
+++ b/programs/fuzz/fuzz_pkcs7.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65535
From 136c6aa46732ad0fd6d1f884af8eae8893208cbe Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Wed, 18 Nov 2020 14:44:21 +0000 Subject: [PATCH 006/413] mbedtls: add pkcs7 test data This commit adds the static test data generated by commands from Makefile.
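Review bot: The harness reaches only `mbedtls_pkcs7_parse_der()`; the signer/certificate matching and digest comparison in `mbedtls_pkcs7_signed_data_verify()` and `mbedtls_pkcs7_signed_hash_verify()`, which is the code that consumes attacker-controlled SignerInfo fields, gets no coverage. Calling verify on inputs that parse successfully, against a fixed self-signed certificate compiled into the harness (the fuzz directory's other harnesses show the pattern for embedded fixtures), would exercise that path without needing the fuzzer to forge a signature. The parse return value is also discarded; with the positive-return contract introduced later in this series a cheap invariant is `int ret = mbedtls_pkcs7_parse_der( &pkcs7, Data, Size );` followed by `if( ret > 0 && ret != MBEDTLS_PKCS7_SIGNED_DATA ) abort();`. The first `#include` has lost its header name in this rendering; `uint8_t` needs `<stdint.h>`, so check the committed file carries it.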
Signed-off-by: Nayna Jain --- tests/data_files/pkcs7-rsa-sha256-1.crt | 20 ++++++++ tests/data_files/pkcs7-rsa-sha256-1.key | 28 ++++++++++ tests/data_files/pkcs7-rsa-sha256-1.pem | 48 ++++++++++++++++++ tests/data_files/pkcs7-rsa-sha256-2.crt | 20 ++++++++ tests/data_files/pkcs7-rsa-sha256-2.key | 28 ++++++++++ tests/data_files/pkcs7-rsa-sha256-2.pem | 48 ++++++++++++++++++ tests/data_files/pkcs7_data.txt | 1 + tests/data_files/pkcs7_data_1.txt | 1 + .../data_files/pkcs7_data_cert_encrypted.der | Bin 0 -> 452 bytes .../pkcs7_data_cert_signed_sha1.der | Bin 0 -> 1276 bytes .../pkcs7_data_cert_signed_sha256.der | Bin 0 -> 1284 bytes .../pkcs7_data_cert_signed_sha512.der | Bin 0 -> 1284 bytes .../data_files/pkcs7_data_cert_signed_v2.der | Bin 0 -> 1284 bytes .../pkcs7_data_cert_signeddata_sha256.der | Bin 0 -> 1265 bytes .../pkcs7_data_multiple_certs_signed.der | Bin 0 -> 2504 bytes .../data_files/pkcs7_data_multiple_signed.der | Bin 0 -> 810 bytes .../data_files/pkcs7_data_signed_badcert.der | Bin 0 -> 1284 bytes .../pkcs7_data_signed_badsigner.der | Bin 0 -> 1284 bytes .../pkcs7_data_without_cert_signed.der | Bin 0 -> 435 bytes .../pkcs7_signerInfo_issuer_invalid_size.der | Bin 0 -> 1284 bytes .../pkcs7_signerInfo_serial_invalid_size.der | Bin 0 -> 1284 bytes 21 files changed, 194 insertions(+) create mode 100644 tests/data_files/pkcs7-rsa-sha256-1.crt create mode 100644 tests/data_files/pkcs7-rsa-sha256-1.key create mode 100644 tests/data_files/pkcs7-rsa-sha256-1.pem create mode 100644 tests/data_files/pkcs7-rsa-sha256-2.crt create mode 100644 tests/data_files/pkcs7-rsa-sha256-2.key create mode 100644 tests/data_files/pkcs7-rsa-sha256-2.pem create mode 100644 tests/data_files/pkcs7_data.txt create mode 100644 tests/data_files/pkcs7_data_1.txt create mode 100644 tests/data_files/pkcs7_data_cert_encrypted.der create mode 100644 tests/data_files/pkcs7_data_cert_signed_sha1.der create mode 100644 tests/data_files/pkcs7_data_cert_signed_sha256.der create mode 100644 
tests/data_files/pkcs7_data_cert_signed_sha512.der create mode 100644 tests/data_files/pkcs7_data_cert_signed_v2.der create mode 100644 tests/data_files/pkcs7_data_cert_signeddata_sha256.der create mode 100644 tests/data_files/pkcs7_data_multiple_certs_signed.der create mode 100644 tests/data_files/pkcs7_data_multiple_signed.der create mode 100644 tests/data_files/pkcs7_data_signed_badcert.der create mode 100644 tests/data_files/pkcs7_data_signed_badsigner.der create mode 100644 tests/data_files/pkcs7_data_without_cert_signed.der create mode 100644 tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der create mode 100644 tests/data_files/pkcs7_signerInfo_serial_invalid_size.der diff --git a/tests/data_files/pkcs7-rsa-sha256-1.crt b/tests/data_files/pkcs7-rsa-sha256-1.crt new file mode 100644 index 0000000000..ebbaf7cc6e --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-1.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUMBERfOWtW1Y8Y661YJt3KlBYYZ0wDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT +NyBDZXJ0IDEwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfqRyKXRqfkj/BThWvwcKfv +qsTiZmVOE6sIusfY86qae4Yv8R8AaBgA3eYbSOat/Xyr3VFgZGtv9Hc8iDM7K1h9 +U9WBKPGN1gGw12LzAxIbf+t5qkH21YtPNkr7liwJruhTh/JLypKE/SVW1XIS47PE +Ug92emsRMKfgsReO7x/EmB/c5cnXfwnrc+DKog2eB+6eIPhq2uq0g+/bV8hkx8+D +N50Qq1OMdy0s/RXeurlYG72jhpj978eOq467vUIIxyD4ggsh9f3ZMOEGFlGjSiZL +CXTgbIbwXnndamf3iqWWN5ZiDH6NVP1UTfCvxvX4HfBE928z0OXu4k7QxNaboEEC +AwEAAaNTMFEwHQYDVR0OBBYEFF1d36HSc95cdyWYy/SRZPsmWncJMB8GA1UdIwQY +MBaAFF1d36HSc95cdyWYy/SRZPsmWncJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAIqAZJRQFPL8GFpxp0ZjF4vSiKX/D0/+LJB+vei4ZGZMaqRo +afT9LBAquK1JjXYXJ9wz56ueVxggouVLb6XTrAwsHISwVxKzxkmBde2egPZ9L7tw +EJdb2YPAkdoi3fY259N6KS8S0MwMMi/YmiXpVpQiPQ5tQFdbT9oSqewi/C7TudFc +hez1M7ToYfbMaZ1yQxf5otT8wKVKhLdEb9ncE2Jku6eH+5+lcVFsliLcNo28bd0c +joRYufduegaxmFluq4YWCozgET38AFKiG9Y8fK34He/qJIwHn7nWJ3cy3j+NAh3X +gpobw4JhCNXaInaNx/BZsoedjXnkunhgRijykOU= +-----END CERTIFICATE----- diff --git a/tests/data_files/pkcs7-rsa-sha256-1.key b/tests/data_files/pkcs7-rsa-sha256-1.key new file mode 100644 index 0000000000..0c7d37d880 --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-1.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDH6kcil0an5I/w +U4Vr8HCn76rE4mZlThOrCLrH2POqmnuGL/EfAGgYAN3mG0jmrf18q91RYGRrb/R3 +PIgzOytYfVPVgSjxjdYBsNdi8wMSG3/reapB9tWLTzZK+5YsCa7oU4fyS8qShP0l +VtVyEuOzxFIPdnprETCn4LEXju8fxJgf3OXJ138J63PgyqINngfuniD4atrqtIPv +21fIZMfPgzedEKtTjHctLP0V3rq5WBu9o4aY/e/HjquOu71CCMcg+IILIfX92TDh +BhZRo0omSwl04GyG8F553Wpn94qlljeWYgx+jVT9VE3wr8b1+B3wRPdvM9Dl7uJO +0MTWm6BBAgMBAAECggEASx6bUEIryJa4B4Q61E5q5o/GSWkRNOvbtB75oHLDTM3z +sH5/Sjjq5Goe94I1KIkkgR5LcXKZCU3uPIfAXg/Tv9KIF+gKrImxar06kfHiq4Et +1hvHgDXyFADV0+MpkK6qzJ3mrYMRQXE7djZkyhKTAU+5zhmk8mppMAvcP4/0Bqk8 +EQRd6rPzeQdK6Lz0UPHsjO2bqksdqtts090W07VY13tZdSL3Xsjig0TEsM0Oalv9 +VKTU+xBLQuD9cn2QYQfSflQl7ZGrS2N7OeZ4Ju5Spygo7YO/Lsl3WMYKNPiX7E7T +Z+sD6duWLbPC6atWgk1XmD9oZLBsx/jZT/Lp+cOLaQKBgQD3u8iNs4AafDnxAdZc +3vQBH0yablI5nRtRrAmpjyj8gNNbszoeCM+7MBJ2Npw3qnYtqRWw5vKljU3gVLXG +aPxUnyAJIVBWZDdlnnqOjKY++k6IF+3vcal9In+j5W0HYEfngLSm1/mJJHfK4N21 +JaJMwIxXJBkt0AbhyJlFc5WWowKBgQDOlgPY2xabKU5r+st3n1QKReirkb07rUR0 +ky3nBDGfI3svglX+5ZC/cDsl/YjAkGgOYgpgf1z0KUj2GmkQ6eMj9QVwzstwhKql +Asg4BXTd36Ia4zAbIYluUqHgbQOXKItLwJ3o1UImRlOosxG1hrHm1YpBZu9LEq// +medOr+nvywKBgA5eNMaLJ53hoJaqzZz7TVmXUCEQzvIKe6AkAzdzVyQ18Iw7+93s +Eug/ZIK4rhzIZSxGxzxIWMBjTqX5I8XLJv9db0U4SmmITHI3W9JSs/2pFM7t3F3r +0LGyQ4bk8orf+auimlem5REgLVZ17kXoVd5vuHQBYvh2PT/xG3qctotTAoGAeVgW +lGdEJQmjPbvHjdExjQM5QqXNUGNbBVp6KOsGtqIhtmtJVfrEBh7HL253yBxKcsBV +tg65q9UgPSaQNlYbjEBc3MErMEFM9rXmozlZRwYX8tElrZoKXpn86ZU++afgAjP2 +zQ+O1mqSs1HTghvHHX6qwfXTcvZcGLfu7QJZV/cCgYEAkpfg4Ev8zPPTpDTeS3h+ +uUhrU7cQ6Ry1+S1effLjaDLm+YdpXJ7DGhtV6yLSXbZPlcmbzYZyvBmYixdz8oqw +btJym460gKjAQLIrMcLL3tJcX5ww6oRCL5hqZgvcFeIlmYSTIEZs0X69Ft8trWSu +A3BsQ4P24o/FXcvGAv0gH0E= +-----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7-rsa-sha256-1.pem b/tests/data_files/pkcs7-rsa-sha256-1.pem new file mode 100644 index 0000000000..fe1e16f8dc --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-1.pem 
@@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUMBERfOWtW1Y8Y661YJt3KlBYYZ0wDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT +NyBDZXJ0IDEwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfqRyKXRqfkj/BThWvwcKfv +qsTiZmVOE6sIusfY86qae4Yv8R8AaBgA3eYbSOat/Xyr3VFgZGtv9Hc8iDM7K1h9 +U9WBKPGN1gGw12LzAxIbf+t5qkH21YtPNkr7liwJruhTh/JLypKE/SVW1XIS47PE +Ug92emsRMKfgsReO7x/EmB/c5cnXfwnrc+DKog2eB+6eIPhq2uq0g+/bV8hkx8+D +N50Qq1OMdy0s/RXeurlYG72jhpj978eOq467vUIIxyD4ggsh9f3ZMOEGFlGjSiZL +CXTgbIbwXnndamf3iqWWN5ZiDH6NVP1UTfCvxvX4HfBE928z0OXu4k7QxNaboEEC +AwEAAaNTMFEwHQYDVR0OBBYEFF1d36HSc95cdyWYy/SRZPsmWncJMB8GA1UdIwQY +MBaAFF1d36HSc95cdyWYy/SRZPsmWncJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAIqAZJRQFPL8GFpxp0ZjF4vSiKX/D0/+LJB+vei4ZGZMaqRo +afT9LBAquK1JjXYXJ9wz56ueVxggouVLb6XTrAwsHISwVxKzxkmBde2egPZ9L7tw +EJdb2YPAkdoi3fY259N6KS8S0MwMMi/YmiXpVpQiPQ5tQFdbT9oSqewi/C7TudFc +hez1M7ToYfbMaZ1yQxf5otT8wKVKhLdEb9ncE2Jku6eH+5+lcVFsliLcNo28bd0c +joRYufduegaxmFluq4YWCozgET38AFKiG9Y8fK34He/qJIwHn7nWJ3cy3j+NAh3X +gpobw4JhCNXaInaNx/BZsoedjXnkunhgRijykOU= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDH6kcil0an5I/w +U4Vr8HCn76rE4mZlThOrCLrH2POqmnuGL/EfAGgYAN3mG0jmrf18q91RYGRrb/R3 +PIgzOytYfVPVgSjxjdYBsNdi8wMSG3/reapB9tWLTzZK+5YsCa7oU4fyS8qShP0l +VtVyEuOzxFIPdnprETCn4LEXju8fxJgf3OXJ138J63PgyqINngfuniD4atrqtIPv +21fIZMfPgzedEKtTjHctLP0V3rq5WBu9o4aY/e/HjquOu71CCMcg+IILIfX92TDh +BhZRo0omSwl04GyG8F553Wpn94qlljeWYgx+jVT9VE3wr8b1+B3wRPdvM9Dl7uJO +0MTWm6BBAgMBAAECggEASx6bUEIryJa4B4Q61E5q5o/GSWkRNOvbtB75oHLDTM3z +sH5/Sjjq5Goe94I1KIkkgR5LcXKZCU3uPIfAXg/Tv9KIF+gKrImxar06kfHiq4Et +1hvHgDXyFADV0+MpkK6qzJ3mrYMRQXE7djZkyhKTAU+5zhmk8mppMAvcP4/0Bqk8 +EQRd6rPzeQdK6Lz0UPHsjO2bqksdqtts090W07VY13tZdSL3Xsjig0TEsM0Oalv9 +VKTU+xBLQuD9cn2QYQfSflQl7ZGrS2N7OeZ4Ju5Spygo7YO/Lsl3WMYKNPiX7E7T 
+Z+sD6duWLbPC6atWgk1XmD9oZLBsx/jZT/Lp+cOLaQKBgQD3u8iNs4AafDnxAdZc +3vQBH0yablI5nRtRrAmpjyj8gNNbszoeCM+7MBJ2Npw3qnYtqRWw5vKljU3gVLXG +aPxUnyAJIVBWZDdlnnqOjKY++k6IF+3vcal9In+j5W0HYEfngLSm1/mJJHfK4N21 +JaJMwIxXJBkt0AbhyJlFc5WWowKBgQDOlgPY2xabKU5r+st3n1QKReirkb07rUR0 +ky3nBDGfI3svglX+5ZC/cDsl/YjAkGgOYgpgf1z0KUj2GmkQ6eMj9QVwzstwhKql +Asg4BXTd36Ia4zAbIYluUqHgbQOXKItLwJ3o1UImRlOosxG1hrHm1YpBZu9LEq// +medOr+nvywKBgA5eNMaLJ53hoJaqzZz7TVmXUCEQzvIKe6AkAzdzVyQ18Iw7+93s +Eug/ZIK4rhzIZSxGxzxIWMBjTqX5I8XLJv9db0U4SmmITHI3W9JSs/2pFM7t3F3r +0LGyQ4bk8orf+auimlem5REgLVZ17kXoVd5vuHQBYvh2PT/xG3qctotTAoGAeVgW +lGdEJQmjPbvHjdExjQM5QqXNUGNbBVp6KOsGtqIhtmtJVfrEBh7HL253yBxKcsBV +tg65q9UgPSaQNlYbjEBc3MErMEFM9rXmozlZRwYX8tElrZoKXpn86ZU++afgAjP2 +zQ+O1mqSs1HTghvHHX6qwfXTcvZcGLfu7QJZV/cCgYEAkpfg4Ev8zPPTpDTeS3h+ +uUhrU7cQ6Ry1+S1effLjaDLm+YdpXJ7DGhtV6yLSXbZPlcmbzYZyvBmYixdz8oqw +btJym460gKjAQLIrMcLL3tJcX5ww6oRCL5hqZgvcFeIlmYSTIEZs0X69Ft8trWSu +A3BsQ4P24o/FXcvGAv0gH0E= +-----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7-rsa-sha256-2.crt b/tests/data_files/pkcs7-rsa-sha256-2.crt new file mode 100644 index 0000000000..0cd377afcc --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-2.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUSbz5H6XcKL1urGmyF9I9v63PwccwDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT +NyBDZXJ0IDIwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4tAEi8b+ZE3OIuv91WduiU +qQQXPqMNndTj3Q3hxd5CvYCZ3dAoYQOdPOtGWxLe89zpqUI/Sp8hSpCOw0ucgxCe +96ahpx/BVvMG6BabtxSXWYmGv0rJmFE3LwzskvK9P8dwaGLZler+9CgjKtcgfhTc +zbwhSDeHCHAZWqJUtLpAACiU8rn78p7x8zWoUUsntUiTCyw1SCHvIhGPeCbT4QVX +YNxIP2H52s7waHqtHLpGtJSsSxTxfbxcmbMQlrDaY/8ArLxo2VKqvGJv90IDjbGy +ORHRMOuxxxjowC9+yH4xtVRl821dsJFSSnmAEBXas3hkneFVBxiR7vUf61Wv760C +AwEAAaNTMFEwHQYDVR0OBBYEFNdysL6wT6p/KA7w/efpAyX7/FXZMB8GA1UdIwQY +MBaAFNdysL6wT6p/KA7w/efpAyX7/FXZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAKGSxRvoL+FpC4LtiT4Cie53yKlzISq+ZMR4eHm1BFSidiFv +apntxj9k1JIIlDzbabVEJdy+O8EzipqUNFdPky+EpnZTnoTXilNusPH2FW+R6qMx +XrDl4MwtSYnH1RwkjF+yjYysp6pdxm+gr6k7lS4biHq6VfUYSvQBvSuIYMn+XZa/ +ZgQs0NWeh3GgVFkpGkG/yxXMq1WRGSrFfmqExLVpMeNXTINQsK5PH/JMaj44c4T7 ++qbq9Rf4U4ezkTUXHsQQsA3dFpPiL5Lv6RS+31VKLpXYJQ9j/Z+IWBFjTf/utt5T +VA2cEFCZIkNYUoX8RVs23cQr/ZNBxxgO/7JYNSE= +-----END CERTIFICATE----- diff --git a/tests/data_files/pkcs7-rsa-sha256-2.key b/tests/data_files/pkcs7-rsa-sha256-2.key new file mode 100644 index 0000000000..6226f8ad46 --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-2.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeLQBIvG/mRNzi +Lr/dVnbolKkEFz6jDZ3U490N4cXeQr2Amd3QKGEDnTzrRlsS3vPc6alCP0qfIUqQ +jsNLnIMQnvemoacfwVbzBugWm7cUl1mJhr9KyZhRNy8M7JLyvT/HcGhi2ZXq/vQo +IyrXIH4U3M28IUg3hwhwGVqiVLS6QAAolPK5+/Ke8fM1qFFLJ7VIkwssNUgh7yIR +j3gm0+EFV2DcSD9h+drO8Gh6rRy6RrSUrEsU8X28XJmzEJaw2mP/AKy8aNlSqrxi +b/dCA42xsjkR0TDrsccY6MAvfsh+MbVUZfNtXbCRUkp5gBAV2rN4ZJ3hVQcYke71 +H+tVr++tAgMBAAECggEANzztAyiGkbOxTzLcVQV4Tt8XHoNA+X0bLqDwhtEJRvdE +8kJPGb/QTvu696voXMq9ysD1ahkeTm4Sgdpcx+HD3FAJto4eZRDGs2mWLnjMjfwL +MNwll0yD6D1WH1p6NovC3a0e5uS+F00IGyqTLiVP85PqOsnzkIqsGGLVW+K/hEaK +lRqKEf5tYzkdmlay8SfJQf03TuJVFp6qAgG/gH2EkGR/B4SLotXYDNXLFAzlx/N3 +QXHRIKhYOcvznbJ7Doww+nCyO613cUeZ1t3/22QRC3Vm8WMaYzxivGoMzmGM2YqI +MtUG+zXm4if9+MmT0CQ3meWLYwkIbFax6/6DLS6iKQKBgQD4EU4CEEjCsnYm7668 +0THvkcEsOTvSKroLYPKsuUbeoBfCvK4/o6kb2dQbR9c8MnHAJ8yN9gMbuP/njPUu +G9/sycI3uDRYpsQDeBcD74NtCAKqB1s7kcucMzxudwAqw/jJCJxyPqGiS8HJGQRO +sQMtBkvQx9RqKKagAgCWwaiLQwKBgQDlR76cQN3GSVRZfsA2rqTyZo8b4ECSEu0O +4vSQ0i5xMWp8uJLRBxktRYYCMfzH6dHDG+GNYearolOHm7BfC3QUH2EC6kE2D/9P +A40JrF7QEkDRtQ2rmNOQ2diLB1wYQiqRJieuXVIIzaRcyenRxP6ec2YMmHl9FaPh +dmYzjtDSTwKBgFr2/YQENKowhuMAQTM8AvO2nv94fVc0E8TYaCSuTC6Wxh/C0KLF +gN2VoxHd5i9M0CmGbpwf+kPQMwbVyZJ+5j4OPgnwokFf5cDf6JCo46i3p0JyMCJH +9EHzB9X6DTWhZzlQzw2Vqe+5l/YGFm5EusVn6aVFob7L6U4DbfPaT9PBAoGAD1Hi +55fh+azOqQgyGbVDqjq2Fzu9tMT0+AisJL0Wg1O09M50aOkbgo3hrWXfqQ/zhyDm +ykafXhqDkE0T1NX0FKAgIEy8vLsG6SWol9vfnfGKSTjax/t3L3eO44NDYQ+Svo4Z +Gqp7n8D12YlYST7rcHTvfan2fCglAhyiKZHCXDsCgYEA0BeqGpJ6Oz6O8g61JixG +EryjO2cCnQLWlwlal40L63wY5tNDCixuDM6zJFq/tT9DYMuNANrfsqWU2ImKTNPE +kwlMgP813aPXREgyV3ylL4KLusfDF6hqPtDcU2QK05LuTX7puHwi0pR8jAmPzrng +Y2ncNnRJI7vczDETaW1vuoE= +-----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7-rsa-sha256-2.pem b/tests/data_files/pkcs7-rsa-sha256-2.pem new file mode 100644 index 0000000000..0f03a43a04 --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-2.pem 
@@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUSbz5H6XcKL1urGmyF9I9v63PwccwDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT +NyBDZXJ0IDIwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4tAEi8b+ZE3OIuv91WduiU +qQQXPqMNndTj3Q3hxd5CvYCZ3dAoYQOdPOtGWxLe89zpqUI/Sp8hSpCOw0ucgxCe +96ahpx/BVvMG6BabtxSXWYmGv0rJmFE3LwzskvK9P8dwaGLZler+9CgjKtcgfhTc +zbwhSDeHCHAZWqJUtLpAACiU8rn78p7x8zWoUUsntUiTCyw1SCHvIhGPeCbT4QVX +YNxIP2H52s7waHqtHLpGtJSsSxTxfbxcmbMQlrDaY/8ArLxo2VKqvGJv90IDjbGy +ORHRMOuxxxjowC9+yH4xtVRl821dsJFSSnmAEBXas3hkneFVBxiR7vUf61Wv760C +AwEAAaNTMFEwHQYDVR0OBBYEFNdysL6wT6p/KA7w/efpAyX7/FXZMB8GA1UdIwQY +MBaAFNdysL6wT6p/KA7w/efpAyX7/FXZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAKGSxRvoL+FpC4LtiT4Cie53yKlzISq+ZMR4eHm1BFSidiFv +apntxj9k1JIIlDzbabVEJdy+O8EzipqUNFdPky+EpnZTnoTXilNusPH2FW+R6qMx +XrDl4MwtSYnH1RwkjF+yjYysp6pdxm+gr6k7lS4biHq6VfUYSvQBvSuIYMn+XZa/ +ZgQs0NWeh3GgVFkpGkG/yxXMq1WRGSrFfmqExLVpMeNXTINQsK5PH/JMaj44c4T7 ++qbq9Rf4U4ezkTUXHsQQsA3dFpPiL5Lv6RS+31VKLpXYJQ9j/Z+IWBFjTf/utt5T +VA2cEFCZIkNYUoX8RVs23cQr/ZNBxxgO/7JYNSE= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeLQBIvG/mRNzi +Lr/dVnbolKkEFz6jDZ3U490N4cXeQr2Amd3QKGEDnTzrRlsS3vPc6alCP0qfIUqQ +jsNLnIMQnvemoacfwVbzBugWm7cUl1mJhr9KyZhRNy8M7JLyvT/HcGhi2ZXq/vQo +IyrXIH4U3M28IUg3hwhwGVqiVLS6QAAolPK5+/Ke8fM1qFFLJ7VIkwssNUgh7yIR +j3gm0+EFV2DcSD9h+drO8Gh6rRy6RrSUrEsU8X28XJmzEJaw2mP/AKy8aNlSqrxi +b/dCA42xsjkR0TDrsccY6MAvfsh+MbVUZfNtXbCRUkp5gBAV2rN4ZJ3hVQcYke71 +H+tVr++tAgMBAAECggEANzztAyiGkbOxTzLcVQV4Tt8XHoNA+X0bLqDwhtEJRvdE +8kJPGb/QTvu696voXMq9ysD1ahkeTm4Sgdpcx+HD3FAJto4eZRDGs2mWLnjMjfwL +MNwll0yD6D1WH1p6NovC3a0e5uS+F00IGyqTLiVP85PqOsnzkIqsGGLVW+K/hEaK +lRqKEf5tYzkdmlay8SfJQf03TuJVFp6qAgG/gH2EkGR/B4SLotXYDNXLFAzlx/N3 +QXHRIKhYOcvznbJ7Doww+nCyO613cUeZ1t3/22QRC3Vm8WMaYzxivGoMzmGM2YqI 
+MtUG+zXm4if9+MmT0CQ3meWLYwkIbFax6/6DLS6iKQKBgQD4EU4CEEjCsnYm7668 +0THvkcEsOTvSKroLYPKsuUbeoBfCvK4/o6kb2dQbR9c8MnHAJ8yN9gMbuP/njPUu +G9/sycI3uDRYpsQDeBcD74NtCAKqB1s7kcucMzxudwAqw/jJCJxyPqGiS8HJGQRO +sQMtBkvQx9RqKKagAgCWwaiLQwKBgQDlR76cQN3GSVRZfsA2rqTyZo8b4ECSEu0O +4vSQ0i5xMWp8uJLRBxktRYYCMfzH6dHDG+GNYearolOHm7BfC3QUH2EC6kE2D/9P +A40JrF7QEkDRtQ2rmNOQ2diLB1wYQiqRJieuXVIIzaRcyenRxP6ec2YMmHl9FaPh +dmYzjtDSTwKBgFr2/YQENKowhuMAQTM8AvO2nv94fVc0E8TYaCSuTC6Wxh/C0KLF +gN2VoxHd5i9M0CmGbpwf+kPQMwbVyZJ+5j4OPgnwokFf5cDf6JCo46i3p0JyMCJH +9EHzB9X6DTWhZzlQzw2Vqe+5l/YGFm5EusVn6aVFob7L6U4DbfPaT9PBAoGAD1Hi +55fh+azOqQgyGbVDqjq2Fzu9tMT0+AisJL0Wg1O09M50aOkbgo3hrWXfqQ/zhyDm +ykafXhqDkE0T1NX0FKAgIEy8vLsG6SWol9vfnfGKSTjax/t3L3eO44NDYQ+Svo4Z +Gqp7n8D12YlYST7rcHTvfan2fCglAhyiKZHCXDsCgYEA0BeqGpJ6Oz6O8g61JixG +EryjO2cCnQLWlwlal40L63wY5tNDCixuDM6zJFq/tT9DYMuNANrfsqWU2ImKTNPE +kwlMgP813aPXREgyV3ylL4KLusfDF6hqPtDcU2QK05LuTX7puHwi0pR8jAmPzrng +Y2ncNnRJI7vczDETaW1vuoE= +-----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7_data.txt b/tests/data_files/pkcs7_data.txt new file mode 100644 index 0000000000..e965047ad7 --- /dev/null +++ b/tests/data_files/pkcs7_data.txt @@ -0,0 +1 @@ +Hello diff --git a/tests/data_files/pkcs7_data_1.txt b/tests/data_files/pkcs7_data_1.txt new file mode 100644 index 0000000000..0cfbf08886 --- /dev/null +++ b/tests/data_files/pkcs7_data_1.txt @@ -0,0 +1 @@ +2 
diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der new file mode 100644 index 0000000000000000000000000000000000000000..0d0706931e625b35b37466511e87ea4da5a731ba GIT binary patch literal 452 zcmXqLVm!dcsnzDu_MMlJoq0hM<3@uf#CyK)2f{@U2NS<^=CU)7tGsN z8*UbRUd(O#gvgnWyQ-_FPOJF2?fIEaTr&FBt5s7?9oNTPxe9TNztPBR+2t|wwnwWhJ znwUKenwSh1Ff%bSF^L!m3f4Sb8y#koyl!j4>~gJuh{U-Dyl_2?+(08tz$P+>vaks= z`S}>~8St{-pmyaBKF5g5~d59eI?N z>Lpz%)t2V>x5H1Q96#S|K38CMa8J3e z&R@}cyLLuM?_JzBkruvF5mNwFFbws$nV0DYqJ+PGBGnUFfI-@2sDrd zMv5#Six`VYZ0!Aomx}Mjl&j7-{bgdxZ?&j$P6K(6v@(l?fmj1}1^gfd!iPY=9j-Z z0$MxPdiIuytKTtxzItA`gu=Y1t4iwE384W9i#@4c}_@cNYjukG|P_ zVB#&MyWh;7U#`;B7rJnU$4LLiEY+7`Q{cj1ae53S7@AA%zF|BXD8gF@# z`0Y&Q+#+Z3pNp>iIk42LWxGrM%{#(LDZ7`q|DM0JFfeDD(jBwjJ-K&f`dT7(e$T67 z+c+aKZ*`j(SI+}M+dm9Ji=?mF)U5p>`~Hlzu zrLx}RA0juk&+V;zva2G&P2cD0ckMZUnsnEwEq}B%zT3ClkMn8Q&2=`ZMe3HK zQEz+1z4daw-Fd>=Vrn<1StEDnajWpneVbA{--QMQEU}c__UTTLBJ=kPeQ`7I%g;8^ z(*L8RQ(D-u>|EaQ*2dRfwT0{SymtHW33*OmY_{=<)1t@kKRk}Ixb*4k_OKtvUl>%Z z-RAP~JI9iTQ^S{R{5Q!%ej9hst$wchhY?*F^F62Ed&_9huWY(2%_c~T`Q{3Ht*7>% L|DO2R;oS!S0NDC! literal 0 HcmV?d00001 
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha256.der b/tests/data_files/pkcs7_data_cert_signed_sha256.der new file mode 100644 index 0000000000000000000000000000000000000000..3f2dfb5ace1ae4c6571da3551fac2c2c0d65d89a GIT binary patch literal 1284 zcmXqLVr5|C)N1o+`_9YA&a|M3<)c9p%UdQ!MnirBUN+8zHV?*BW)>z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;LDI@B5(Z)o*cI@D6bLgi z{%2t|U}Aa<^ph?n@m@|MUC*)0t4W_r;EsG@q;` z8JS=H>Ii7d5FhwS@TDn0D;cV1I3H@auv%OrcfX_oZi zrbLdbx0K3ykAH~V)IPVj^2x4>1UHRO6P_A2F_r_9UNJD|8TgQwqH$+Iq-tlYC+q%O!wYrPxVdu>-(HoOzhOW3N zcvL9)(8pUCp%=~p9Rf%C>!u+qah>X+UW9V>utIr$r+!sJ}sDj_3}Y^_v7|%p1~n& zbN}5tEO}|Us={*(&8CSV30aY|H`(72Sz>5%O_g)<)Y|Tomc_0&vU>#frue_@o4Lef R$+>OZT8Z9lsa$D}JOF;``!9Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?Ekt49rc8{0s(7j9g4jjEoG&U%4wycU%6X|3h$V_J@My z?^hjpl$PozyqaUz@f)94&8lwG|0vIpA;EC>nY72VwSQ|?-wjMi$;IWA8P_4cC)CGYd)Azph;6`0Z-9znRzXX*!(iUIe#)@;)`G<*#bk)gqzCn~wzX zmsMp88Z3XXQM~WH{E->*cb=ZSUeEcu_`#_~yz|)K%~SZ1b?eoZ=J&V5Pox|_-)uft zV0Ca$xvtJ%(R;ggMo8~n+&1Iy`{RA9`*!bj;yAAGqlsJb>))FO581>57kjCBbCx{F zY5NdYc{eNld)Lxw=F^gR>Uu-|hWLJ1f9&fI*$*z?^NlY&efP-k!jWsU7dSF8GcqtP z4mJohkOfAHEFX&)i%4wj{e_o`@5Pj>&N%&LV#;r|sB%sNd62X+i-dt#19k=cAO*sV zjQ?3!4VZxxaZOE0hC(UED{5H7U&m}g_@+j$M&YV~&) z2uzQ@*?eH)Ev38P%${Ga($p8aaE8Z7|HdrUmtj+sZ258>!lV6f39Wpi^hfXV&Wkav zZ@wCDd6D?-Oy=AoXYrqluKYQ$)T?E?Oa9F}!bvH+m$(0(zqBwgXPVL-v)(Mfz#g?`|8q4wyftJ4FTTwKQu-@c$?3= zUBS37#MNOAqq(G;lEbApee2(}m9TzDR)|Q~ysxy$Y1LGLut3d&OCO&&`1|S4mN(Z7 
zZ}Ta<cO7|dsT+6rJ0vmMGM>?9W$@lvD%|nT+w%-Zjg(i{KvMvewvG? SEh}C;BYi=!>z)7p;->(;m;KTJ literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der new file mode 100644 index 0000000000000000000000000000000000000000..1a24a8a2e3b72232f8ec4c2a1b2a45df051a2444 GIT binary patch literal 1284 zcmXqLVr5|C)N1o+`_9YA&a|M3<)c9p%UdQ!-PAmVmz!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-cnUbr4cZlDn+hTI06 zY|No7Y{E=_K8Ab-JRlAi4{Lz8bFjIgsDUtu&&njmg*krEPt?3yzjmIks0!Lo}Rp3&-uFe!Kp>O^Vr|bQ}~f}>(!R#_qW4Oq#QrrY(7_D zb#PC)uFhZ4d%Jcume*CFxVLxx*AfZ1c-e4BN0`&+$~wW`%=f!|NQ>{bSBj8eX%1Y%_nO~ zM&_5lIs#fd)_V4qiL2i+e!hBMxP-!@r{4KXFR$Uzk!jfwF0}cWXJhHxc@5uc^>-Ht zOpm_Vd|=`&rMutEo?oug)EByNhQ~<%#w^vBVN;ZB`Enh?qy29Qt$d^ONAL2^i!rTl zz8Y_Nk@)RQ=G-D@@t=#X{5i1Ht7W@O{>?kWNh!ORxBs5Mv@kGdn$jJ!-aWZ@W%^no zc7D&RV%s<)GH-R87+22&LEAqJL5rlX+0?B4A^ZN7N)P+|o!8XMjqcg^GRa zDUsvqEv2&F;~ye7wa@LXe6p(|!A;}Sgr|m0jOD;Hp{DZHT^0tnc4JO;QI<9OiZdKtlE77z|y}o@}@Ku8@y_t;j=B>MM zyT++^rFYh!Rc}vr$izPjn)6UL;Lk=wM#i<#<^6 TiOG_4+qkt7z1dQ^(j0jJ48;70 literal 0 HcmV?d00001 
diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der new file mode 100644 index 0000000000000000000000000000000000000000..7c631f9d7495886951dc80a63dc299421620b8de GIT binary patch literal 1265 zcmXqLVtLEN$Y{uKz{|#&(B{FI%FM#V$jV^A&Bm$K=F#?@myw-uK@+pDK@+p5K@*eV z0%j&gCMFRBLBX1*Yoo(#lGklbm|dIr2W>vT8f0Sp)kYKp`Oxokw+P^ic?*=BMWaob=x9Kpp){dwRzS^kqvG*F|hU-b6 znT4e5UstYj{C2h5-^}axG#$=$FM``Yd7qlp@>ezNYLU?6%}0Xx%c`;k4VFLHDBky8 z{>TjZJ5NtuujhPS{NU6g-g)fr<|+Khy7g*H^ZVQ3CsK}|Z#JJRusXP>Tvz9>=)GM# zBc%5(ZkzG<{qerleY^KMaU56p(ZsFz_3urChiqbji@nsmIZGbow0(%HyqlH&y=&<- z^Jz&ub-f{fLwrB1Klb&9><5?c`NkKXzI)_%;mEbw3mlo485tNC2O9($$O0opmXAe@ zMI<)%{=!Se_hQObXPo{rG3B>fR5_=CJV;uZMZ!R=0lNZzkOE;w#{Vp=2FySTIoN@z z0vPO!3|$Q=QvyUj{gH?&T<(@E-hHWK>3@Fze>xND_P*GWlID}OBqQ_7UmXFh9cw*% z%f!|17(ZVwfegY1g1ydY(6mYmeSpC zX3sBIY3d7IIKyM4e`A*F%dja*wtTq`;nDuLgjT*$`lEMw=f#-TH(!mnyh!|ZCUb6) zv-reaH{CI99f;iQz^%iDj?Us@QLGfnA^S?`|QyE1((5j(%IBBX~I*(CdP7L(klk$JOdx{QZ()?h@6X&awIUxvotX>xa~gF`t|VJ z@XoX^%fugwJQ1k5^?Wst&pUqYd0Tflr&f0{J?y+0CVFG?%+M7#1&<0PpWI&)z_a{-q6cQ3zJ&}Iuh?)yY-A$VR`Q{W2K*)cu#Dw-_+@}H&uP=+C$Gj z_xkK4vR$j=%EsbW6;87fO}o_V+m{7jHR#ft$vAJ`x(l~!oO)M!XZ>0A_GE`l z{Ij4r4`l=XY&2wKTpL{;ZM{u5Bst@A)~5y2uU|(z4j~Ms|jdG;{? literal 0 HcmV?d00001 
diff --git a/tests/data_files/pkcs7_data_multiple_certs_signed.der b/tests/data_files/pkcs7_data_multiple_certs_signed.der new file mode 100644 index 0000000000000000000000000000000000000000..73755dbbdf77afe9bedabad2214bfd1755b4e8d9 GIT binary patch literal 2504 zcmcIldooQtYM#(j#aT_v9E+rWv zESef5mu6C%nyj{La&5+yQkgrp7!it&-t9^b3W&JKF{~_d_V@G z4URBOwM$(=0dmk12BHCEAZnoiKvV`%aD;EF9S{hUfdaA+Q1QP+po9Ux3^HK$AOlJ) zfk6Q%6a%WL#Eo*i+${rcH24-q8M=7-6@8TWk2s(xl`tbJf(ST_Dg#%8Iyn-RK;%cD zfRuG{*iYU`R0q{QVi*$nZ>+mN@We@7BKQ>+Wdah3CT2u4B1p72B!$FJ;1{Yg0Q{%N zlim=<0F)sh15ki6001JG{04u~w(|8kF*)UkIIMEEx^3iepp#mSe2buOq5ATvRKlDN zBnSr)jcMAAaU^jyB3ED95&B}3CDU}*HqUr+_ZfpZRu91K^bI9OOMAi!Ly{DMd%uGX4G~giTYqmv!^D%EcKFPR*+Sbb%$>)FVJ0O zDC#Xq`oUqihHDvVvjgJf(9u-!w=trS?^iO)^LOU^BNJE@3FUzJ=A)%mZL!S?-L!Lb zX2hwpt*5YL9~1^afHE@Z3TjIqMO#TmLk8pH^Xt{;;e*~$`jvz@Igivgh`iAZI@1k)OG-pkx0vR!OXAY4jr$w4Zxm#&Mg0+?EK#7 zd;))>iFVjAR)nTTn2 z;&MFUP8j;4SAWvI>;b%JdB=EH>{fzm=M$s}q3^Q(8~0rNZlz;;J-nO;RIA?N*NwZH zfALOvyJUK6!f*LWaM6kV*mtEb*6)>*k{fO4{X#W=+MUX@wc_&Qu1E9n!W}H$F_BhQ zvS;&3Xe_+;(!tQ0R1Jm9A(h?h5Vumz9?Lk+s`l*UrcAlw=AJE4CWBTisCF;ovgQMZ zpM3WKK9VI6AFN9&V#T~}iT1TMm_I-IyD-`F-szMJ4fvtggX^%*ceiq$-531Mwl5lc zlfNZQCeqOSd6)*bL+p6;F&p8CajVEZaw4}%2D_&WRrKPO2sQk0(3+oEAnG*mgB4j$ z*?OrCE(qULSzD2c^+@Nl9ynY{LbF#Yu2$;YcVB={XcRVLE*?xzZ6&o|a@|QlzP&Kd zw-ST}`S<5dzF#!hXxOWpfD!)8)3e)|CLgxpP$}hB%U*~DnEnfyV*ys!I?z(T9aXHt_!#RhLToFlT zC--KML%DOy>h$c%GUB(~(V-{X?b8L_TAMPzt7BzeudMcYL@&8nwJXn9lNsAWUBZzT z0sc0oZ~J?n{MN%VMxEX4wBsd|gIoWxueC${Newl7gWf6GgbTB8Fn52Yl8p2E^pyi7#Y|6?fCC?9 zZV!?vs4Hlf0{nhYx0Lm-y>^J&wn=jK32;gu>O9T$hz#hAbR@&2H3m9m%xiSqz<3SPaYlI?yP;`+;HeDgaC*PHdS6Zf z^@o0yhpGYXt#K}h2j|Ke7VAU`$%z>g;Dw@g`Cko4Ml<~edj`f(x|OU)rucVtsK;EZ zx^!!P;FdhjkK^J4q>Z3v1Yfo=08u~fF z0~HSML;f|}O`w=R`uYCc_V|qo+e0&$9n=U)Z&B9XbI+Spho-OfI(6_fY+k8jPKoFX z7*ay+GH!29>0%uZk>WjPPcu?fJ(Gl7{a1 zt64T;oP9RU#k;U$>s{-Xvd3MMYCes()tuCx%L0=V0XG8jt=qDOXIzeZL`6+qGmHyG+)IkT;^h9(O2CbSlv+^0S9~ P!j2Xp&PSN9x(@vdYO3T( literal 0 HcmV?d00001 
diff --git a/tests/data_files/pkcs7_data_multiple_signed.der b/tests/data_files/pkcs7_data_multiple_signed.der new file mode 100644 index 0000000000000000000000000000000000000000..a38c3ef63fd7d725c4aa7620eaddb76e1f3a0289 GIT binary patch literal 810 zcmXqLVpe10)N1o+`_9YA&a|M3S=^wBS(u5D(U9MOmyI)_&4V$OnT3gwmBD};p^(wA ziRqm|6Js$@p@ENqi6OTECmVAp3!5;LpN}D*0S}17#lsrl?Hp`wC~6=K;xqH`fcXl} zsYN9UhD;&`f`T;Hp{DZHT z^0tnc4JO;QI<9OiZdKtlE77z|y}o@}@Ku8@y_t;j=B>MMyT++^rFYh!Rc}vr$izPj zn)6UL;Lk=wM#i<#<^6iOG_4+qkt7z1dQ^(j0jx z3w9$W5zjq8<(J;k*qgT|bCdWb+x=_LA3RPt*lU%!bo078PKTC;T%X(L(0^%%(1W*2 zuKS(d+vW0DRHXWD{$~-dx+&iz940UNvS|-zYs^Q_6di7%#%7)$dzdzaG%=R4sS7SI zzk70rTEWUWf4-Y?XxS?WEt1*ETKarmcY8q0?9-b2oOUffaru>S?DlQKe!^#_eu#Ky zvdpET_Iko*)BHk-(-V1rPg{^w_56Epc$M+&lq&s_kh>rDoXdE`$xx6Ye%rE9?-SS8 zushF6PU|t&zm64W>P^Zzo8Pu$uY<_@e2$j$(~C@#m6-Ree7;tMy=HsPuUG8zLnYEB q%VYx=XwO^Bs-r*k5!bxu-t!y$7AVe5^kj=*&Y8z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;fR5_=CJTT5=m02VV#2TzIhm@0t5&dAW!kTNAeQCYI+p(D_y4Cep>FSs9Vux( zSxYi9zx>q^(Au%qv$srK{f_bT)$_t76c#=8&R=?Y4UdjY%Z6~F&Br_&OW)3G_*SdG zyFg%i^v&i26K^Tq{bu(3a+RjO(1kNRM*25qslE)GqGZdL>kuC8e@kfP8>K&bmv>%_ zX?^q6c*~2#Z)Y;+7CDRmTy*8nfu&w8+gBCKl99M5CmGvI~5V@&+Zg1t2T@?v#8lNUSHEd!m2PVB@V9qn}AumPa&VtCf7%4{r zlRQfkBZJ%SL#;Hp{DZHT^0tnc4JO;QI<9OiZdKtlE77z|y}o@}@Ku8@y_t;j=B>MM zyT++^rFYh!Rc}vr$izPjn)6UL;Lk=wM#i<#<^6 TiOG_4+qkt7z1dQ^(j0jJeD?hR literal 0 HcmV?d00001 
diff --git a/tests/data_files/pkcs7_data_signed_badsigner.der b/tests/data_files/pkcs7_data_signed_badsigner.der new file mode 100644 index 0000000000000000000000000000000000000000..9ea4231a6eb9e0c4645d1007ca30cb3170e580f3 GIT binary patch literal 1284 zcmXqLVr5|C)N1o+`_9YA&a|M3<)c9p%UdQ!MnirBUN+8zHV?*BW)>z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;LDI@B5(Z)o*cI@D6bLgi z{%2t|U}Aa<^ph?n@m@|MUC*)0t4W_r;EsG@q;` z8JS=H>Ii7d5FhwS@TDn0D;cV1I3H@auv%OrcfX_oZi zrbLdbx0K3ykAH~V)IPVj^2x4>1UHRO6P_A2F_r_9UNJD|8Tja?<|)KfBpPy&luvMH zLF8PFlp}#jo~4PA!EN`U)~|=(hIgiYStkBa>$GeBSYE&)d4gIkmcr>0#&1 zFwq;6XNIo0DR@*U`Q-kZ0M5hxOPehJ7>0QHbyOxt^M+ndTA17-(2;oW+O2223d?(s z87uwV#Cu|c{iaT*y{YO`*B*NQ!PiT9TSv?WlkHj^S2h;6s&JZ>XxgP--@YvPszI0D zOvZWh)?K(=Yyla|G zO^oG0g~dRH20jKRhTI06Y|No7Y{E=_K8Ab-JRlAi4{Lz8bFjIgsDUtu&&~gJuh{U<*mIB=XbsZzn4J=KJ3~sv*wSGPPHoP^F5f?M+pmy7tiX558W? 
z+d5)4m~7YTxU#XhRfW^6MAI(y`u1hPR}H%KW-`v3x9-C28mHcs-dTTEy*=3>6aOq| z&O_ONKN}4h8P`UaM_X^x4N1=Uob_qJ^sAQ-%DW%8ck>JmS)2Rs-eJj0%T*PgYiKr2 z3`xj}oW05Zj>r;2lWVG+lc&~ppR_D?y^-A`us6m3ZQsl#CQHt3z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;LDI@B5(Z)o*cI@D6bLgi z{%2t|U}Aa<^ph?n@m@|MUC*)0t4W_r;EsG@q;` z8JS=H>Ii7d5FhwS@TDn0D;cV1I3H@auv%OrcfX_oZi zrbLdbx0K3ykAH~V)IPVj^2x4>1UHRO6P_A2F_r_9UNJD|8Tc6JrsgTcR2Z9bk&;hv zXF=p#jFcmRNuH&Nk-=^Eq1La5--dUleOV^{P~?d~&8_FFd3@gSYtP%d!#TCOi|JwK z%`nj$lV^smxG8v4DEZ|6ngGtj{Y#rH{}_gN`E^t#NAreWPFk4UBG8d|@7k?ryb8;E zj~Ofd+{AlggZ-vXr@g7_Q`a7P{=wHvd0R)!29xbt9alCMx2kZOm1x?fUf;ef_^Lsd z-b}`M^VVIsUE|cd(mU(Vs<$UQWa6I%&3Pyr@MohTBjeiW@@VUAx*^FKpR+zKn11#0 zL3#J%_HLfRA!~F0-8(FKX}PMxa}CX=i6IGDk+V11-w|12XmU-JbMn;M?vs|qt~auK b1oo!*zwMj3#AM02ZQNRk-fXE{X^uPqX$SoE literal 0 HcmV?d00001 
diff --git a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der new file mode 100644 index 0000000000000000000000000000000000000000..871e77db708b2ac4d3e045f61421e96c73d921eb GIT binary patch literal 1284 zcmXqLVr5|C)N1o+`_9YA&a|M3<)c9p%UdQ!MnirBUN+8zHV?*BW)>z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;LDI@B5(Z)o*cI@D6bLgi z{%2t|U}Aa<^ph?n@m@|MUC*)0t4W_r;EsG@q;` z8JS=H>Ii7d5FhwS@TDn0D;cV1I3H@auv%OrcfX_oZi zrbLdbx0K3ykAH~V)IPVj^2x4>1UHRO6P_A2F_r_9UNJD|8TgQwqM3A4^Aut#3{APv zvmkOVM#_=EB+t^s$l$j7Q0v#jZ^Jv&zAO`eDDp(0=GODoJU;LEwdZZ!;hb9C#q_ZA zW|-)W$umP&+!Q=2lzei3O#tWN{-sTpe+)ys{5mR=qj^IwCoN2F5$H&~ckR|QUWMho z$BdPJZsI+$!G2Sx)816|scR2C|KRJTysaZ6BTU9vCN;K_KuWw%#eAS>! zZzkisdFw9Ru5s#J>7Dgw)!UODGV#xX<~)=Q__NWFk#TKwd9?L5-H_yr&sm=qOuu^h zpuGEWdpFPEkhQu0?j4rAv|Lr;xrS!b#E^un$l06h?}#ihG`XhAIeBVr_eslQ*BjYA b0((>Z-}cR1VzT7iHg2s%Z?;sfG)Eo)oICp2 literal 0 HcmV?d00001 From c448c94fe3253ca8a2c2951b3ce1ecb03053c351 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Thu, 1 Jul 2021 15:29:50 -0400 Subject: [PATCH 007/413] pkcs7: pkcs7_get_content_info_type should reset *p on error The function `pkcs7_asn1_get_tag` should return an update pointer only on success. Currently, the pointer is being updated on a failure case. This commit resets *p to start if the first call to mbedtls_asn1_get_tag fails. Signed-off-by: Daniel Axtens Signed-off-by: Nick Child --- library/pkcs7.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 5563f330ee..8c2a3ecaf3 100644 --- a/library/pkcs7.c 
+++ b/library/pkcs7.c @@ -107,8 +107,10 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) + if( ret != 0 ) { + *p = start; return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + } ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); if( ret != 0 ) { From 390e61a47a0f9b369e80c413add2a1cde3230d8e Mon Sep 17 00:00:00 2001 From: Nick Child Date: Mon, 9 Aug 2021 13:33:14 -0400 Subject: [PATCH 008/413] pkcs7.h: Make pkcs7 fields private All fields in the mbedtls_pkcs7 struct have been made private with MBEDTLS_PRIVATE. Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 46 +++++++++++++++++++++-------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 59da147b9b..29bb503a74 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -46,6 +46,8 @@ #ifndef MBEDTLS_PKCS7_H #define MBEDTLS_PKCS7_H +#include "mbedtls/private_access.h" + #include "mbedtls/build_info.h" #include "asn1.h" @@ -115,14 +117,14 @@ mbedtls_pkcs7_type; */ typedef struct mbedtls_pkcs7_signer_info { - int version; - mbedtls_x509_buf serial; - mbedtls_x509_name issuer; - mbedtls_x509_buf issuer_raw; - mbedtls_x509_buf alg_identifier; - mbedtls_x509_buf sig_alg_identifier; - mbedtls_x509_buf sig; - struct mbedtls_pkcs7_signer_info *next; + int MBEDTLS_PRIVATE(version); + mbedtls_x509_buf MBEDTLS_PRIVATE(serial); + mbedtls_x509_name MBEDTLS_PRIVATE(issuer); + mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); + mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier); + mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier); + mbedtls_x509_buf MBEDTLS_PRIVATE(sig); + struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next); } mbedtls_pkcs7_signer_info; 
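Review bot: The new failure branch is written `if( ret != 0 ) {` with the brace on the same line, while the very next branch in the same hunk (`if( ret != 0 )` followed by `{` on its own line) uses the file's layout, so the two should match: `if( ret != 0 )` / `{` / `*p = start;`. The reset also relies on `start` holding the value of `*p` at entry; that assignment is outside the hunk, so this assumes it is taken before the first `mbedtls_asn1_get_tag` call rather than after. pkcs7_get_content_info_type begins before and ends after this hunk.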
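Review bot: Wrapping every field of mbedtls_pkcs7_signer_info in MBEDTLS_PRIVATE removes the only way an application could read the parsed signer (serial, issuer, the two algorithm identifiers and the signature), and the diffstat shows no accessor is added in the same change; the same applies to the mbedtls_pkcs7_data, mbedtls_pkcs7_signed_data and mbedtls_pkcs7 hunks that follow. Since the verification entry points (mbedtls_pkcs7_signed_data_verify, mbedtls_pkcs7_signed_hash_verify) are now the intended interface, the struct documentation should say so, e.g. `/* All members are private: use the mbedtls_pkcs7_* functions rather than reading them directly. */` above each typedef. If the test suite reads these fields it will presumably need MBEDTLS_ALLOW_PRIVATE_ACCESS; that cannot be confirmed from this hunk.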
@@ -131,8 +133,8 @@ mbedtls_pkcs7_signer_info; */ typedef struct mbedtls_pkcs7_data { - mbedtls_pkcs7_buf oid; - mbedtls_pkcs7_buf data; + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(oid); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(data); } mbedtls_pkcs7_data; @@ -141,15 +143,15 @@ mbedtls_pkcs7_data; */ typedef struct mbedtls_pkcs7_signed_data { - int version; - mbedtls_pkcs7_buf digest_alg_identifiers; - struct mbedtls_pkcs7_data content; - int no_of_certs; - mbedtls_x509_crt certs; - int no_of_crls; - mbedtls_x509_crl crl; - int no_of_signers; - mbedtls_pkcs7_signer_info signers; + int MBEDTLS_PRIVATE(version); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(digest_alg_identifiers); + struct mbedtls_pkcs7_data MBEDTLS_PRIVATE(content); + int MBEDTLS_PRIVATE(no_of_certs); + mbedtls_x509_crt MBEDTLS_PRIVATE(certs); + int MBEDTLS_PRIVATE(no_of_crls); + mbedtls_x509_crl MBEDTLS_PRIVATE(crl); + int MBEDTLS_PRIVATE(no_of_signers); + mbedtls_pkcs7_signer_info MBEDTLS_PRIVATE(signers); } mbedtls_pkcs7_signed_data; @@ -158,9 +160,9 @@ mbedtls_pkcs7_signed_data; */ typedef struct mbedtls_pkcs7 { - mbedtls_pkcs7_buf raw; - mbedtls_pkcs7_buf content_type_oid; - mbedtls_pkcs7_signed_data signed_data; + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(content_type_oid); + mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data); } mbedtls_pkcs7; From 600bd30427a9d53b41c03e65f0816aa931669753 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 21 Feb 2022 11:30:43 +0100 Subject: [PATCH 009/413] Avoid unwanted eol conversion of test data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also, text files don't need to be generated by the Makefile. 
Signed-off-by: Manuel Pégourié-Gonnard --- tests/data_files/Makefile | 28 ++++++------------- .../{pkcs7_data.txt => pkcs7_data.bin} | 0 .../{pkcs7_data_1.txt => pkcs7_data_1.bin} | 0 tests/suites/test_suite_pkcs7.data | 12 ++++---- 4 files changed, 14 insertions(+), 26 deletions(-) rename tests/data_files/{pkcs7_data.txt => pkcs7_data.bin} (100%) rename tests/data_files/{pkcs7_data_1.txt => pkcs7_data_1.bin} (100%) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index dbe32340f7..8c7520fe30 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1134,7 +1134,7 @@ tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key # PKCS7 test data pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt -pkcs7_test_file = pkcs7_data.txt +pkcs7_test_file = pkcs7_data.bin # Generate signing cert pkcs7-rsa-sha256-1.crt: 
@@ -1147,46 +1147,34 @@ pkcs7-rsa-sha256-2.crt: cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem all_final += pkcs7-rsa-sha256-2.crt -# Generate data file to be signed -pkcs7_data.txt: - echo "Hello" > $@ - echo 2 >> pkcs7_data_1.txt -all_final += pkcs7_data.txt - -# Generate another data file to check hash mismatch during certificate verification -pkcs7_data_1.txt: $(pkcs7_test_file) - cat $(pkcs7_test_file) > $@ - echo 2 >> $@ -all_final += pkcs7_data_1.txt - # pkcs7 signature file with CERT pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ all_final += pkcs7_data_cert_signed_sha256.der # pkcs7 signature file with CERT and sha1 pkcs7_data_cert_signed_sha1.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ all_final += pkcs7_data_cert_signed_sha1.der # pkcs7 signature file with CERT and sha512 pkcs7_data_cert_signed_sha512.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ all_final += pkcs7_data_cert_signed_sha512.der # pkcs7 signature file without CERT pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER 
-out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@ all_final += pkcs7_data_without_cert_signed.der # pkcs7 signature file with multiple signers pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@ all_final += pkcs7_data_multiple_signed.der # pkcs7 signature file with multiple certificates pkcs7_data_multiple_certs_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@ all_final += pkcs7_data_multiple_certs_signed.der # pkcs7 signature file with corrupted CERT @@ -1208,7 +1196,7 @@ pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der all_final += pkcs7_data_cert_signed_v2.der pkcs7_data_cert_encrypted.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.txt -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt + $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.bin -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt all_final += pkcs7_data_cert_encrypted.der ## Negative tests diff --git a/tests/data_files/pkcs7_data.txt b/tests/data_files/pkcs7_data.bin similarity index 100% rename from tests/data_files/pkcs7_data.txt rename to tests/data_files/pkcs7_data.bin 
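Review bot: Each rewritten `$(OPENSSL) smime -sign` recipe still passes `-out $@` twice (once before `-md`, once at the end); since these lines are being edited anyway, drop the first occurrence so the command reads `$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@`. With the `pkcs7_data.txt` and `pkcs7_data_1.txt` rules deleted, what the checked-in .bin inputs contain ("Hello", and the same plus a trailing "2" line to exercise the hash-mismatch case, per the removed rules) is no longer recorded anywhere in the Makefile; a comment beside `pkcs7_test_file = pkcs7_data.bin` such as `# pkcs7_data.bin and pkcs7_data_1.bin are committed as-is; the latter adds one line so the verify tests see a hash mismatch` would keep that knowledge with the build rules.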
diff --git a/tests/data_files/pkcs7_data_1.txt b/tests/data_files/pkcs7_data_1.bin similarity index 100% rename from tests/data_files/pkcs7_data_1.txt rename to tests/data_files/pkcs7_data_1.bin diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 75ee9f6b03..4af0edad37 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
@@ -27,24 +27,24 @@ PKCS7 Signed Data Parse Fail Encrypted Content #8 pkcs7_parse_content_oid:"data_files/pkcs7_data_cert_encrypted.der" PKCS7 Signed Data Verification Pass SHA256 #9 -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Pass SHA256 #9.1 -pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" +pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Pass SHA1 #10 depends_on:MBEDTLS_SHA1_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Pass SHA512 #11 depends_on:MBEDTLS_SHA512_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Fail because of different certificate #12 -pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.txt" +pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Fail because of different data hash #13 -pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data_1.txt" 
+pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data_1.bin"
 PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1
 pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der"
From 6671841d919beb38ba3d1abc08d93cce8af3314f Mon Sep 17 00:00:00 2001 From: Nick Child Date: Tue, 22 Feb 2022 17:19:59 -0600 Subject: [PATCH 010/413] pkcs7.c: Do not ignore return value of mbedlts_md CI was failing due to the return value of mbedtls_md being ignored. If this function does fail, return early and propogate the md error. Signed-off-by: Nick Child
--- library/pkcs7.c | 8 ++++++-- tests/suites/test_suite_pkcs7.function | 5 +++-- 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/library/pkcs7.c b/library/pkcs7.c
index 8c2a3ecaf3..1c73709de3 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -523,8 +523,12 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
 return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED );
 }
- mbedtls_md( md_info, data, datalen, hash );
-
+ ret = mbedtls_md( md_info, data, datalen, hash );
+ if( ret != 0 )
+ {
+ mbedtls_free( hash );
+ return( ret );
+ }
 ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0,
 pkcs7->signed_data.signers.sig.p,
 pkcs7->signed_data.signers.sig.len );
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index d85a455613..e2d76f36a9 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -285,9 +285,10 @@ void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned )
 md_info = mbedtls_md_info_from_type( md_alg );
- mbedtls_md( md_info, data, datalen, hash );
+ res = mbedtls_md( md_info, data, datalen, hash );
+ TEST_ASSERT( res == 0 );
- res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash));
+ res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) );
 TEST_ASSERT( res == 0 );
 exit:
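Review bot: The early return added after mbedtls_md() hands the raw MD error code to the caller, whereas the other failures in this function are reported in the PKCS7 range (the allocation failure just above returns MBEDTLS_ERR_PKCS7_ALLOC_FAILED), so a caller that matches on MBEDTLS_ERR_PKCS7_* will not recognise it. Either document on mbedtls_pkcs7_signed_data_verify() that MD errors pass through, or map it with `return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );`. Separately, the mbedtls_pk_verify() call that follows still passes 0 as hash_len and relies on the library deriving the length from md_alg; passing `mbedtls_md_get_size( md_info )` makes the expected digest length explicit. mbedtls_pkcs7_signed_data_verify() starts before the hunk and its final return is after it.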
From 6427b34dec143af38afbf302cf6c8307894d4ffe Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 25 Feb 2022 11:43:31 -0600 Subject: [PATCH 011/413] pkcs7.c: Use pkcs7_get_version for signerInfo The function pkcs7_get_version can be used again when parsing the version of the signerInfo. Both require that the version be equal to 1. The pkcs7_get_version function will return error if the found value is not the expected version as opposed to mbedtls_asn1_get_int which does not. Signed-off-by: Nick Child --- library/pkcs7.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 1c73709de3..5fa02e3114 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -289,7 +289,7 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, end_set = end_set_signer; - ret = mbedtls_asn1_get_int( p, end_set, &signers_set->version ); + ret = pkcs7_get_version( p, end_set, &signers_set->version ); if( ret != 0 ) return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); From 45525d37688e8b3d9918ca8b59591a3604a9c6db Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 25 Feb 2022 11:54:34 -0600 Subject: [PATCH 012/413] pkcs7: Fix dependencies for pkcs7 tests Fixes include removing PEM dependency for greater coverage when PEM config is not set and defining test dependencies at the appropriate level. Signed-off-by: Nick Child --- tests/data_files/Makefile | 9 +++++++ tests/data_files/pkcs7-rsa-sha256-1.der | Bin 0 -> 845 bytes tests/data_files/pkcs7-rsa-sha256-2.der | Bin 0 -> 845 bytes tests/suites/test_suite_pkcs7.data | 33 +++++++++++++++++------- tests/suites/test_suite_pkcs7.function | 26 +++++++++---------- 5 files changed, 46 insertions(+), 22 deletions(-) create mode 100644 tests/data_files/pkcs7-rsa-sha256-1.der create mode 100644 tests/data_files/pkcs7-rsa-sha256-2.der diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 8c7520fe30..b92944ac29 100644 --- a/tests/data_files/Makefile 
+++ b/tests/data_files/Makefile @@ -1147,6 +1147,15 @@ pkcs7-rsa-sha256-2.crt: cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem all_final += pkcs7-rsa-sha256-2.crt +# Convert signing certs to DER for testing PEM-free builds +pkcs7-rsa-sha256-1.der: $(pkcs7_test_cert_1) + $(OPENSSL) x509 -in pkcs7-rsa-sha256-1.crt -out $@ -outform DER +all_final += pkcs7-rsa-sha256-1.der + +pkcs7-rsa-sha256-2.der: $(pkcs7_test_cert_2) + $(OPENSSL) x509 -in pkcs7-rsa-sha256-2.crt -out $@ -outform DER +all_final += pkcs7-rsa-sha256-2.der + # pkcs7 signature file with CERT pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ 
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.der b/tests/data_files/pkcs7-rsa-sha256-1.der new file mode 100644 index 0000000000000000000000000000000000000000..622df1e7a38899b4da3a3601badd4fb36a333238 GIT binary patch literal 845 zcmXqLV)is>VlrI7%*4pVBw`>aSo3skbeK)@x~&Pb%e4X`66YH5vTwH$JbLRo$llQJx_~g5mBnX^&@X|JJO&8<>!io&TlW zro-4;JEAuDYNN)--fN5-t|xtF7Lu-iUAfBf+tqG=Gq2y%bU4?&2yXx6eQHw6U)8Xy zMM94^9|__wtI8HMSpHz6c;9>ZBQxahJUw~6p7V9_gHwxm=dr(=r|=`|)~hYe?{9~n zNI8DK*?g|R>foMoU7f$8_jc`!klwqvZN}gC$NN_I?cVFeaa`d?6Sv~mzc&pYvWW#Q z_EPiaEP0UA_93qFZdUsDuBFq=rzP>!^@jWn@%^y=*w-JjA6&lY8((<(?vdYxBiCjx zaAaa;WMEtzY!GN53yc(5J{B<+k=WS#3ojMliz!!~ar(=|l;3Jm<(vlcAZcY52?MbP z>hCTPm>zwz`M|_mN_W4RJ-=L~sV{Wl43ClijajNM!=@VlrI7%*4pVB;vW}r~J}88hi8BWNs3_WV?Uu`Gdy|c-c6$+C196^D;7W zvoaW%7;+nMvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7WFRNb zYh++(Xk=n&VrXD!83p7TB5}zywTV#)*?Ekt49rc8{0s(7j9g4jjEoHTbQwJM#213~Tme+zeW^Cn^8C z6LaszO_qWe4PI|NF7e`ke%*;W!>u8ypL1h3Obqg>Y!DE=wYef??!!=aiHYyN%D)a> z|9&kKGb01z;$VY716g3C$nvp>v4~tR+OThf|EhWoz7Kz&zhqYZ{U`LMfjmfBnMJ}t ztO2_MevkrTM#ldvtOm?L3OU$;sR9`6j0_7W9hH8e|1gug>20SSQ|G(#6Dx}qwf3bP zsi>&j$`Z1uOff%e=G$ZTDOV7Cf)zdRK7X zhL7Jw^C!MqY#6uU>4P)6o}I_9%Bb|jZ|dz?vwT(TvHS(=S6WZilkTY675Y`e>kH#v z?T&<#|6-@@Ph-)!aCKgL;ewDzO)1Cyr$x`K4xK2eb+j(4<;d1d!^h!1%>f(M`OAOu z$+EL3Zu$Ld*{iSOKZ4sgPc#*mJ0h@w_paFFNBWcAzZBVbKh#Ta>J3%? Date: Mon, 28 Feb 2022 10:09:16 -0600 Subject: [PATCH 013/413] pkcs7: Change copyright Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 4 +--- library/pkcs7.c | 23 ++++++++++++----------- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 29bb503a74..7699b60d53 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h 
@@ -5,7 +5,7 @@ * https://tools.ietf.org/html/rfc2315 */ /* - * Copyright (C) 2019, IBM Corp, All Rights Reserved + * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +19,6 @@ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - * - * This file is part of mbed TLS (https://tls.mbed.org) */ /** diff --git a/library/pkcs7.c b/library/pkcs7.c index 5fa02e3114..9b66bdb23f 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -1,17 +1,18 @@ -/* Copyright 2019 IBM Corp. +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. */ #include "common.h" From 8a10f666923ee7e43cbfbc11243088bd7bb97e61 Mon Sep 17 00:00:00 2001 
From: Nick Child Date: Mon, 6 Jun 2022 12:18:40 -0500 Subject: [PATCH 014/413] test/pkcs7: Add init for PSA tests Initialize the PSA subsystem in the test functions. Signed-off-by: Nick Child --- tests/suites/test_suite_pkcs7.function | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 8b35c57559..01edadb5ff 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -200,6 +200,8 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned ) mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; + USE_PSA_INIT(); + mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); @@ -233,6 +235,7 @@ exit: mbedtls_x509_crt_free( &x509 ); mbedtls_free( data ); mbedtls_pkcs7_free( &pkcs7 ); + USE_PSA_DONE(); } /* END_CASE */ @@ -253,6 +256,8 @@ void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; + USE_PSA_INIT(); + mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); @@ -296,6 +301,7 @@ exit: mbedtls_free( data ); mbedtls_pkcs7_free( &pkcs7 ); mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); } /* END_CASE */ @@ -313,6 +319,8 @@ void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; + USE_PSA_INIT(); + mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); @@ -346,6 +354,7 @@ exit: mbedtls_free( data ); mbedtls_pkcs7_free( &pkcs7 ); mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); } /* END_CASE */ @@ -363,6 +372,8 @@ void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesign mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; + USE_PSA_INIT(); + mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); @@ -396,6 +407,7 @@ exit: mbedtls_pkcs7_free( &pkcs7 ); mbedtls_free( data ); mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); } /* END_CASE */ 
From 3538479faa7a73239671239feadbfac1b68b2f0c Mon Sep 17 00:00:00 2001 From: Daniel Axtens Date: Wed, 2 Sep 2020 14:48:45 +1000 Subject: [PATCH 015/413] pkcs7: support multiple signers Rather than only parsing/verifying one SignerInfo in the SignerInfos field of the PKCS7 stucture, allow the ability to parse and verify more than one signature. Verification will return success if any of the signatures produce a match. Signed-off-by: Daniel Axtens Signed-off-by: Nick Child --- library/pkcs7.c | 260 +++++++++++++++++-------- tests/suites/test_suite_pkcs7.data | 10 +- tests/suites/test_suite_pkcs7.function | 80 ++++++-- 3 files changed, 249 insertions(+), 101 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 9b66bdb23f..0f4e1ec2b4 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -250,7 +250,6 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, } /** - * SignerInfos ::= SET of SignerInfo * SignerInfo ::= SEQUENCE { * version Version; * issuerAndSerialNumber IssuerAndSerialNumber, 
@@ -261,6 +260,88 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end,
 * encryptedDigest EncryptedDigest,
 * unauthenticatedAttributes
 * [1] IMPLICIT Attributes OPTIONAL,
+ * Returns 0 if the signerInfo is valid.
+ * Return negative error code for failure.
+ **/
+static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end,
+ mbedtls_pkcs7_signer_info *signer )
+{
+ unsigned char *end_signer;
+ int ret;
+ size_t len = 0;
+
+ ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret );
+
+ end_signer = *p + len;
+
+ ret = pkcs7_get_version( p, end_signer, &signer->version );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+
+ ret = mbedtls_asn1_get_tag( p, end_signer, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret );
+
+ /* Parsing IssuerAndSerialNumber */
+ signer->issuer_raw.p = *p;
+
+ ret = mbedtls_asn1_get_tag( p, end_signer, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret );
+
+ ret = mbedtls_x509_get_name( p, *p + len, &signer->issuer );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+
+ signer->issuer_raw.len = *p - signer->issuer_raw.p;
+
+ ret = mbedtls_x509_get_serial( p, end_signer, &signer->serial );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+
+ ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->alg_identifier );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+
+ ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+
+ ret = pkcs7_get_signature( p, end_signer, &signer->sig );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+
+ /* Do not permit
any unauthenticated attributes */
+ if( *p != end_signer )
+ return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+
+ return( 0 );
+}
+
+static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer )
+{
+ mbedtls_x509_name *name_cur;
+ mbedtls_x509_name *name_prv;
+
+ if( signer == NULL )
+ return;
+
+ name_cur = signer->issuer.next;
+ while( name_cur != NULL )
+ {
+ name_prv = name_cur;
+ name_cur = name_cur->next;
+ mbedtls_free( name_prv );
+ }
+}
+
+/**
+ * SignerInfos ::= SET of SignerInfo
 * Return number of signers added to the signed data,
 * 0 or higher is valid.
 * Return negative error code for failure.
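Review bot: pkcs7_get_signer_info() rejects a SignerInfo that carries authenticatedAttributes only as a side effect: right after the digest algorithm it calls pkcs7_get_digest_algorithm() again for digestEncryptionAlgorithm, so the [0] IMPLICIT Attributes element that RFC 2315 places between them produces a tag mismatch and MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO. That is the safe outcome, because when authenticated attributes are present the signature covers the DER of those attributes rather than the content digest that the verify functions compute, but the intent is invisible and a later refactor could "fix" the parser without fixing verification. It deserves a comment next to the explicit check at the end, e.g. `/* authenticatedAttributes [0] are rejected implicitly above: the signature would cover them, not the content, so verification could not use them */`. The `*p != end_signer` check only covers trailing data inside this SignerInfo; the SET boundary is the caller's responsibility.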
@@ -268,76 +349,61 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end,
 static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end,
 mbedtls_pkcs7_signer_info *signers_set )
 {
- unsigned char *end_set, *end_set_signer;
+ unsigned char *end_set;
 int ret;
+ int count = 0;
 size_t len = 0;
+ mbedtls_pkcs7_signer_info *signer, *prev;
 ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
 | MBEDTLS_ASN1_SET );
 if( ret != 0 )
 return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret );
+ /* Detect zero signers */
+ if( len == 0 )
+ return( 0 );
+
 end_set = *p + len;
- ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED
- | MBEDTLS_ASN1_SEQUENCE );
+ ret = pkcs7_get_signer_info( p, end_set, signers_set );
 if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret );
+ return( ret );
+ count++;
- end_set_signer = *p + len;
- if (end_set_signer != end_set)
- return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+ prev = signers_set;
+ while( *p != end_set )
+ {
+ signer = mbedtls_calloc( 1, sizeof( mbedtls_pkcs7_signer_info ) );
+ if( !signer )
+ {
+ ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
+ goto cleanup;
+ }
- end_set = end_set_signer;
+ ret = pkcs7_get_signer_info( p, end_set, signer );
+ if( ret != 0 ) {
+ mbedtls_free( signer );
+ goto cleanup;
+ }
+ prev->next = signer;
+ prev = signer;
+ count++;
+ }
- ret = pkcs7_get_version( p, end_set, &signers_set->version );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+ return( count );
- ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED
- | MBEDTLS_ASN1_SEQUENCE );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret );
-
- /* Parsing IssuerAndSerialNumber */
- signers_set->issuer_raw.p = *p;
-
- ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED
- | MBEDTLS_ASN1_SEQUENCE );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret );
-
- ret = mbedtls_x509_get_name( p,
*p + len, &signers_set->issuer );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
-
- signers_set->issuer_raw.len = *p - signers_set->issuer_raw.p;
-
- ret = mbedtls_x509_get_serial( p, end_set, &signers_set->serial );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
-
- ret = pkcs7_get_digest_algorithm( p, end_set, &signers_set->alg_identifier );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
-
- ret = pkcs7_get_digest_algorithm( p, end_set, &signers_set->sig_alg_identifier );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
-
- ret = pkcs7_get_signature( p, end_set, &signers_set->sig );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
-
- signers_set->next = NULL;
-
- if (*p != end_set)
- return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
-
- /* Since in this version we strictly support single signer, and reaching
- * here implies we have parsed successfully, we return 1. */
-
- return( 1 );
+cleanup:
+ signer = signers_set->next;
+ pkcs7_free_signer_info( signers_set );
+ while( signer )
+ {
+ prev = signer;
+ signer = signer->next;
+ pkcs7_free_signer_info( prev );
+ mbedtls_free( prev );
+ }
+ return( ret );
 }
 /**
@@ -419,7 +485,7 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen,
 signed_data->no_of_signers = ret;
- /* Support single signer */
+ /* Don't permit trailing data */
 if ( p != end )
 ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT;
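Review bot: On a parse failure the partially parsed signer is not released: the first call `if( ret != 0 ) return( ret );` returns without pkcs7_free_signer_info( signers_set ), and the loop's error path does `mbedtls_free( signer );` without first freeing the issuer name chain that mbedtls_x509_get_name() may already have allocated inside it (pkcs7_get_signer_info() fails after the name is parsed whenever the serial, either algorithm identifier or the signature is malformed). Because the failed signer is never linked into the list, the `cleanup:` walk cannot reach it either, so a crafted SignerInfo leaks memory per parse attempt. Calling `pkcs7_free_signer_info( signer );` before `mbedtls_free( signer );` in the loop, and `pkcs7_free_signer_info( signers_set );` before the first `return( ret );`, closes both paths. Whether mbedtls_pkcs7_free() would recover the first signer's chain depends on raw.p already being set when parsing fails, which this hunk does not show.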
@@ -507,34 +573,62 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
 size_t datalen )
 {
- int ret;
+ int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
 unsigned char *hash;
 mbedtls_pk_context pk_cxt = cert->pk;
 const mbedtls_md_info_t *md_info;
 mbedtls_md_type_t md_alg;
+ mbedtls_pkcs7_signer_info *signer;
- ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg );
- if( ret != 0 )
+ if( pkcs7->signed_data.no_of_signers == 0 )
 return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );
- md_info = mbedtls_md_info_from_type( md_alg );
- hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 );
- if( hash == NULL ) {
- return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED );
- }
-
- ret = mbedtls_md( md_info, data, datalen, hash );
- if( ret != 0 )
+ /*
+ * Potential TODOs
+ * Currently we iterate over all signers and return success if any of them
+ * verify.
+ *
+ * However, we could make this better by checking against the certificate's
+ * identification and SignerIdentifier fields first. That would also allow
+ * us to distinguish between 'no signature for key' and 'signature for key
+ * failed to validate'.
+ *
+ * We could also cache hashes by md, so if there are several sigs all using
+ * the same algo we don't recalculate the hash each time.
+ */
+ signer = &pkcs7->signed_data.signers;
+ while( signer )
 {
- mbedtls_free( hash );
- return( ret );
- }
- ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0,
- pkcs7->signed_data.signers.sig.p,
- pkcs7->signed_data.signers.sig.len );
+ ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );
- mbedtls_free( hash );
+ md_info = mbedtls_md_info_from_type( md_alg );
+
+ hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 );
+ if( hash == NULL ) {
+ return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED );
+ }
+
+ ret = mbedtls_md( md_info, data, datalen, hash );
+ if( ret != 0 )
+ {
+ mbedtls_free( hash );
+ return( ret );
+ }
+
+ ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash,
+ mbedtls_md_get_size( md_info ),
+ signer->sig.p, signer->sig.len );
+
+ mbedtls_free( hash );
+
+ if( ret == 0 )
+ break;
+
+ signer = signer->next;
+ }
 return( ret );
 }
@@ -564,8 +658,8 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7,
 */
 void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 )
 {
- mbedtls_x509_name *name_cur;
- mbedtls_x509_name *name_prv;
+ mbedtls_pkcs7_signer_info *signer_cur;
+ mbedtls_pkcs7_signer_info *signer_prev;
 if( pkcs7 == NULL || pkcs7->raw.p == NULL )
 return;
@@ -575,12 +669,14 @@ void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 )
 mbedtls_x509_crt_free( &pkcs7->signed_data.certs );
 mbedtls_x509_crl_free( &pkcs7->signed_data.crl );
- name_cur = pkcs7->signed_data.signers.issuer.next;
- while( name_cur != NULL )
+ signer_cur = pkcs7->signed_data.signers.next;
+ pkcs7_free_signer_info( &pkcs7->signed_data.signers );
+ while( signer_cur != NULL )
 {
- name_prv = name_cur;
- name_cur = name_cur->next;
- mbedtls_free( name_prv );
+ signer_prev = signer_cur;
+ signer_cur = signer_prev->next;
+ pkcs7_free_signer_info( signer_prev );
+ mbedtls_free( signer_prev );
 }
 pkcs7->raw.p = NULL;
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index d5ecd21ccb..daced32b55 100644
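Review bot: In the new verification loop of mbedtls_pkcs7_signed_data_verify(), `md_info = mbedtls_md_info_from_type( md_alg );` is used without a NULL check; when the digest named in a signer's alg_identifier is not compiled in, mbedtls_md_get_size( NULL ) is 0, the hash buffer is zero-sized and the failure surfaces, if at all, as an allocation or MD error rather than a verification result. A guard `if( md_info == NULL ) return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );` after the lookup keeps the error in the PKCS7 domain. Relatedly, a non-zero return from mbedtls_oid_get_md_alg() for one signer returns immediately, so a single unrecognised digest OID in the SET prevents the remaining signers from being tried, which is at odds with the "succeed if any signer verifies" contract stated in the block comment; `signer = signer->next; continue;` with ret left at MBEDTLS_ERR_PKCS7_VERIFY_FAIL would match that contract. Both points apply equally to the hash-verify loop added in the later commit on this page.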
--- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -10,13 +10,9 @@ PKCS7 Signed Data Parse Pass Without CERT #3 depends_on:MBEDTLS_SHA256_C pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der" -PKCS7 Signed Data Parse Fail with multiple signers #4 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_signed.der" - PKCS7 Signed Data Parse Fail with multiple certs #4 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_certs_signed.der" +pkcs7_parse_multiple_certs:"data_files/pkcs7_data_multiple_certs_signed.der" PKCS7 Signed Data Parse Fail with corrupted cert #5 depends_on:MBEDTLS_SHA256_C @@ -69,3 +65,7 @@ pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der" PKCS7 Only Signed Data Parse Pass #15 depends_on:MBEDTLS_SHA256_C pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" + +PKCS7 Signed Data Verify with multiple signers #16 +depends_on:MBEDTLS_SHA256_C +pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" \ No newline at end of file diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 01edadb5ff..261824d154 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -61,7 +61,7 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse_multiple_signers( char *pkcs7_file ) +void pkcs7_parse_multiple_certs( char *pkcs7_file ) { unsigned char *pkcs7_buf = NULL; size_t buflen; 
@@ -75,19 +75,7 @@ void pkcs7_parse_multiple_signers( char *pkcs7_file ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res < 0 ); - - switch ( res ){ - case MBEDTLS_ERR_PKCS7_INVALID_CERT: - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); - break; - - case MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO: - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); - break; - default: - TEST_ASSERT(0); - } + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); exit: mbedtls_free( pkcs7_buf ); 
@@ -411,6 +399,70 @@ exit:
 }
 /* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
+void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ unsigned char *data = NULL;
+ struct stat st;
+ size_t datalen;
+ int res;
+ FILE *file;
+
+ mbedtls_pkcs7 pkcs7;
+ mbedtls_x509_crt x509_1;
+ mbedtls_x509_crt x509_2;
+
+ USE_PSA_INIT();
+
+ mbedtls_pkcs7_init( &pkcs7 );
+ mbedtls_x509_crt_init( &x509_1 );
+ mbedtls_x509_crt_init( &x509_2 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA );
+
+ TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 );
+
+ res = mbedtls_x509_crt_parse_file( &x509_1, crt1 );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_x509_crt_parse_file( &x509_2, crt2 );
+ TEST_ASSERT( res == 0 );
+
+ res = stat( filetobesigned, &st );
+ TEST_ASSERT( res == 0 );
+
+ file = fopen( filetobesigned, "r" );
+ TEST_ASSERT( file != NULL );
+
+ datalen = st.st_size;
+ data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) );
+ buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file );
+ TEST_ASSERT( buflen == datalen );
+
+ fclose( file );
+
+ res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen );
+ TEST_ASSERT( res == 0 );
+
+exit:
+ mbedtls_x509_crt_free( &x509_1 );
+ mbedtls_x509_crt_free( &x509_2 );
+ mbedtls_pkcs7_free( &pkcs7 );
+ mbedtls_free( data );
+ mbedtls_free( pkcs7_buf );
+ USE_PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
 void pkcs7_parse_failure( char *pkcs7_file )
 {
From 62b2d7e7d4a21500e2a159cbae4541903707133d Mon Sep 17 00:00:00 2001
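Review bot: pkcs7_verify_multiple_signers() opens the signed payload in text mode, `file = fopen( filetobesigned, "r" );`, although the fixture was renamed to pkcs7_data.bin earlier on this page and the expected size comes from stat(); on a platform that translates line endings the fread() count would differ from st_size and the `TEST_ASSERT( buflen == datalen );` would fail for a reason unrelated to PKCS7. `"rb"` is the portable choice. The calloc() result is used unchecked, and an assertion failing between fopen() and fclose() jumps to exit without closing the handle, which is only test hygiene but easy to fix by moving `fclose( file );` before the assertions that depend on the read. The same pattern is repeated in pkcs7_verify_hash_multiple_signers in the next commit.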
From: Nick Child Date: Thu, 14 Jul 2022 16:24:59 -0500 Subject: [PATCH 016/413] pkcs7: Support verification of hash with multiple signers Make `mbedtls_pkcs7_signed_hash_verify` loop over all signatures in the PKCS7 structure and return success if any of them verify successfully. Signed-off-by: Nick Child
--- library/pkcs7.c | 39 ++++++++++--- tests/suites/test_suite_pkcs7.data | 6 +- tests/suites/test_suite_pkcs7.function | 76 ++++++++++++++++++++++++++ 3 files changed, 112 insertions(+), 9 deletions(-)
diff --git a/library/pkcs7.c b/library/pkcs7.c
index 0f4e1ec2b4..65dc83a4c3 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -637,18 +637,41 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7,
 const mbedtls_x509_crt *cert,
 const unsigned char *hash, size_t hashlen)
 {
- int ret;
+ int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ const mbedtls_md_info_t *md_info;
 mbedtls_md_type_t md_alg;
 mbedtls_pk_context pk_cxt;
-
- ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg );
- if( ret != 0 )
- return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );
+ mbedtls_pkcs7_signer_info *signer;
 pk_cxt = cert->pk;
- ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen,
- pkcs7->signed_data.signers.sig.p,
- pkcs7->signed_data.signers.sig.len );
+
+ if( pkcs7->signed_data.no_of_signers == 0 )
+ return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );
+
+ signer = &pkcs7->signed_data.signers;
+ while( signer )
+ {
+ ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg );
+ if( ret != 0 )
+ return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL );
+
+ md_info = mbedtls_md_info_from_type( md_alg );
+
+ if( hashlen != mbedtls_md_get_size( md_info ) )
+ {
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ signer = signer->next;
+ continue;
+ }
+
+ ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen,
+ pkcs7->signed_data.signers.sig.p,
+ pkcs7->signed_data.signers.sig.len );
+ if( ret == 0 )
+ break;
+
+ signer = signer->next;
+ }
 return ( ret );
 }
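Review bot: The loop walks `signer` but still verifies the first signer's signature: the mbedtls_pk_verify() call passes `pkcs7->signed_data.signers.sig.p` and `pkcs7->signed_data.signers.sig.len` instead of the current element, so mbedtls_pkcs7_signed_hash_verify() can only succeed for the certificate matching the first SignerInfo even though md_alg and the hash-length check are taken from each signer in turn. The new test pkcs7_verify_hash_multiple_signers only calls the hash path with the first certificate and checks the second through mbedtls_pkcs7_signed_data_verify(), which is why it does not catch this. Changing the two argument lines to `signer->sig.p,` and `signer->sig.len );` fixes it and matches what the data-verify loop in the previous commit already does; adding a hash-verify call against the second certificate to the test would pin the behaviour.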
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index daced32b55..b813c6d3eb 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -68,4 +68,8 @@ pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" PKCS7 Signed Data Verify with multiple signers #16 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" \ No newline at end of file +pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" + +PKCS7 Signed Data Hash Verify with multiple signers #17 +depends_on:MBEDTLS_SHA256_C +pkcs7_verify_hash_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 261824d154..9822fb826e 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function 
@@ -293,6 +293,82 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ +void pkcs7_verify_hash_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + unsigned char hash[32]; + struct stat st; + size_t datalen; + int res; + FILE *file; + const mbedtls_md_info_t *md_info; + mbedtls_md_type_t md_alg; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509_1; + mbedtls_x509_crt x509_2; + + USE_PSA_INIT(); + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509_1 ); + mbedtls_x509_crt_init( &x509_2 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); + + TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 ); + + res = mbedtls_x509_crt_parse_file( &x509_1, crt1 ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_x509_crt_parse_file( &x509_2, crt2 ); + TEST_ASSERT( res == 0 ); + + res = stat( filetobesigned, &st ); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "r" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen ); + + fclose( file ); + + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + res = mbedtls_md( md_info, data, datalen, hash ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); + TEST_ASSERT( res == 0 ); 
+ +exit: + mbedtls_x509_crt_free( &x509_1 ); + mbedtls_x509_crt_free( &x509_2 ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( data ); + mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) { From fd6cca44489255bcba6849663ede0dd212b6f8cb Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Tue, 12 Oct 2021 09:22:33 +0200 Subject: [PATCH 017/413] CID update to RFC 9146 The DTLS 1.2 CID specification has been published as RFC 9146. This PR updates the implementation to match the RFC content. Signed-off-by: Hannes Tschofenig --- include/mbedtls/check_config.h | 6 + include/mbedtls/mbedtls_config.h | 37 +++-- include/mbedtls/ssl.h | 24 ++-- library/ssl_msg.c | 232 +++++++++++++++++++++++++++---- library/ssl_tls12_client.c | 3 - library/ssl_tls12_server.c | 6 - tests/scripts/all.sh | 19 +++ tests/ssl-opt.sh | 50 +++++++ 8 files changed, 308 insertions(+), 69 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index e00ffb5a96..3f4647a093 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -839,6 +839,12 @@ #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)" #endif +#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) +#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequsites" +#endif + + #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequisites" diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 990dc58512..4b5a3131ec 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
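Review bot: The new test never drives `mbedtls_pkcs7_signed_hash_verify` past the first signer: the hash is checked only against `x509_1`, and it is `mbedtls_pkcs7_signed_data_verify` that gets `x509_2`, so an implementation that only ever used the first signer's signature would still pass. Adding `res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_2, hash, sizeof(hash) ); TEST_ASSERT( res == 0 );` after the `x509_1` check is what actually exercises the behaviour the commit message describes. Two smaller points: `fopen( filetobesigned, "r" )` opens the signed payload in text mode, which on platforms with newline translation changes the bytes being hashed, so `"rb"` is the safe mode; and `data` comes from `calloc` but is released with `mbedtls_free`, which pairs mismatched allocators when `MBEDTLS_PLATFORM_MEMORY` redirects the latter, so `mbedtls_calloc` (as the library's own pkcs7 code uses) keeps the pair consistent.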
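Review bot: The new `#error` message misspells "prerequisites" as `prerequsites`; the neighbouring `MBEDTLS_SSL_ENCRYPT_THEN_MAC` check in the same hunk spells it correctly, so the typo will stand out in build output. More substantively, this check fires whenever `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` is defined without `MBEDTLS_SSL_DTLS_CONNECTION_ID`, yet the `mbedtls_config.h` hunk of this same commit defines `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0` unconditionally, so simply unsetting `MBEDTLS_SSL_DTLS_CONNECTION_ID` (e.g. via `scripts/config.py unset`) trips the error. Either ship the compat option commented out (`//#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0`) and let the `ssl.h` default supply the 0, or relax the condition to `defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0` so a harmless default value is not treated as a configuration error.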
@@ -1320,9 +1320,7 @@ /** * \def MBEDTLS_SSL_DTLS_CONNECTION_ID * - * Enable support for the DTLS Connection ID extension - * (version draft-ietf-tls-dtls-connection-id-05, - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) + * Enable support for the DTLS Connection ID extension, * which allows to identify DTLS connections across changes * in the underlying transport. * @@ -1331,10 +1329,6 @@ * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for * more information. * - * \warning The Connection ID extension is still in draft state. - * We make no stability promises for the availability - * or the shape of the API controlled by this option. - * * The maximum lengths of outgoing and incoming CIDs can be configured * through the options * - MBEDTLS_SSL_CID_OUT_LEN_MAX @@ -1344,7 +1338,23 @@ * * Uncomment to enable the Connection ID extension. */ -//#define MBEDTLS_SSL_DTLS_CONNECTION_ID +#define MBEDTLS_SSL_DTLS_CONNECTION_ID + + +/** + * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT + * + * Defines whether RFC 9146 (default) or the legacy version + * (version draft-ietf-tls-dtls-connection-id-05, + * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) + * is used. + * + * Set the value to 0 for the standard version, and + * 1 for the legacy draft version. + * + * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID + */ +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 /** * \def MBEDTLS_SSL_ASYNC_PRIVATE 
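Review bot: The `-//#define MBEDTLS_SSL_DTLS_CONNECTION_ID` / `+#define MBEDTLS_SSL_DTLS_CONNECTION_ID` change turns the extension on in every default build, which is a behavioural and code-size change that the commit message, which only speaks of matching the RFC, does not mention; it deserves a sentence there and a ChangeLog entry if the project keeps one. The documentation for the new `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` option says "Set the value to 0 ... and 1 ...", but the `ssl.h` hunk only tests `== 0`, so any other value silently selects the legacy draft; stating that explicitly, e.g. `Any value other than 0 selects the legacy draft format.`, avoids surprises for readers who treat it as a boolean. The doc block would also benefit from naming what differs between the two modes from the application's point of view (extension code point and AAD layout), since that is what decides interoperability with a peer.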
@@ -3539,17 +3549,6 @@ //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ -/** \def MBEDTLS_TLS_EXT_CID - * - * At the time of writing, the CID extension has not been assigned its - * final value. Set this configuration option to make Mbed TLS use a - * different value. - * - * A future minor revision of Mbed TLS may change the default value of - * this option to match evolving standards and usage. - */ -//#define MBEDTLS_TLS_EXT_CID 254 - /** * Complete list of ciphersuites to use, in order of preference. * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3d820a5259..67d6118045 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -401,7 +401,13 @@ #define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 #endif -/** \} name SECTION: Module settings */ +/* + * Default to standard CID mode + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 +#endif /* * Length of the verify data for secure renegotiation 
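Review bot: In the `ssl.h` hunk the removed line `/** \} name SECTION: Module settings */` is the Doxygen closer for the "Module settings" group and nothing re-adds it, so the group now extends to the next `\}` (or the end of the header) and later definitions are filed under it; the new `#if` block should be inserted after that line rather than in place of it. The comment `Default to standard CID mode` could also say why the fallback exists, e.g. `/* Default to the RFC 9146 CID format when the application's config does not set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT. */`, so the relationship to the unconditional define in `mbedtls_config.h` is clear to the reader.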
@@ -571,15 +577,10 @@ #define MBEDTLS_TLS_EXT_SIG_ALG_CERT 50 /* RFC 8446 TLS 1.3 */ #define MBEDTLS_TLS_EXT_KEY_SHARE 51 /* RFC 8446 TLS 1.3 */ -/* The value of the CID extension is still TBD as of - * draft-ietf-tls-dtls-connection-id-05 - * (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05). - * - * A future minor revision of Mbed TLS may change the default value of - * this option to match evolving standards and usage. - */ -#if !defined(MBEDTLS_TLS_EXT_CID) -#define MBEDTLS_TLS_EXT_CID 254 /* TBD */ +#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 +#define MBEDTLS_TLS_EXT_CID 54 /* RFC 9146 DTLS 1.2 CID */ +#else +#define MBEDTLS_TLS_EXT_CID 254 /* Pre-RFC 9146 DTLS 1.2 CID */ #endif #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */ @@ -2003,8 +2004,9 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * \brief Configure the use of the Connection ID (CID) * extension in the next handshake. * - * Reference: draft-ietf-tls-dtls-connection-id-05 + * Reference: RFC 9146 (or draft-ietf-tls-dtls-connection-id-05 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 + * for legacy version) * * The DTLS CID extension allows the reliable association of * DTLS records to DTLS connections across changes in the diff --git a/library/ssl_msg.c b/library/ssl_msg.c index dbef29b3f9..ecf7a2b4aa 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
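Review bot: `#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0` is evaluated in every build, but the default added earlier in this header is only defined under `defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)`, so in a build without CID the test relies on the preprocessor treating an undefined macro as 0; that still yields 54, but it is fragile and warns under `-Wundef` if the project builds with it. Guarding the test as `#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0` (or defining the default unconditionally) makes the intent explicit. In the `mbedtls_ssl_conf_cid` documentation of the second hunk, the parenthetical now spans three lines and reads awkwardly; a form such as `Reference: RFC 9146; in legacy mode, draft-ietf-tls-dtls-connection-id-05` followed by the URL on its own line is easier to scan.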
@@ -388,30 +388,80 @@ static int ssl_parse_inner_plaintext( unsigned char const *content, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */ -/* `add_data` must have size 13 Bytes if the CID extension is disabled, - * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */ +/* The size of the `add_data` structure depends on various + * factors, namely + * + * 1) CID functionality disabled + * + * additional_data = + * 8: seq_num + + * 1: type + + * 2: version + + * 2: length of inner plaintext + + * + * size = 13 bytes + * + * 2) CID functionality based on RFC 9146 enabled + * + * size = 8 + 1 + 1 + 1 + 2 + 2 + 6 + 2 + CID-length + * = 23 + CID-length + * + * 3) CID functionality based on legacy CID version + according to draft-ietf-tls-dtls-connection-id-05 + * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 + * + * size = 13 + 1 + CID-length + * + * More information about the CID usage: + * + * Per Section 5.3 of draft-ietf-tls-dtls-connection-id-05 the + * size of the additional data structure is calculated as: + * + * additional_data = + * 8: seq_num + + * 1: tls12_cid + + * 2: DTLSCipherText.version + + * n: cid + + * 1: cid_length + + * 2: length_of_DTLSInnerPlaintext + * + * Per RFC 9146 the size of the add_data structure is calculated as: + * + * additional_data = + * 8: seq_num_placeholder + + * 1: tls12_cid + + * 1: cid_length + + * 1: tls12_cid + + * 2: DTLSCiphertext.version + + * 2: epoch + + * 6: sequence_number + + * n: cid + + * 2: length_of_DTLSInnerPlaintext + * + */ static void ssl_extract_add_data_from_record( unsigned char* add_data, size_t *add_data_len, mbedtls_record *rec, mbedtls_ssl_protocol_version - tls_version, + tls_version, size_t taglen ) { - /* Quoting RFC 5246 (TLS 1.2): + /* Several types of ciphers have been defined for use with TLS and DTLS, + * and the MAC calculations for those ciphers differ slightly. 
Further + * variants were added when the CID functionality was added with RFC 9146. + * This implementations also considers the use of a legacy version of the + * CID specification published in draft-ietf-tls-dtls-connection-id-05, + * which is used in deployments. + * + * We will distinguish between the non-CID and the CID cases below. + * + * --- Non-CID cases --- + * + * Quoting RFC 5246 (TLS 1.2): * * additional_data = seq_num + TLSCompressed.type + * TLSCompressed.version + TLSCompressed.length; * - * For the CID extension, this is extended as follows - * (quoting draft-ietf-tls-dtls-connection-id-05, - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05): - * - * additional_data = seq_num + DTLSPlaintext.type + - * DTLSPlaintext.version + - * cid + - * cid_length + - * length_of_DTLSInnerPlaintext; - * * For TLS 1.3, the record sequence number is dropped from the AAD * and encoded within the nonce of the AEAD operation instead. * Moreover, the additional data involves the length of the TLS 
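Review bot: In the new size breakdown, the line `according to draft-ietf-tls-dtls-connection-id-05` under case 3 lacks the leading ` * ` that every other line of the comment carries, so it renders inconsistently; it should read ` *    according to draft-ietf-tls-dtls-connection-id-05`. The three cases would also be easier to map onto the body if each named the configuration that selects it, e.g. `2) CID enabled, MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 (RFC 9146)` and `3) CID enabled, MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1 (legacy draft)`, since the `#if` branches that implement them lie past the end of this hunk and the function body continues there.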
@@ -427,11 +477,72 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, * * TLSCiphertext.length = TLSInnerPlaintext.length + taglen. * - */ + * --- CID cases --- + * + * RFC 9146 uses a common pattern when constructing the data + * passed into a MAC / AEAD cipher. + * + * Data concatenation for MACs used with block ciphers with + * Encrypt-then-MAC Processing (with CID): + * + * data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * DTLSCiphertext.length + + * IV + + * ENC(content + padding + padding_length) + * + * Data concatenation for MACs used with block ciphers (with CID): + * + * data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * length_of_DTLSInnerPlaintext + + * DTLSInnerPlaintext.content + + * DTLSInnerPlaintext.real_type + + * DTLSInnerPlaintext.zeros + * + * AEAD ciphers use the following additional data calculation (with CIDs): + * + * additional_data = seq_num_placeholder + + * tls12_cid + + * cid_length + + * tls12_cid + + * DTLSCiphertext.version + + * epoch + + * sequence_number + + * cid + + * length_of_DTLSInnerPlaintext + * + * Section 5.3 of draft-ietf-tls-dtls-connection-id-05 (for legacy CID use) + * defines the additional data calculation as follows: + * + * additional_data = seq_num + + * tls12_cid + + * DTLSCipherText.version + + * cid + + * cid_length + + * length_of_DTLSInnerPlaintext + */ unsigned char *cur = add_data; size_t ad_len_field = rec->data_len; +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + const unsigned char seq_num_placeholder[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; +#endif + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 ) { 
@@ -445,25 +556,78 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, { ((void) tls_version); ((void) taglen); - memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); - cur += sizeof( rec->ctr ); + +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + +#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + if( rec->cid_len != 0 ) + { + // seq_num_placeholder + memcpy( cur, seq_num_placeholder, sizeof(seq_num_placeholder) ); + cur += sizeof( seq_num_placeholder ); + + // tls12_cid type + *cur = rec->type; + cur++; + + // cid_length + *cur = rec->cid_len; + cur++; + } + else + { + // epoch + sequence number + memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); + cur += sizeof( rec->ctr ); + } +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 */ +#else + // epoch + sequence number + memcpy(cur, rec->ctr, sizeof(rec->ctr)); + cur += sizeof(rec->ctr); +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ } + // type *cur = rec->type; cur++; + // version memcpy( cur, rec->ver, sizeof( rec->ver ) ); cur += sizeof( rec->ver ); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - if( rec->cid_len != 0 ) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1 + + if (rec->cid_len != 0) { - memcpy( cur, rec->cid, rec->cid_len ); + // CID + memcpy(cur, rec->cid, rec->cid_len); cur += rec->cid_len; + // cid_length *cur = rec->cid_len; cur++; + // length of inner plaintext + MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0); + cur += 2; + } + else +#elif defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 + + if( rec->cid_len != 0 ) + { + // epoch + sequence number + memcpy(cur, rec->ctr, sizeof(rec->ctr)); + cur += sizeof(rec->ctr); + + // CID + memcpy( cur, rec->cid, rec->cid_len ); + cur += rec->cid_len; + + // length of inner plaintext MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 ); cur += 2; } 
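Review bot: In the `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1` configuration the record sequence number is never written into `add_data`: the `else { memcpy( cur, rec->ctr, ... ) }` sits inside the `#if ... COMPAT == 0` block, and the `#else` that copies `rec->ctr` belongs to the outer `#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)`, so with CID enabled in legacy mode neither copy is compiled and the AAD starts directly at `rec->type`. The legacy layout documented in the previous hunk (`seq_num + tls12_cid + version + cid + cid_length + length`) and the pre-patch code both include `rec->ctr`, so this breaks interoperability with legacy peers and drops the sequence number from the MAC/AEAD binding; the new all.sh legacy component would not catch it, because both ends of a self-test compute the same wrong value. Moving the `else` before the `#endif` so that the `rec->ctr` copy is shared by the COMPAT==0 no-CID path and the whole COMPAT==1 path fixes it, as sketched below. Separately, the `else` left dangling before `#elif` at the end of the hunk binds to code outside the hunk (the function continues past it and its signature is in an earlier hunk); a short comment naming the block it pairs with would help the next reader.

```c
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
        if( rec->cid_len != 0 )
        {
            /* … unchanged: seq_num_placeholder, tls12_cid type, cid_length … */
        }
        else
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 */
        {
            // epoch + sequence number (non-CID records, and every record in legacy CID mode)
            memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
            cur += sizeof( rec->ctr );
        }
#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
        // epoch + sequence number
        memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
        cur += sizeof( rec->ctr );
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
```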
@@ -538,7 +702,14 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, mbedtls_ssl_mode_t ssl_mode; int auth_done = 0; unsigned char * data; - unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; + /* For an explanation of the additional data length see + * the descrpition of ssl_extract_add_data_from_record(). + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + unsigned char add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX]; +#else + unsigned char add_data[13]; +#endif size_t add_data_len; size_t post_avail; @@ -1021,13 +1192,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, size_t sign_mac_length = 0; #endif /* MBEDTLS_USE_PSA_CRYPTO */ - /* - * MAC(MAC_write_key, seq_num + - * TLSCipherText.type + - * TLSCipherText.version + - * length_of( (IV +) ENC(...) ) + - * IV + - * ENC(content + padding + padding_length)); + /* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length)) */ if( post_avail < transform->maclen) @@ -1133,7 +1298,14 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, size_t padlen = 0, correct = 1; #endif unsigned char* data; - unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ]; + /* For an explanation of the additional data length see + * the descrpition of ssl_extract_add_data_from_record(). + */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + unsigned char add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX]; +#else + unsigned char add_data[13]; +#endif size_t add_data_len; #if !defined(MBEDTLS_DEBUG_C) @@ -3487,7 +3659,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, { /* Shift pointers to account for record header including CID * struct { - * ContentType special_type = tls12_cid; + * ContentType outer_type = tls12_cid; * ProtocolVersion version; * uint16 epoch; * uint48 sequence_number; diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index f8140945da..79f34d3457 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
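Review bot: `descrpition` in the new comment (`the descrpition of ssl_extract_add_data_from_record()`) is misspelled, here and again in the identical comment added to `mbedtls_ssl_decrypt_buf` in the -1133 hunk; it should be `description` in both. Since the array is sized for the largest of the three layouts that function describes, saying so saves the reader the cross-reference: `/* Sized for the largest layout, RFC 9146 CID: 23 bytes + CID (see ssl_extract_add_data_from_record()). */`. The `13`/`23` literals are now repeated in two functions and in the comment block of `ssl_extract_add_data_from_record`; a single named constant would keep them from drifting if the layout changes again.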
@@ -235,9 +235,6 @@ static int ssl_write_cid_ext( mbedtls_ssl_context *ssl, size_t ext_len; /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index eab27768bc..8d1923879f 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -358,9 +358,6 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, } /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; @@ -1748,9 +1745,6 @@ static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) ); /* - * Quoting draft-ietf-tls-dtls-connection-id-05 - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 - * * struct { * opaque cid<0..2^8-1>; * } ConnectionId; diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7f259f57dc..e89108eb9f 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2449,6 +2449,25 @@ component_test_variable_ssl_in_out_buffer_len_CID () { tests/compat.sh } +component_test_variable_ssl_in_out_buffer_len_CID_legacy () { + msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" + scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID + scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 + + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID" + make test + + msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + tests/ssl-opt.sh + + msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + tests/compat.sh +} + component_test_ssl_alloc_buffer_and_mfl () { msg "build: default config with memory buffer allocator and MFL extension" scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c4628b017e..36cb479d51 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -440,6 +440,14 @@ requires_max_content_len() { requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1 } +CID_MODE=$( get_config_value_or_default "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT" ) + +requires_cid_compat() { + if [ "$CID_MODE" = "0" ]; then + SKIP_NEXT="YES" + fi +} + # skip next test if GnuTLS isn't available requires_gnutls() { if [ -z "${GNUTLS_AVAILABLE:-}" ]; then 
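Review bot: The three `msg "test: ..."` lines in the new `component_test_variable_ssl_in_out_buffer_len_CID_legacy` are copied verbatim from the non-legacy component, so its test output is indistinguishable from that component's in the all.sh log; only the build message says "(legacy)". Appending "(legacy)" to each, e.g. `msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)"`, makes failures attributable. As the component only runs Mbed TLS against itself, it cannot detect a layout regression in legacy mode where both sides agree on a wrong AAD; a note saying that interop with an external legacy peer is out of scope would set expectations.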
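Review bot: `requires_cid_compat` skips only when `CID_MODE` is exactly `"0"`, so if `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` is absent from the build's config the outcome depends on whatever `get_config_value_or_default` yields for a missing macro, and the legacy-only tests may run against an RFC 9146 build. Skipping unless legacy mode is positively selected, `if [ "$CID_MODE" != "1" ]; then SKIP_NEXT="YES"; fi`, is the safer polarity. A one-line comment above the helper such as `# skip next test unless the build uses the legacy (draft-05) CID format` would also match the style of the neighbouring `requires_*` helpers.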
@@ -2386,6 +2394,17 @@ run_test "Context serialization, client serializes, with CID" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION +requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID +requires_cid_compat +run_test "Context serialization, client serializes, with CID (legacy)" \ + "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ + "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ + 0 \ + -c "Deserializing connection..." \ + -S "Deserializing connection..." + + requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, server serializes, CCM" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ @@ -2422,6 +2441,16 @@ run_test "Context serialization, server serializes, with CID" \ -C "Deserializing connection..." \ -s "Deserializing connection..." +requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION +requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID +requires_cid_compat +run_test "Context serialization, server serializes, with CID (legacy)" \ + "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ + "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \ + 0 \ + -C "Deserializing connection..." \ + -s "Deserializing connection..." + requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, both serialize, CCM" \ 
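Review bot: The new legacy test block is inserted between the context line `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2` and the `run_test` that line used to guard, and in this script a `requires_*` call only applies to the next `run_test`, so the TLS 1.2 requirement is now consumed by the "(legacy)" test and the following `Context serialization, server serializes, CCM` test loses it. The same displacement occurs in the -2460 hunk (before `re-init, client serializes, CCM`) and the -2497 hunk (before `re-init, server serializes, CCM`). Inserting the new block after the blank line that follows the original `run_test`, or repeating `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2` in front of the displaced test, restores the original gating.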
@@ -2460,6 +2489,17 @@ run_test "Context serialization, both serialize, with CID" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION +requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID +requires_cid_compat +run_test "Context serialization, both serialize, with CID (legacy)" \ + "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ + "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ + 0 \ + -c "Deserializing connection..." \ + -s "Deserializing connection..." + + requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, re-init, client serializes, CCM" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ @@ -2497,6 +2537,16 @@ run_test "Context serialization, re-init, client serializes, with CID" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION +requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID +requires_cid_compat +run_test "Context serialization, re-init, client serializes, with CID (legacy)" \ + "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ + "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \ + 0 \ + -c "Deserializing connection..." \ + -S "Deserializing connection..." + requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, re-init, server serializes, CCM" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ From 9f4fb3e63f90225661bf3268a6390aaeb3392423 Mon Sep 17 00:00:00 2001 
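Review bot: Each "(legacy)" test added here uses exactly the same server and client command lines and the same expected output as the existing "with CID" test it sits next to, and the existing test is not gated on the CID format, so in a `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT=1` build the same exchange simply runs twice. If the intent is to keep one copy per format, gating the original with a `requires_cid_standard` counterpart (skipping when `CID_MODE` is not `"0"`) makes the pair complementary; otherwise a comment saying the duplicate exists only to label legacy runs in the output would explain the repetition.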
From: Nick Child Date: Mon, 12 Sep 2022 16:21:02 -0500 Subject: [PATCH 018/413] pkcs7: Unite function return style In response to feedback[1], standardize return variable management across all pkcs7 functions. Additionally, when adding return codes from two error values, use `MBEDTLS_ERROR_ADD` as recommended [2]. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953634781 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953635128 Signed-off-by: Nick Child --- library/pkcs7.c | 233 +++++++++++++++++++++++++++++++----------------- 1 file changed, 152 insertions(+), 81 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 65dc83a4c3..2299cfdac6 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -24,6 +24,7 @@ #include "mbedtls/x509_crt.h" #include "mbedtls/x509_crl.h" #include "mbedtls/oid.h" +#include "mbedtls/error.h" #include #include @@ -64,15 +65,16 @@ void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, size_t *len ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ); + if( ret != 0 ) { - return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); } - return( 0 ); + return( ret ); } /** 
@@ -81,16 +83,17 @@ static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, **/ static int pkcs7_get_version( unsigned char **p, unsigned char *end, int *ver ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_VERSION + ret ); + ret = mbedtls_asn1_get_int( p, end, ver ); + if( ret != 0 ) + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_VERSION, ret ); /* If version != 1, return invalid version */ if( *ver != MBEDTLS_PKCS7_SUPPORTED_VERSION ) - return( MBEDTLS_ERR_PKCS7_INVALID_VERSION ); + ret = MBEDTLS_ERR_PKCS7_INVALID_VERSION; - return( 0 ); + return( ret ); } /** @@ -103,26 +106,29 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, mbedtls_pkcs7_buf *pkcs7 ) { size_t len = 0; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *start = *p; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) { *p = start; - return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ); + goto out; } ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); if( ret != 0 ) { *p = start; - return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ); + goto out; } pkcs7->tag = MBEDTLS_ASN1_OID; pkcs7->len = len; pkcs7->p = *p; +out: return( ret ); } 
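Review bot: In `pkcs7_get_version` a failed `mbedtls_asn1_get_int` no longer returns: `ret` is set to the `MBEDTLS_ERROR_ADD(...)` value but execution falls through to `if( *ver != MBEDTLS_PKCS7_SUPPORTED_VERSION )`, which reads a `*ver` the failed call may not have written and then overwrites `ret` with the bare `MBEDTLS_ERR_PKCS7_INVALID_VERSION`, discarding the ASN.1 low-level code the previous line just attached. Before this patch the function returned immediately on the parse failure. Keeping that with `if( ret != 0 ) { ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_VERSION, ret ); goto out; }` plus an `out:` label before the `return`, the shape already used in `pkcs7_get_content_info_type` in the next hunk, restores the old behaviour in the new style.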
@@ -134,12 +140,12 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, static int pkcs7_get_digest_algorithm( unsigned char **p, unsigned char *end, mbedtls_x509_buf *alg ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); - return( 0 ); + return( ret ); } /** @@ -150,24 +156,31 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, mbedtls_x509_buf *alg ) { size_t len = 0; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); + goto out; + } end = *p + len; /** For now, it assumes there is only one digest algorithm specified **/ ret = mbedtls_asn1_get_alg_null( p, end, alg ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); + goto out; + } if ( *p != end ) - return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT ); + ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; - return( 0 ); +out: + return( ret ); } /** @@ -182,7 +195,7 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, mbedtls_x509_crt *certs ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len1 = 0; size_t len2 = 0; unsigned char *end_set, *end_cert; 
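Review bot: `pkcs7_get_digest_algorithm` keeps the embedded-assignment form `if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 )` that the commit message says it is standardising away, and `pkcs7_get_certificates` in the next hunk still has two of them (`mbedtls_asn1_get_tag` and `mbedtls_x509_crt_parse`); splitting them into `ret = ...; if( ret != 0 )` like the sibling functions would make the series consistent. In `pkcs7_get_digest_algorithm_set` the `/** For now, it assumes there is only one digest algorithm specified **/` comment is now the only explanation of why `*p != end` is an error; a note that a second AlgorithmIdentifier is rejected as `MBEDTLS_ERR_PKCS7_INVALID_FORMAT` rather than skipped would make the limitation explicit for callers.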
@@ -192,9 +205,10 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) { if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) - return( 0 ); - - return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + ret = 0; + else + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); + goto out; } start = *p; end_set = *p + len1; @@ -202,7 +216,10 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_CERT + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CERT, ret ); + goto out; + } end_cert = *p + len2; @@ -213,18 +230,28 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, * The behaviour would be improved with addition of multiple signer support. */ if (end_cert != end_set) - return ( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + { + ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; + goto out; + } *p = start; if( ( ret = mbedtls_x509_crt_parse( certs, *p, len1 ) ) < 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + { + ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; + goto out; + } *p = *p + len1; - /* Since in this version we strictly support single certificate, and reaching - * here implies we have parsed successfully, we return 1. */ + /* + * Since in this version we strictly support single certificate, and reaching + * here implies we have parsed successfully, we return 1. + */ + ret = 1; - return( 1 ); +out: + return( ret ); } /** 
@@ -233,12 +260,12 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, static int pkcs7_get_signature( unsigned char **p, unsigned char *end, mbedtls_pkcs7_buf *signature ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OCTET_STRING ); if( ret != 0 ) - return( ret ); + goto out; signature->tag = MBEDTLS_ASN1_OCTET_STRING; signature->len = len; @@ -246,7 +273,8 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, *p = *p + len; - return( 0 ); +out: + return( ret ); } /** 
@@ -267,60 +295,67 @@ static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, mbedtls_pkcs7_signer_info *signer ) { unsigned char *end_signer; - int ret; + int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; - ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + asn1_ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + if( asn1_ret != 0 ) + goto out; end_signer = *p + len; ret = pkcs7_get_version( p, end_signer, &signer->version ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; - ret = mbedtls_asn1_get_tag( p, end_signer, &len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + asn1_ret = mbedtls_asn1_get_tag( p, end_signer, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); + if( asn1_ret != 0 ) + goto out; /* Parsing IssuerAndSerialNumber */ signer->issuer_raw.p = *p; - ret = mbedtls_asn1_get_tag( p, end_signer, &len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + asn1_ret = mbedtls_asn1_get_tag( p, end_signer, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); + if( asn1_ret != 0 ) + goto out; ret = mbedtls_x509_get_name( p, *p + len, &signer->issuer ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; signer->issuer_raw.len = *p - signer->issuer_raw.p; ret = mbedtls_x509_get_serial( p, end_signer, &signer->serial ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->alg_identifier ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier ); if( ret != 0 ) - return( 
MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; ret = pkcs7_get_signature( p, end_signer, &signer->sig ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; /* Do not permit any unauthenticated attributes */ if( *p != end_signer ) - return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO; - return( 0 ); +out: + if( asn1_ret != 0 ) + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, + asn1_ret ); + else if( ret != 0 ) + ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO; + + return( ret ); } static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer ) @@ -350,7 +385,7 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, mbedtls_pkcs7_signer_info *signers_set ) { unsigned char *end_set; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int count = 0; size_t len = 0; mbedtls_pkcs7_signer_info *signer, *prev; @@ -358,17 +393,23 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, ret ); + goto out; + } /* Detect zero signers */ if( len == 0 ) - return( 0 ); + { + ret = 0; + goto out; + } end_set = *p + len; ret = pkcs7_get_signer_info( p, end_set, signers_set ); if( ret != 0 ) - return( ret ); + goto out; count++; prev = signers_set; @@ -391,7 +432,8 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, count++; } - return( count ); + ret = count; + goto out; cleanup: signer = signers_set->next; @@ -403,6 +445,8 @@ cleanup: pkcs7_free_signer_info( prev ); mbedtls_free( prev ); } + +out: return( ret ); } 
@@ -425,39 +469,46 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, unsigned char *end = buf + buflen; unsigned char *end_set; size_t len = 0; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); + goto out; + } end_set = p + len; /* Get version of signed data */ ret = pkcs7_get_version( &p, end_set, &signed_data->version ); if( ret != 0 ) - return( ret ); + goto out; /* Get digest algorithm */ ret = pkcs7_get_digest_algorithm_set( &p, end_set, &signed_data->digest_alg_identifiers ); if( ret != 0 ) - return( ret ); + goto out; ret = mbedtls_oid_get_md_alg( &signed_data->digest_alg_identifiers, &md_alg ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + { + ret = MBEDTLS_ERR_PKCS7_INVALID_ALG; + goto out; + } /* Do not expect any content */ ret = pkcs7_get_content_info_type( &p, end_set, &signed_data->content.oid ); if( ret != 0 ) - return( ret ); + goto out; if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid ) ) { - return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO ) ; + ret = MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; + goto out; } p = p + signed_data->content.oid.len; @@ -466,7 +517,7 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, mbedtls_x509_crt_init( &signed_data->certs ); ret = pkcs7_get_certificates( &p, end_set, &signed_data->certs ); if( ret < 0 ) - return( ret ) ; + goto out; signed_data->no_of_certs = ret; 
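Review bot: `md_alg` recovered here from `signed_data->digest_alg_identifiers` appears to be used only to confirm the OID maps to a known digest, while the verification loops further down (`mbedtls_pkcs7_signed_data_verify`, `mbedtls_pkcs7_signed_hash_verify`) hash with each signer's own `alg_identifier`. Nothing in these hunks cross-checks the two, although RFC 2315 §9.1 expects every SignerInfo digestAlgorithm to appear in the SignedData digestAlgorithms set, so a blob whose two fields disagree still parses and is verified under the signer's algorithm. If that is deliberate, say so at this call, e.g. `/* Validates the OID only; verification uses each signer's digestAlgorithm and does not cross-check it against this set */`; otherwise a comparison in `pkcs7_get_signer_info` would close the gap. `pkcs7_get_signed_data` continues past this hunk.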
@@ -481,15 +532,17 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, /* Get signers info */ ret = pkcs7_get_signers_info_set( &p, end_set, &signed_data->signers ); if( ret < 0 ) - return( ret ); + goto out; signed_data->no_of_signers = ret; /* Don't permit trailing data */ if ( p != end ) ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; + else + ret = 0; - ret = 0; +out: return( ret ); } @@ -499,17 +552,21 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, unsigned char *start; unsigned char *end; size_t len = 0; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int isoidset = 0; if( !pkcs7 ) - return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); + { + ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + goto out; + } /* make an internal copy of the buffer for parsing */ pkcs7->raw.p = start = mbedtls_calloc( 1, buflen ); if( pkcs7->raw.p == NULL ) { - return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; + goto out; } memcpy( start, buf, buflen ); pkcs7->raw.len = buflen; @@ -573,7 +630,7 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, size_t datalen ) { - int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *hash; mbedtls_pk_context pk_cxt = cert->pk; const mbedtls_md_info_t *md_info; @@ -581,8 +638,10 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, mbedtls_pkcs7_signer_info *signer; if( pkcs7->signed_data.no_of_signers == 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); - + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } /* * Potential TODOs 
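Review bot: `mbedtls_calloc( 1, buflen )` with `buflen == 0` is ambiguous: an allocator may return NULL, which this hunk then reports as MBEDTLS_ERR_PKCS7_ALLOC_FAILED, or a non-NULL pointer, after which parsing proceeds on an empty copy and fails with an ASN.1-derived code instead. Rejecting degenerate input up front, alongside the new `!pkcs7` check, gives callers one stable answer: `if( !pkcs7 || !buf || buflen == 0 ) { ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; goto out; }` — the `buf` check also keeps the `memcpy( start, buf, buflen )` below from reading through a NULL pointer. `mbedtls_pkcs7_parse_der` continues beyond this hunk.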
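Review bot: Unlike `mbedtls_pkcs7_parse_der`, which now rejects a NULL `pkcs7` with MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA, this public entry point dereferences `cert->pk` in the `pk_cxt` initializer (`@@ -573` hunk) and `pkcs7->signed_data.no_of_signers` in its first check without validating either argument; `mbedtls_pkcs7_signed_hash_verify` (`@@ -646` hunk below) has the same shape. A guard ahead of the first dereference keeps the public API consistent: `if( pkcs7 == NULL || cert == NULL ) { ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; goto out; }` — since `pk_cxt = cert->pk` is an initializer, that declaration would need to move below the guard. The body of the function continues outside this hunk.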
@@ -602,20 +661,24 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, { ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } md_info = mbedtls_md_info_from_type( md_alg ); hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); if( hash == NULL ) { - return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; + goto out; } ret = mbedtls_md( md_info, data, datalen, hash ); if( ret != 0 ) { mbedtls_free( hash ); - return( ret ); + goto out; } ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, @@ -630,6 +693,7 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, signer = signer->next; } +out: return( ret ); } @@ -637,7 +701,7 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *hash, size_t hashlen) { - int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const mbedtls_md_info_t *md_info; mbedtls_md_type_t md_alg; mbedtls_pk_context pk_cxt; @@ -646,14 +710,20 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, pk_cxt = cert->pk; if( pkcs7->signed_data.no_of_signers == 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } signer = &pkcs7->signed_data.signers; while( signer ) { ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } md_info = mbedtls_md_info_from_type( md_alg ); @@ -673,6 +743,7 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, signer = signer->next; } +out: return ( ret ); } From 8a94de40c711612048aa4583b8dc617b206b7f37 Mon Sep 17 00:00:00 2001 
From: Nick Child Date: Wed, 14 Sep 2022 10:51:51 -0500 Subject: [PATCH 019/413] test/pkcs7: Reduce number of test functions In response to feedback [1], much of the test code can be reused across similar test cases by adding a few extra parameters. Specifically, test cases which probe the functionality of `mbedtls_pkcs7_parse_der` have all been merged into one test function. Additionally, all test cases which examine the `mbedtls_pkcs7_signed_data_verify` and `mbedtls_pkcs7_signed_hash_verify` functions have been merged into two test functions (one for single and one for multiple signers). [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953686780 Signed-off-by: Nick Child --- tests/suites/test_suite_pkcs7.data | 50 +-- tests/suites/test_suite_pkcs7.function | 439 ++----------------------- 2 files changed, 61 insertions(+), 428 deletions(-) diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index b813c6d3eb..b26a16fb94 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
@@ -1,75 +1,75 @@ PKCS7 Signed Data Parse Pass SHA256 #1 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Pass SHA1 #2 -depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C -pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der" +depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Pass Without CERT #3 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der" +pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Fail with multiple certs #4 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse_multiple_certs:"data_files/pkcs7_data_multiple_certs_signed.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_INVALID_CERT PKCS7 Signed Data Parse Fail with corrupted cert #5 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse_corrupted_cert:"data_files/pkcs7_data_signed_badcert.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_signed_badcert.der":MBEDTLS_ERR_PKCS7_INVALID_CERT PKCS7 Signed Data Parse Fail with corrupted signer info #6 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse_corrupted_signer_info:"data_files/pkcs7_data_signed_badsigner.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) PKCS7 Signed Data Parse Fail Version other than 1 #7 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_version:"data_files/pkcs7_data_cert_signed_v2.der" +pkcs7_parse:"data_files/pkcs7_data_cert_signed_v2.der":MBEDTLS_ERR_PKCS7_INVALID_VERSION PKCS7 Signed Data Parse Fail Encrypted 
Content #8 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_content_oid:"data_files/pkcs7_data_cert_encrypted.der" +pkcs7_parse:"data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE PKCS7 Signed Data Verification Pass SHA256 #9 depends_on:MBEDTLS_SHA256_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Pass SHA256 #9.1 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 PKCS7 Signed Data Verification Pass SHA1 #10 depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Pass SHA512 #11 depends_on:MBEDTLS_SHA512_C:MBEDTLS_SHA256_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Fail because of different certificate #12 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Signed Data Verification Fail because 
of different data hash #13 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data_1.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der" +pkcs7_parse:"data_files/pkcs7_signerInfo_issuer_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der" +pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Only Signed Data Parse Pass #15 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Verify with multiple signers #16 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" +pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Hash Verify with multiple signers #17 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_hash_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" 
+pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 9822fb826e..8db3f3f53d 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -14,31 +14,8 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ -void pkcs7_parse_without_cert( char *pkcs7_file ) +void pkcs7_parse( char *pkcs7_file, int res_expect ) { unsigned char *pkcs7_buf = NULL; size_t buflen; @@ -52,7 +29,7 @@ void pkcs7_parse_without_cert( char *pkcs7_file ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); + TEST_ASSERT( res == res_expect ); exit: mbedtls_free( pkcs7_buf ); 
@@ -60,175 +37,8 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse_multiple_certs( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse_corrupted_cert( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse_corrupted_signer_info( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res < 0 ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ -void pkcs7_parse_version( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, 
pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_VERSION ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ -void pkcs7_parse_content_oid( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res != 0 ); - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE ); -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - struct stat st; - size_t datalen; - int res; - FILE *file; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509; - - USE_PSA_INIT(); - - mbedtls_pkcs7_init( &pkcs7 ); - mbedtls_x509_crt_init( &x509 ); - - res = mbedtls_x509_crt_parse_file( &x509, crt ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - mbedtls_free( pkcs7_buf ); - - res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); - - file = fopen( filetobesigned, "rb" ); - TEST_ASSERT( file != NULL ); - - datalen = st.st_size; - data = mbedtls_calloc( datalen, 1 ); - buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen); - - fclose(file); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); - TEST_ASSERT( res == 0 ); - -exit: - mbedtls_x509_crt_free( &x509 ); - mbedtls_free( data ); 
- mbedtls_pkcs7_free( &pkcs7 ); - USE_PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ -void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) +void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_hash_alg, int res_expect ) { unsigned char *pkcs7_buf = NULL; size_t buflen; @@ -272,17 +82,23 @@ void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) TEST_ASSERT( buflen == datalen); fclose( file ); - res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); - TEST_ASSERT( res == 0 ); - TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + if( do_hash_alg ) + { + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == (mbedtls_md_type_t) do_hash_alg ); + md_info = mbedtls_md_info_from_type( md_alg ); - md_info = mbedtls_md_info_from_type( md_alg ); + res = mbedtls_md( md_info, data, datalen, hash ); + TEST_ASSERT( res == 0 ); - res = mbedtls_md( md_info, data, datalen, hash ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) ); - TEST_ASSERT( res == 0 ); + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) ); + } + else + { + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); + } + TEST_ASSERT( res == res_expect ); exit: mbedtls_x509_crt_free( &x509 ); @@ -294,7 +110,7 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_hash_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned ) +void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned, int do_hash_alg, int res_expect ) { unsigned char *pkcs7_buf = NULL; size_t buflen; 
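Review bot: `mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) )` passes the size of the local buffer (declared outside this hunk) as the hash length, which was fine while the test was hard-wired to SHA-256 but no longer holds now that `do_hash_alg` is a parameter: for any other digest that length differs from `mbedtls_md_get_size( md_info )`, and the library's `hashlen != mbedtls_md_get_size( md_info )` check (visible in a later patch on this page) presumably rejects it. Passing the real length, `res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, mbedtls_md_get_size( md_info ) );`, and sizing the buffer as `MBEDTLS_MD_MAX_SIZE` keeps the test valid for every algorithm a data row may name. The same pattern appears in `pkcs7_verify_multiple_signers` (`@@ -344` hunk). The test's setup and `exit:` cleanup lie outside this hunk.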
@@ -344,20 +160,28 @@ void pkcs7_verify_hash_multiple_signers( char *pkcs7_file, char *crt1, char *crt fclose( file ); - res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); - TEST_ASSERT( res == 0 ); - TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + if( do_hash_alg ) + { + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); - md_info = mbedtls_md_info_from_type( md_alg ); + md_info = mbedtls_md_info_from_type( md_alg ); - res = mbedtls_md( md_info, data, datalen, hash ); - TEST_ASSERT( res == 0 ); + res = mbedtls_md( md_info, data, datalen, hash ); + TEST_ASSERT( res == 0 ); - res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); - TEST_ASSERT( res == 0 ); + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); + TEST_ASSERT( res == res_expect ); + } + else + { + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen ); + TEST_ASSERT( res == res_expect ); + } res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == res_expect ); exit: mbedtls_x509_crt_free( &x509_1 ); 
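Review bot: `TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 );` inside the new `if( do_hash_alg )` branch ignores the value of `do_hash_alg` and hard-wires SHA-256, unlike `pkcs7_verify` in the hunk above, which asserts `md_alg == (mbedtls_md_type_t) do_hash_alg`; a data row naming another digest would fail here for the wrong reason. Making it `TEST_ASSERT( md_alg == (mbedtls_md_type_t) do_hash_alg );` keeps the two helpers consistent. The `sizeof(hash)` length argument on the `mbedtls_pkcs7_signed_hash_verify` call carries the same SHA-256 assumption already noted on `pkcs7_verify`. The function's setup and `exit:` cleanup are outside this hunk.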
@@ -368,194 +192,3 @@ exit: USE_PSA_DONE(); } /* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - struct stat st; - size_t datalen; - int res; - FILE *file; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509; - - USE_PSA_INIT(); - - mbedtls_pkcs7_init( &pkcs7 ); - mbedtls_x509_crt_init( &x509 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - - res = mbedtls_x509_crt_parse_file( &x509, crt ); - TEST_ASSERT( res == 0 ); - - res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); - - file = fopen( filetobesigned, "rb" ); - TEST_ASSERT( file != NULL ); - - datalen = st.st_size; - data = mbedtls_calloc( datalen, 1 ); - buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen); - - fclose(file); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); - TEST_ASSERT( res != 0 ); - -exit: - mbedtls_x509_crt_free( &x509 ); - mbedtls_free( data ); - mbedtls_pkcs7_free( &pkcs7 ); - mbedtls_free( pkcs7_buf ); - USE_PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesigned ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - struct stat st; - size_t datalen; - int res; - FILE *file; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509; - - USE_PSA_INIT(); - - mbedtls_pkcs7_init( &pkcs7 ); - mbedtls_x509_crt_init( &x509 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = 
mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - - res = mbedtls_x509_crt_parse_file( &x509, crt ); - TEST_ASSERT( res == 0 ); - - res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); - - file = fopen( filetobesigned, "rb" ); - TEST_ASSERT( file != NULL ); - - datalen = st.st_size; - data = mbedtls_calloc( datalen, 1 ); - buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen); - - fclose(file); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); - TEST_ASSERT( res != 0 ); - -exit: - mbedtls_x509_crt_free( &x509 ); - mbedtls_pkcs7_free( &pkcs7 ); - mbedtls_free( data ); - mbedtls_free( pkcs7_buf ); - USE_PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - struct stat st; - size_t datalen; - int res; - FILE *file; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509_1; - mbedtls_x509_crt x509_2; - - USE_PSA_INIT(); - - mbedtls_pkcs7_init( &pkcs7 ); - mbedtls_x509_crt_init( &x509_1 ); - mbedtls_x509_crt_init( &x509_2 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - - TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 ); - - res = mbedtls_x509_crt_parse_file( &x509_1, crt1 ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_x509_crt_parse_file( &x509_2, crt2 ); - TEST_ASSERT( res == 0 ); - - res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); - - file = fopen( filetobesigned, "r" ); - TEST_ASSERT( file != NULL ); - - datalen = st.st_size; - data = ( unsigned char* ) calloc( datalen, sizeof(unsigned 
char) ); - buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen ); - - fclose( file ); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); - TEST_ASSERT( res == 0 ); - -exit: - mbedtls_x509_crt_free( &x509_1 ); - mbedtls_x509_crt_free( &x509_2 ); - mbedtls_pkcs7_free( &pkcs7 ); - mbedtls_free( data ); - mbedtls_free( pkcs7_buf ); - USE_PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ -void pkcs7_parse_failure( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res != 0 ); -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ From 7089ce83812a13191ba4f3af4b68e840d4660693 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 14 Sep 2022 14:10:00 -0500 Subject: [PATCH 020/413] pkcs7: Handle md errors in multisigner pkcs7 verification In response to feedback [1], if `mbedtls_md_info_from_type` fails, skip the signer and try the next one. Additionally, use a for loop instead of a while loop when iterating over signers because it simplifies the use of `continue`. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967198650 Signed-off-by: Nick Child --- library/pkcs7.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 2299cfdac6..3178ddcabc 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c 
@@ -656,17 +656,21 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, * We could also cache hashes by md, so if there are several sigs all using * the same algo we don't recalculate the hash each time. */ - signer = &pkcs7->signed_data.signers; - while( signer ) + for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next ) { ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); if( ret != 0 ) { ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - goto out; + continue; } md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + continue; + } hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); if( hash == NULL ) { @@ -677,8 +681,9 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, ret = mbedtls_md( md_info, data, datalen, hash ); if( ret != 0 ) { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; mbedtls_free( hash ); - goto out; + continue; } ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, @@ -689,8 +694,6 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, if( ret == 0 ) break; - - signer = signer->next; } out: @@ -716,16 +719,21 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, } signer = &pkcs7->signed_data.signers; - while( signer ) + for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next ) { ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); if( ret != 0 ) { ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - goto out; + continue; } md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + continue; + } if( hashlen != mbedtls_md_get_size( md_info ) ) { @@ -739,8 +747,6 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, pkcs7->signed_data.signers.sig.len ); if( ret == 0 ) break; - - signer = signer->next; } out: From 34d5e931cf50a0647d13b05ac1577333b2c8a249 Mon Sep 17 00:00:00 2001 
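Review bot: The context line `signer = &pkcs7->signed_data.signers;` immediately above the new `for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next )` in `mbedtls_pkcs7_signed_hash_verify` is now a dead store, since the for-init assigns the same value; the parallel hunk in `mbedtls_pkcs7_signed_data_verify` (`@@ -656`) removed its copy of that line, so this one should go too for consistency. The function's body continues outside this hunk.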
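Review bot: The verify call's length argument, the context line `pkcs7->signed_data.signers.sig.len` in the `@@ -739` hunk, reads the first signer's signature length even though the loop now walks `signer` through every SignerInfo; for the second and later signers this is the wrong length whenever signatures differ in size, and a length that does not match the signature pointer actually passed (outside the hunk) is an over-read risk inside the pk verifier. It should presumably be `signer->sig.len`, with `signer->sig.p` for the pointer argument if that one is likewise taken from `signed_data.signers`. The multiple-signer test data on this page uses two RSA certificates of what is presumably the same key size, so the existing tests would not catch it; `mbedtls_pkcs7_signed_data_verify` (`@@ -689`) does not show its call's arguments and is worth checking for the same pattern.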
From: Nick Child Date: Wed, 14 Sep 2022 14:44:03 -0500 Subject: [PATCH 021/413] pkcs7: Use better return code for unimplemented specifications In response to feedback [1] [2], use MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE instead of MBEDTLS_ERR_PKCS7_INVALID_FORMAT for errors due to the pkcs7 implementation being incomplete. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953649079 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953658276 Signed-off-by: Nick Child --- library/pkcs7.c | 6 +++--- tests/suites/test_suite_pkcs7.data | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 3178ddcabc..9dcbab26c4 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -168,7 +168,6 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, end = *p + len; - /** For now, it assumes there is only one digest algorithm specified **/ ret = mbedtls_asn1_get_alg_null( p, end, alg ); if( ret != 0 ) { @@ -176,8 +175,9 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, goto out; } + /** For now, it assumes there is only one digest algorithm specified **/ if ( *p != end ) - ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; out: return( ret ); @@ -231,7 +231,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, */ if (end_cert != end_set) { - ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; goto out; } diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index b26a16fb94..4f81b6f283 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
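Review bot: The relocated comment `/** For now, it assumes there is only one digest algorithm specified **/` now sits above a check that does not assume the limit but enforces it — `*p != end` rejects any set holding more than one AlgorithmIdentifier — so it reads as a description of an assumption rather than of the rejection that follows. Suggested wording: `/* Only a single digest algorithm is supported for now; a set with more entries is rejected as unsupported */`. The `pkcs7_get_certificates` hunk (`@@ -231`) makes the same kind of change for multiple certificates and could carry an equivalent one-line comment above its `end_cert != end_set` check.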
@@ -12,7 +12,7 @@ pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED PKCS7 Signed Data Parse Fail with multiple certs #4 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_INVALID_CERT +pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE PKCS7 Signed Data Parse Fail with corrupted cert #5 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C From 8ce1b1afc87c7551e3cb5efa99c1b2fce6ef953d Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 14 Sep 2022 14:51:23 -0500 Subject: [PATCH 022/413] pkcs7: Correct various syntatical mistakes Resond to feedback from the following comments: - use correct spacing [1-7] - remove unnecessary parenthesis [8] - fixup comments [9-11] - remove unnecessary init work [12] - use var instead of type for sizeof [13] [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953655691 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953661514 [3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953689929 [4] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953696384 [5] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697558 [6] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697793 [7] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697951 [8] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953699102 [9] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r971223775 [10] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967133905 [11] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967135932 [12] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967151430 [13] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967154159 
Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 17 ++++++++--------- library/pkcs7.c | 10 +++++----- tests/suites/test_suite_pkcs7.function | 10 +++++----- 3 files changed, 18 insertions(+), 19 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 7699b60d53..c56926fd53 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h 
@@ -22,23 +22,22 @@ */ /** - * Note: For the time being, this application of the PKCS7 cryptographic + * Note: For the time being, this implementation of the PKCS7 cryptographic * message syntax is a partial implementation of RFC 2315. * Differences include: * - The RFC specifies 6 different content types. The only type currently - * supported in MbedTLS is the signed data content type. + * supported in Mbed TLS is the signed data content type. * - The only supported PKCS7 Signed Data syntax version is version 1 - * - The RFC specifies support for BER. This application is limited to + * - The RFC specifies support for BER. This implementation is limited to * DER only. * - The RFC specifies that multiple digest algorithms can be specified - * in the Signed Data type. Only one digest algorithm is supported in MbedTLS. - * - The RFC specifies the Signed Data certificate format can be - * X509 or PKCS6. The only type currently supported in MbedTLS is X509. + * in the Signed Data type. Only one digest algorithm is supported in Mbed TLS. + * - The RFC specifies the Signed Data type can contain multiple X509 or PKCS6 + * certificates. In Mbed TLS, this list can only contain 0 or 1 certificates + * and they must be in X509 format. * - The RFC specifies the Signed Data type can contain - * certificate-revocation lists (crls). This application has no support + * certificate-revocation lists (crls). This implementation has no support * for crls so it is assumed to be an empty list. - * - The RFC specifies support for multiple signers. This application only - * supports the Signed Data type with a single signer. */ #ifndef MBEDTLS_PKCS7_H diff --git a/library/pkcs7.c b/library/pkcs7.c index 9dcbab26c4..5ec10891ca 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c 
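Review bot: This hunk drops the bullet saying that only a single signer is supported, but the `pkcs7_get_certificates` comment in this same commit's `library/pkcs7.c` hunk (`@@ -229`) still reads `So, we support only the root certificate and the single signer.`, so the header and the implementation now disagree about signer handling. The verify loops added earlier in this series appear to iterate all signers and stop at the first signature that verifies against the supplied certificate, so rather than deleting the bullet it would be clearer to replace it with one describing that behaviour, e.g. ` * - Multiple signers are iterated; verification succeeds as soon as one signer's signature verifies against the supplied certificate.`, and to update the `pkcs7.c` comment to match.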
@@ -58,8 +58,7 @@ */ void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) { - memset( pkcs7, 0, sizeof( mbedtls_pkcs7 ) ); - pkcs7->raw.p = NULL; + memset( pkcs7, 0, sizeof( *pkcs7 ) ); } static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, @@ -229,7 +228,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, * So, we support only the root certificate and the single signer. * The behaviour would be improved with addition of multiple signer support. */ - if (end_cert != end_set) + if ( end_cert != end_set ) { ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; goto out; @@ -702,7 +701,8 @@ out: int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, - const unsigned char *hash, size_t hashlen) + const unsigned char *hash, + size_t hashlen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const mbedtls_md_info_t *md_info; @@ -750,7 +750,7 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, } out: - return ( ret ); + return( ret ); } /* diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 8db3f3f53d..c5094bcca8 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -76,15 +76,15 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_has datalen = st.st_size; data = mbedtls_calloc( datalen, 1 ); - TEST_ASSERT( data != NULL); + TEST_ASSERT( data != NULL ); buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen); + TEST_ASSERT( buflen == datalen ); fclose( file ); if( do_hash_alg ) { - res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + res = mbedtls_oid_get_md_alg( &pkcs7.signed_data.digest_alg_identifiers, &md_alg ); TEST_ASSERT( res == 0 ); TEST_ASSERT( md_alg == (mbedtls_md_type_t) do_hash_alg ); md_info = mbedtls_md_info_from_type( md_alg ); 
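Review bot: The reformatted condition `if ( end_cert != end_set )` keeps a space between `if` and the parenthesis, whereas the rest of this file uses the `if( ret != 0 )` form (visible in the surrounding hunks of this series), so the line is still inconsistent after the whitespace fix; `if( end_cert != end_set )` matches. `pkcs7_get_certificates` begins above the hunk.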
@@ -162,7 +162,7 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch if( do_hash_alg ) { - res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + res = mbedtls_oid_get_md_alg( &pkcs7.signed_data.digest_alg_identifiers, &md_alg ); TEST_ASSERT( res == 0 ); TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); @@ -171,7 +171,7 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch res = mbedtls_md( md_info, data, datalen, hash ); TEST_ASSERT( res == 0 ); - res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash) ); TEST_ASSERT( res == res_expect ); } else From 9512bde5c31b21c09697db5e3845e0375e38ef51 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 16 Sep 2022 09:49:06 -0500 Subject: [PATCH 023/413] pkcs7: Fix pkcs7 error code values Mbed TLS uses a two layer system for error codes. The least significant 7 bits should be used to signal low-level module errors. Since PKCS7 is a high level module, it should leave these bits unassigned. To do this, the least significant byte of PKCS7 error codes must either be 0x00 or 0x80. Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index c56926fd53..513b707d67 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h 
@@ -56,15 +56,15 @@ * \{ */ #define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x5300 /**< The format is invalid, e.g. different type expected. */ -#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x53F0 /**< Unavailable feature, e.g. anything other than signed data. */ +#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x5380 /**< Unavailable feature, e.g. anything other than signed data. */ #define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS7 version element is invalid or cannot be parsed. */ -#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x54F0 /**< The PKCS7 content info invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS7 content info invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */ -#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x55F0 /**< The certificate tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */ -#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x56F0 /**< Error parsing the signer's info */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */ #define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ -#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x57F0 /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ /* \} name */ From 2fdc7b3599f3eeb14391e925b6b859f9e3ab857c Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Wed, 21 Sep 2022 12:33:17 +0100 Subject: [PATCH 024/413] Return an error from mbedtls_ssl_handshake_step() if neither client nor server This prevents an infinite loop in mbedtls_ssl_handshake(). Fixes #6305. 
Signed-off-by: Tom Cosgrove --- library/ssl_tls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 12e1c1b03d..5ea8afadfc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3243,6 +3243,10 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ret != 0 ) goto cleanup; + /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or + * MBEDTLS_SSL_IS_SERVER, this is the return code we give */ + ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { From 87d9c6c4d879d4cf32a9fbc101cb3be3abf05f77 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 22 Sep 2022 09:27:56 +0100 Subject: [PATCH 025/413] Ensure client mbedtls_ssl_handshake_step() returns success for HELLO_REQUEST Signed-off-by: Tom Cosgrove --- library/ssl_tls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5ea8afadfc..2d1ffbe040 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3257,6 +3257,7 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) { case MBEDTLS_SSL_HELLO_REQUEST: ssl->state = MBEDTLS_SSL_CLIENT_HELLO; + ret = 0; break; case MBEDTLS_SSL_CLIENT_HELLO: From 5f9456f3e36fcb5a45955eb632cf42ae2962e9c9 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Mon, 19 Sep 2022 10:01:25 -0500 Subject: [PATCH 026/413] pkcs7: Fix trailing whitespace Signed-off-by: Nick Child --- library/pkcs7.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 5ec10891ca..c4d605e009 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -243,9 +243,9 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, *p = *p + len1; - /* + /* * Since in this version we strictly support single certificate, and reaching - * here implies we have parsed successfully, we return 1. + * here implies we have parsed successfully, we return 1. */ ret = 1; 
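Review bot: Setting `ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;` as a fallback before the client/server dispatch makes every arm of the state switch that follows responsible for overwriting `ret`, and an arm that only changes `ssl->state` without assigning `ret` now fails the handshake — the `MBEDTLS_SSL_HELLO_REQUEST` fix in the next commit of this series is exactly that case. Returning the error from an explicit fallthrough after the endpoint branches, once both `#if` blocks are closed, keeps the error next to the condition it reports and does not depend on each arm remembering to assign. The comment could also say why the assignment sits up here: `/* Fallback: overwritten by the client/server state handlers below; only reaches the caller if neither endpoint branch runs. */`. `mbedtls_ssl_handshake_step` continues well beyond the hunk.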
@@ -701,7 +701,7 @@ out: int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, - const unsigned char *hash, + const unsigned char *hash, size_t hashlen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; From 47c7a732d28696b9ff4ebd90f45ba4d96d6cfd78 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:34:23 -0300 Subject: [PATCH 027/413] Print RFC 4108 hwSerialNum in hex format Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- library/x509_crt.c | 14 ++----- tests/suites/test_suite_x509parse.data | 8 ++-- tests/suites/test_suite_x509parse.function | 46 ++++++++++------------ 3 files changed, 28 insertions(+), 40 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index af1e487dbf..d17a952b7c 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1854,6 +1854,7 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, const char *prefix ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t i; size_t n = *size; char *p = *buf; const mbedtls_x509_sequence *cur = subject_alt_name; @@ -1906,18 +1907,11 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix ); MBEDTLS_X509_SAFE_SNPRINTF; - if( other_name->value.hardware_module_name.val.len >= n ) + for( i = 0; i < other_name->value.hardware_module_name.val.len; i++ ) { - *p = '\0'; - return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + ret = mbedtls_snprintf( p, n, "%02X", other_name->value.hardware_module_name.val.p[i] ); + MBEDTLS_X509_SAFE_SNPRINTF; } - - memcpy( p, other_name->value.hardware_module_name.val.p, - other_name->value.hardware_module_name.val.len ); - p += other_name->value.hardware_module_name.val.len; - - n -= other_name->value.hardware_module_name.val.len; - }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ } break; 
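Review bot: The new loop `ret = mbedtls_snprintf( p, n, "%02X", other_name->value.hardware_module_name.val.p[i] );` changes the user-visible rendering of the hardware serial number from raw bytes to hex (the test expectations in this commit move from `123456` to `313233343536`), but nothing in the code says why, and the header documentation of `mbedtls_x509_crt_info` is not touched in this series. A why-comment above the loop would stop the next reader from "restoring" the copy: `/* hwSerialNum is an OCTET STRING, not text: print it as hex so arbitrary bytes cannot put control characters into the info output. */`. `x509_info_subject_alt_name` begins above this hunk, and the new line appears to exceed the column width used elsewhere in the function, so a break after the format string would help.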
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 6263fba2cd..a4908a61e5 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -88,7 +88,7 @@ x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial n X509 CRT information EC, SHA256 Digest, hardware module name SAN depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n" +x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n" X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA 
@@ -112,7 +112,7 @@ x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nseri X509 CRT information, Multiple different Subject Alt Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n dNSName \: example.net\n dNSName \: *.example.org\n" +x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CRT information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA 
@@ -172,7 +172,7 @@ x509_cert_info:"data_files/non-ascii-string-in-issuer.crt":"cert. version \: X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\n" +x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n" X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA @@ -180,7 +180,7 @@ x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: exampl X509 SAN parsing Multiple different types depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" +x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" X509 SAN parsing, no subject alt name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 60e703a948..df4b03e0ec 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function 
@@ -246,36 +246,30 @@ int verify_parse_san( mbedtls_x509_subject_alternative_name *san, switch( san->type ) { - case( MBEDTLS_X509_SAN_OTHER_NAME ): - ret = mbedtls_snprintf( p, n, "\notherName :"); - MBEDTLS_X509_SAFE_SNPRINTF; + case( MBEDTLS_X509_SAN_OTHER_NAME ): + ret = mbedtls_snprintf( p, n, "\notherName :"); + MBEDTLS_X509_SAFE_SNPRINTF; - if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, - &san->san.other_name.value.hardware_module_name.oid ) != 0 ) - { - ret = mbedtls_snprintf( p, n, " hardware module name :" ); - MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_snprintf( p, n, " hardware type : " ); - MBEDTLS_X509_SAFE_SNPRINTF; + if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, + &san->san.other_name.value.hardware_module_name.oid ) != 0 ) + { + ret = mbedtls_snprintf( p, n, " hardware module name :" ); + MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf( p, n, " hardware type : " ); + MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_oid_get_numeric_string( p, n, - &san->san.other_name.value.hardware_module_name.oid ); - MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_oid_get_numeric_string( p, n, + &san->san.other_name.value.hardware_module_name.oid ); + MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_snprintf( p, n, ", hardware serial number : " ); - MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf( p, n, ", hardware serial number : " ); + MBEDTLS_X509_SAFE_SNPRINTF; - if( san->san.other_name.value.hardware_module_name.val.len >= n ) - { - *p = '\0'; - return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); - } - - for( i=0; i < san->san.other_name.value.hardware_module_name.val.len; i++ ) - { - *p++ = san->san.other_name.value.hardware_module_name.val.p[i]; - } - n -= san->san.other_name.value.hardware_module_name.val.len; + for( i = 0; i < san->san.other_name.value.hardware_module_name.val.len; i++ ) + { + ret = mbedtls_snprintf( p, n, "%02X", san->san.other_name.value.hardware_module_name.val.p[i] ); + MBEDTLS_X509_SAFE_SNPRINTF; + } } break;/* 
MBEDTLS_OID_ON_HW_MODULE_NAME */ case( MBEDTLS_X509_SAN_DNS_NAME ): From d0225afcb62573774df307389352c336b97a9e54 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:40:20 -0300 Subject: [PATCH 028/413] Add a new test with a binary hwSerialNum Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- tests/data_files/Makefile | 3 +++ tests/data_files/server5-nonprintable_othername.crt | 12 ++++++++++++ tests/data_files/test-ca.opensslconf | 7 +++++++ tests/suites/test_suite_x509parse.data | 8 ++++++++ 4 files changed, 30 insertions(+) create mode 100644 tests/data_files/server5-nonprintable_othername.crt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 6187d17bc3..09a0689462 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -276,6 +276,9 @@ all_final += server5-ss-forgeca.crt server5-othername.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -out $@ +server5-nonprintable_othername.crt: server5.key + $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS non-printable othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions nonprintable_othername_san -days 3650 -sha256 -key $< -out $@ + server5-unsupported_othername.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupoported_othername_san -days 3650 -sha256 -key $< -out $@ diff --git a/tests/data_files/server5-nonprintable_othername.crt b/tests/data_files/server5-nonprintable_othername.crt new file mode 100644 index 0000000000..9470bbe9cc --- /dev/null +++ b/tests/data_files/server5-nonprintable_othername.crt 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBwTCCAWagAwIBAgIBTTAKBggqhkjOPQQDAjBPMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxLTArBgNVBAMMJE1iZWQgVExTIG5vbi1wcmludGFibGUg +b3RoZXJuYW1lIFNBTjAeFw0yMjA5MDYxNTU2NDdaFw0zMjA5MDMxNTU2NDdaME8x +CzAJBgNVBAYTAlVLMREwDwYDVQQKDAhNYmVkIFRMUzEtMCsGA1UEAwwkTWJlZCBU +TFMgbm9uLXByaW50YWJsZSBvdGhlcm5hbWUgU0FOMFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/ +6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6MzMDEwLwYDVR0RBCgwJqAkBggrBgEF +BQcIBKAYMBYGBysGAQQBEQMECzEyM4CBAIGAMzIxMAoGCCqGSM49BAMCA0kAMEYC +IQDATir07PTj5gtf+HAyI+nd27AH9+bdaWdOI2t2bAwUWgIhAO7kvdcsa++yfJdT +3vnWdvcHRIAdXA0kh+mcBMaXk9B0 +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index 64347de830..3bb237903c 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf @@ -15,6 +15,9 @@ basicConstraints = CA:true [othername_san] subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name +[nonprintable_othername_san] +subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name + [unsupoported_othername_san] subjectAltName=otherName:1.2.3.4;UTF8:some other identifier @@ -34,6 +37,10 @@ subjectAltName=@alt_names hwtype = OID:1.3.6.1.4.1.17.3 hwserial = OCT:123456 +[nonprintable_hw_module_name] +hwtype = OID:1.3.6.1.4.1.17.3 +hwserial = FORMAT:HEX, OCT:3132338081008180333231 + [v3_any_policy_ca] basicConstraints = CA:true certificatePolicies = 2.5.29.32.0 diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index a4908a61e5..69f745f462 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -90,6 +90,10 @@ X509 CRT information EC, SHA256 Digest, hardware module name SAN depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n" +X509 CRT information EC, SHA256 Digest, binary hardware module name SAN +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/server5-nonprintable_othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2022-09-06 15\:56\:47\nexpires on \: 2032-09-03 15\:56\:47\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n" + X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/server5-fan.crt":"cert. 
version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" @@ -174,6 +178,10 @@ X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n" +X509 SAN parsing binary otherName +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n" + X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" From 00a02b1468e95e0c0bf66e513beb919733e78050 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:40:39 -0300 Subject: [PATCH 029/413] Add Changelog entry Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- ChangeLog.d/fix_x509_info_hwmodulename.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/fix_x509_info_hwmodulename.txt diff --git a/ChangeLog.d/fix_x509_info_hwmodulename.txt b/ChangeLog.d/fix_x509_info_hwmodulename.txt new file mode 100644 index 0000000000..8b227cec34 --- /dev/null 
+++ b/ChangeLog.d/fix_x509_info_hwmodulename.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
+ bytes when parsing certificates containing a binary RFC 4108
+ HardwareModuleName as a Subject Alternative Name extension. Hardware
+ serial numbers are now rendered in hex format. Fixes #6262.
From 2df73ae7425b902fef8feffeccc47a8d1fd80c05 Mon Sep 17 00:00:00 2001 From: "Denis V. Lunev" Date: Thu, 1 Nov 2018 12:22:27 +0300 Subject: [PATCH 030/413] mbedtls: fix possible false success in ...check_tags() helpers We should report a error when the security check of the security tag was not made. In the other case false success is possible and is not observable by the software. Technically this could lead to a security flaw. Signed-off-by: Denis V. Lunev --- library/cipher.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/library/cipher.c b/library/cipher.c
index 752d1fea2c..2f2e03ba18 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -505,7 +505,7 @@ int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
 }
 #endif
 
- return( 0 );
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
 }
 
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
@@ -1134,7 +1134,7 @@ int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
 }
 #endif
 
- return( 0 );
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
 }
 
 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
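Review bot: `return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );` in `mbedtls_cipher_update_ad` and `mbedtls_cipher_write_tag` (this hunk and `@@ -1134`), and the same default in `mbedtls_cipher_check_tag` (the file's third hunk, `@@ -1161`), change the functions' contract, but no header documentation is updated in this series; the `\return` lists in the header that declares these three functions should say the error is returned for any non-AEAD cipher mode, e.g. ` * \return        #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE if the context is not an AEAD mode (GCM or ChaCha20-Poly1305).`. It is also worth spelling out, for the changelog, that a caller which ignored the old `0` from `mbedtls_cipher_check_tag` was never authenticating anything, since that is the false-success the commit message describes.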
@@ -1161,11 +1161,8 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
 }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
- /* Status to return on a non-authenticated algorithm. It would make sense
- * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
- * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
- * unit tests assume 0. */
- ret = 0;
+ /* Status to return on a non-authenticated algorithm. */
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
 
 #if defined(MBEDTLS_GCM_C)
 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
From c621a6d38fa9bcb3e892136acdb4c34f8e3cdce4 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Fri, 30 Sep 2022 17:13:35 +0100 Subject: [PATCH 031/413] Update tests to account for CIPHER_FEATURE_UNAVAILABLE on non-authenticated alg Signed-off-by: Tom Cosgrove --- tests/suites/test_suite_cipher.function | 44 +++++++++++++++++++------ 1 file changed, 34 insertions(+), 10 deletions(-)
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 37468df71a..7f5b7e2901 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -453,8 +453,12 @@ void enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) );
 
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, ad, sizeof( ad ) - i ) );
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, ad, sizeof( ad ) - i ) );
+ int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM ||
+ cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, ad, sizeof(ad) - i ) );
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_enc, ad, sizeof(ad) - i ) );
 #endif
 
 block_size = mbedtls_cipher_get_block_size( &ctx_enc );
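Review bot: The three-line `int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM || ... ) ? 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;` block is copy-pasted into six hunks of this file (`@@ -453`, `@@ -550`, `@@ -612`, `@@ -713`, `@@ -798` and `@@ -809`), and its second comparison tests the `mode` field against `MBEDTLS_CIPHER_CHACHA20_POLY1305`, a cipher-type constant rather than a mode, which the title of the following commit in this series acknowledges. A small helper in the file's preamble gives one place to hold the correct mode check and turns each site into a single line; the `decrypt_test_vec` sites would pass `ctx.cipher_info` and `tag_result` instead. The declarations also sit inside the `#if` after executable statements, so they rely on C99 mixed declarations, which is fine only if the test suites already require C99.
```c
/* Result expected from an AEAD-only call on a context of the given cipher:
 * aead_ret for GCM and ChaCha20-Poly1305, FEATURE_UNAVAILABLE otherwise. */
static int aead_only_expected( const mbedtls_cipher_info_t *info, int aead_ret )
{
    return( ( info->mode == MBEDTLS_MODE_GCM ||
              info->mode == MBEDTLS_MODE_CHACHAPOLY ) ?
            aead_ret : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}

/* … unchanged: enc_dec_buf up to the AEAD block … */
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
    int expected = aead_only_expected( cipher_info, 0 );
```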
@@ -473,7 +477,7 @@ void enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
 total_len += outlen;
 
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_write_tag( &ctx_enc, tag, sizeof( tag ) ) );
+ TEST_EQUAL( expected, mbedtls_cipher_write_tag( &ctx_enc, tag, sizeof(tag) ) );
 #endif
 
 TEST_ASSERT( total_len == length ||
@@ -494,7 +498,7 @@ void enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
 total_len += outlen;
 
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_check_tag( &ctx_dec, tag, sizeof( tag ) ) );
+ TEST_EQUAL( expected, mbedtls_cipher_check_tag( &ctx_dec, tag, sizeof(tag) ) );
 #endif
 
 /* check result */
@@ -550,7 +554,11 @@ void enc_fail( int cipher_id, int pad_mode, int key_len, int length_val,
 TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv, 16 ) );
 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) );
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, NULL, 0 ) );
+ int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM ||
+ cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx, NULL, 0 ) );
 #endif
 
 /* encode length number of bytes from inbuf */
@@ -612,7 +620,11 @@ void dec_empty_buf( int cipher,
 TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) );
 
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
- TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
+ int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM ||
+ cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ?
+ 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+ TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
 #endif
 
 /* decode 0-byte string */
@@ -713,8 +725,12 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) ); #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) - TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) ); - TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, NULL, 0 ) ); + int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM || + cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; + + TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) ); + TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_enc, NULL, 0 ) ); #endif block_size = mbedtls_cipher_get_block_size( &ctx_enc ); @@ -798,7 +814,11 @@ void decrypt_test_vec( int cipher_id, int pad_mode, data_t * key, TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv->x, iv->len ) ); TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) ); #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) - TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, ad->x, ad->len ) ); + int expected = ( ctx.cipher_info->mode == MBEDTLS_MODE_GCM || + ctx.cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; + + TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx, ad->x, ad->len ) ); #endif /* decode buffer and check tag->x */ @@ -809,7 +829,11 @@ void decrypt_test_vec( int cipher_id, int pad_mode, data_t * key, &outlen ) ); total_len += outlen; #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) - TEST_ASSERT( tag_result == mbedtls_cipher_check_tag( &ctx, tag->x, tag->len ) ); + int tag_expected = ( ctx.cipher_info->mode == MBEDTLS_MODE_GCM || + ctx.cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + tag_result : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; + + TEST_EQUAL( tag_expected, mbedtls_cipher_check_tag( &ctx, tag->x, tag->len ) ); #endif /* check plaintext only if everything went fine */ 
From 51a01638286cb0da13fbc79d553e6aa47f724113 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Fri, 30 Sep 2022 18:10:58 +0100 Subject: [PATCH 032/413] Add ChangeLog entry Signed-off-by: Tom Cosgrove --- ...fix-possible-false-success-in-mbedtls_cipher_check_tag.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt diff --git a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt new file mode 100644 index 0000000000..01492438aa --- /dev/null +++ b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt @@ -0,0 +1,4 @@ +Changes + * Calling AEAD tag-specific functions for non-AEAD algorithms (which should not + be done - they are documented for use only by AES-GCM and ChaCha20+Poly1305) + now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE instead of success (0). From 7dbe8528f38c393d76b2cbbd358c0b847b9cac11 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 30 Sep 2022 17:24:29 -0500 Subject: [PATCH 033/413] pkcs7: Import header files with included directory path not relative path In #include statements, rely on -I paths instead of relative paths. Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 513b707d67..9486c71535 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -47,9 +47,9 @@ #include "mbedtls/build_info.h" -#include "asn1.h" -#include "x509.h" -#include "x509_crt.h" +#include "mbedtls/asn1.h" +#include "mbedtls/x509.h" +#include "mbedtls/x509_crt.h" /** * \name PKCS7 Module Error codes From edca207260d1570dec59b96eee00c82af5acbf1f Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Fri, 14 Oct 2022 12:10:40 +0100 Subject: [PATCH 034/413] MBEDTLS_CIPHER_CHACHA20_POLY1305 is an mbedtls_cipher_type_t not an mbedtls_cipher_mode_t 
Signed-off-by: Tom Cosgrove --- tests/suites/test_suite_cipher.function | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 7f5b7e2901..708adb09b1 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -454,7 +454,7 @@ void enc_dec_buf( int cipher_id, char * cipher_string, int key_len, #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM || - cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, ad, sizeof(ad) - i ) ); @@ -555,7 +555,7 @@ void enc_fail( int cipher_id, int pad_mode, int key_len, int length_val, TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) ); #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM || - cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx, NULL, 0 ) ); @@ -621,7 +621,7 @@ void dec_empty_buf( int cipher, #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM || - cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) ); 
@@ -726,7 +726,7 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) int expected = ( cipher_info->mode == MBEDTLS_MODE_GCM || - cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) ); @@ -815,7 +815,7 @@ void decrypt_test_vec( int cipher_id, int pad_mode, data_t * key, TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) ); #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) int expected = ( ctx.cipher_info->mode == MBEDTLS_MODE_GCM || - ctx.cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? 0 : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; TEST_EQUAL( expected, mbedtls_cipher_update_ad( &ctx, ad->x, ad->len ) ); @@ -830,7 +830,7 @@ void decrypt_test_vec( int cipher_id, int pad_mode, data_t * key, total_len += outlen; #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) int tag_expected = ( ctx.cipher_info->mode == MBEDTLS_MODE_GCM || - ctx.cipher_info->mode == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? + ctx.cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) ? tag_result : MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; TEST_EQUAL( tag_expected, mbedtls_cipher_check_tag( &ctx, tag->x, tag->len ) ); From 17845b8f7119ee512ed98be423231ad87c61eccf Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Thu, 13 Oct 2022 17:21:01 +0100 Subject: [PATCH 035/413] Add driver wrapper function for raw key agreement, along with test call for transparent drivers. 
Signed-off-by: Aditya Deshpande --- library/psa_crypto.c | 58 +++++++++++---- library/psa_crypto_core.h | 58 +++++++++++++++ library/psa_crypto_driver_wrappers.h | 16 ++++ .../psa_crypto_driver_wrappers.c.jinja | 64 ++++++++++++++++ tests/include/test/drivers/key_agreement.h | 71 ++++++++++++++++++ tests/include/test/drivers/test_driver.h | 1 + tests/src/drivers/test_driver_key_agreement.c | 73 +++++++++++++++++++ 7 files changed, 328 insertions(+), 13 deletions(-) create mode 100644 tests/include/test/drivers/key_agreement.h create mode 100644 tests/src/drivers/test_driver_key_agreement.c diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2ce5e4320d..194d986b2f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5793,26 +5793,28 @@ exit: #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES -static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, - psa_key_slot_t *private_key, - const uint8_t *peer_key, - size_t peer_key_length, - uint8_t *shared_secret, - size_t shared_secret_size, - size_t *shared_secret_length ) +psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ) { switch( alg ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) case PSA_ALG_ECDH: - if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) ) + if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( attributes->core.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); mbedtls_ecp_keypair *ecp = NULL; psa_status_t status = mbedtls_psa_ecp_load_representation( - private_key->attr.type, - private_key->attr.bits, - private_key->key.data, - private_key->key.bytes, + attributes->core.type, + attributes->core.bits, + key_buffer, + key_buffer_size, &ecp ); if( status != PSA_SUCCESS ) return( status ); 
@@ -5825,7 +5827,9 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, return( status ); #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ default: - (void) private_key; + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; (void) peer_key; (void) peer_key_length; (void) shared_secret; @@ -5835,6 +5839,34 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, } } +/** Internal function for raw key agreement + * Calls the driver wrapper which will hand off key agreement task + * to the driver's implementation if a driver is present. + * Fallback specified in the driver wrapper is built-in raw key agreement + * (psa_key_agreement_raw_builtin). + */ +static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, + psa_key_slot_t *private_key, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ) +{ + if( !PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) ) + return( PSA_ERROR_NOT_SUPPORTED ); + + psa_key_attributes_t attributes = { + .core = private_key->attr + }; + + return( psa_driver_wrapper_key_agreement( &attributes, private_key->key.data, + private_key->key.bytes, + alg, peer_key, peer_key_length, + shared_secret, shared_secret_size, + shared_secret_length ) ); +} + /* Note that if this function fails, you must call psa_key_derivation_abort() * to potentially free embedded data structures and wipe confidential data. */ diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 8c91b04d03..5bfdfb39ea 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h 
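Review bot: The new guard in psa_key_agreement_raw_internal returns `PSA_ERROR_NOT_SUPPORTED` when `alg` is not a raw key agreement algorithm, while the documentation this commit adds for psa_key_agreement_raw_builtin in psa_crypto_core.h maps "alg is not a key agreement algorithm" to `PSA_ERROR_INVALID_ARGUMENT`; one of the two should change so callers see a consistent code. If the public entry point already rejects such an `alg` before reaching here, a comment such as `/* alg was validated by the caller; defensive check only */` would make the choice deliberate. The `attributes` local is built with only `.core` populated, which is presumably enough for the wrapper but deserves a one-line comment as well.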
@@ -547,4 +547,62 @@ psa_status_t psa_verify_hash_builtin( */ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ); + +/** Perform a key agreement and return the raw shared secret, using + built-in raw key agreement functions. + * + * \note The signature of this function is that of a PSA driver + * key_agreement entry point. This function behaves as a key_agreement + * entry point as defined in the PSA driver interface specification for + * transparent drivers. + * + * \param[in] attributes The attributes of the key to use for + * the operation. + * \param[in] key_buffer The buffer containing the private key + * context. + * \param[in] key_buffer_size Size of the \p key_buffer buffer in + * bytes. + * \param[in] alg A key agreement algorithm that is + * compatible with the type of the key. + * \param[in] peer_key The buffer containing the key context + * of the peer's public key. + * \param[in] peer_key_length Size of the \p peer_key buffer in + * bytes. + * \param[out] shared_secret The buffer to which the shared secret + * is to be written. + * \param[in] shared_secret_size Size of the \p shared_secret buffer in + * bytes. + * \param[out] shared_secret_length On success, the number of bytes that + * make up the returned shared secret. + * \retval #PSA_SUCCESS + * Success. Shared secret successfully calculated. + * \retval #PSA_ERROR_INVALID_HANDLE + * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p alg is not a key agreement algorithm, or + * \p private_key is not compatible with \p alg, + * or \p peer_key is not valid for \p alg or not compatible with + * \p private_key. + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \p shared_secret_size is too small + * \retval #PSA_ERROR_NOT_SUPPORTED + * \p alg is not a supported key agreement algorithm. 
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_COMMUNICATION_FAILURE + * \retval #PSA_ERROR_HARDWARE_FAILURE + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_BAD_STATE + */ +psa_status_t psa_key_agreement_raw_builtin( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ); + #endif /* PSA_CRYPTO_CORE_H */ diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index ee23b6f3fe..017a4b6c88 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -357,6 +357,22 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt( size_t output_size, size_t *output_length ); +/* + * Raw Key Agreement + */ + + psa_status_t psa_driver_wrapper_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length + ); + #endif /* PSA_CRYPTO_DRIVER_WRAPPERS_H */ /* End of automatically generated file. */ diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 8ef2e6d874..734b6b6861 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja 
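Review bot: The doc comment for psa_key_agreement_raw_builtin lists `\retval #PSA_ERROR_INVALID_HANDLE` and `\retval #PSA_ERROR_NOT_PERMITTED` and refers to `\p private_key`, but this entry point receives `attributes` and `key_buffer` rather than a key handle, so neither return value nor that parameter name applies; the text looks copied from the public psa_raw_key_agreement() documentation and should be trimmed to what this function can actually return. The second line of the comment (`built-in raw key agreement functions.`) is also missing its leading ` *`, unlike every other line of the block.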
@@ -2452,4 +2452,68 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt( } } +psa_status_t psa_driver_wrapper_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length + ) + { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_location_t location = + PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); + + switch( location ) + { + case PSA_KEY_LOCATION_LOCAL_STORAGE: + /* Key is stored in the slot in export representation, so + * cycle through all known transparent accelerators */ + #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) + #if defined(PSA_CRYPTO_DRIVER_TEST) + status = + mbedtls_test_transparent_key_agreement( attributes, + key_buffer, + key_buffer_size, + alg, + peer_key, + peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ); + if( status != PSA_ERROR_NOT_SUPPORTED ) + return( status ); + #endif /* PSA_CRYPTO_DRIVER_TEST */ + #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ + + /* Software Fallback */ + status = psa_key_agreement_raw_builtin( attributes, + key_buffer, + key_buffer_size, + alg, + peer_key, + peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ); + return( status ); + + default: + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) peer_key; + (void) peer_key_length; + (void) shared_secret; + (void) shared_secret_size; + (void) shared_secret_length; + return( PSA_ERROR_NOT_SUPPORTED ); + + } + } + #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/tests/include/test/drivers/key_agreement.h b/tests/include/test/drivers/key_agreement.h new file mode 100644 index 0000000000..57de81ab1f --- /dev/null +++ b/tests/include/test/drivers/key_agreement.h 
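Review bot: psa_driver_wrapper_key_agreement handles only `PSA_KEY_LOCATION_LOCAL_STORAGE` and returns `PSA_ERROR_NOT_SUPPORTED` for every other location, yet the new key_agreement.h declares `mbedtls_test_opaque_key_agreement`; either add a `PSA_CRYPTO_TEST_DRIVER_LOCATION` case that dispatches to it, or drop the declaration so the header does not promise an entry point the wrapper never calls. A comment on the `default:` branch, e.g. `/* No opaque driver provides raw key agreement yet. */`, would document the gap for other location values. The body and the `#if` lines are indented one level deeper than the function's signature; this should match the surrounding wrappers in the template.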
@@ -0,0 +1,71 @@ +/* + * Test driver for key agreement functions. + */ +/* Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef PSA_CRYPTO_TEST_DRIVERS_KEY_AGREEMENT_H +#define PSA_CRYPTO_TEST_DRIVERS_KEY_AGREEMENT_H + +#include "mbedtls/build_info.h" + +#if defined(PSA_CRYPTO_DRIVER_TEST) +#include + +typedef struct { + /* If non-null, on success, copy this to the output. */ + void *forced_output; + size_t forced_output_length; + /* If not PSA_SUCCESS, return this error code instead of processing the + * function call. */ + psa_status_t forced_status; + /* Count the amount of times one of the signature driver functions is called. 
*/ + unsigned long hits; +} mbedtls_test_driver_key_agreement_hooks_t; + +#define MBEDTLS_TEST_DRIVER_KEY_AGREEMENT_INIT { NULL, 0, PSA_SUCCESS, 0 } +static inline mbedtls_test_driver_key_agreement_hooks_t + mbedtls_test_driver_key_agreement_hooks_init( void ) +{ + const mbedtls_test_driver_key_agreement_hooks_t + v = MBEDTLS_TEST_DRIVER_KEY_AGREEMENT_INIT; + return( v ); +} + +psa_status_t mbedtls_test_transparent_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ); + +psa_status_t mbedtls_test_opaque_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ); + +#endif /*PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_AGREEMENT_H */ \ No newline at end of file diff --git a/tests/include/test/drivers/test_driver.h b/tests/include/test/drivers/test_driver.h index 098b21abff..0bfeb66b03 100644 --- a/tests/include/test/drivers/test_driver.h +++ b/tests/include/test/drivers/test_driver.h @@ -29,5 +29,6 @@ #include "test/drivers/key_management.h" #include "test/drivers/signature.h" #include "test/drivers/asymmetric_encryption.h" +#include "test/drivers/key_agreement.h" #endif /* PSA_CRYPTO_TEST_DRIVER_H */ diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c new file mode 100644 index 0000000000..40681c315b --- /dev/null +++ b/tests/src/drivers/test_driver_key_agreement.c 
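Review bot: The comment on `hits` says it counts calls to "one of the signature driver functions", which is copied from the signature driver header; it should read `/* Count the number of times one of the key agreement driver functions is called. */`. The header also declares `mbedtls_test_opaque_key_agreement`, for which the new test_driver_key_agreement.c in this commit provides no definition, so any caller would fail at link time; declare it only once an implementation exists.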
@@ -0,0 +1,73 @@ +/* + * Test driver for key agreement functions. + */ +/* Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include "psa/crypto.h" +#include "psa_crypto_core.h" + +#include "test/drivers/key_agreement.h" +#include "test/drivers/test_driver.h" + +#include + +#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) + +mbedtls_test_driver_key_agreement_hooks_t + mbedtls_test_driver_key_agreement_hooks = MBEDTLS_TEST_DRIVER_KEY_AGREEMENT_INIT; + +psa_status_t mbedtls_test_transparent_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ) +{ + if( mbedtls_test_driver_key_agreement_hooks.forced_status != PSA_SUCCESS ) + return( mbedtls_test_driver_key_agreement_hooks.forced_status ); + + if( mbedtls_test_driver_key_agreement_hooks.forced_output != NULL ) + { + if( mbedtls_test_driver_key_agreement_hooks.forced_output_length > shared_secret_size ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + + memcpy( shared_secret, mbedtls_test_driver_key_agreement_hooks.forced_output, + mbedtls_test_driver_key_agreement_hooks.forced_output_length ); + *shared_secret_length = mbedtls_test_driver_key_agreement_hooks.forced_output_length; + 
+ return( PSA_SUCCESS ); + } + + return( psa_key_agreement_raw_builtin( + attributes, + key_buffer, + key_buffer_size, + alg, + peer_key, + peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ) ); +} + +#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ \ No newline at end of file From 40c05cc8e4ccc52c455481350fc33dcae7589eea Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Fri, 14 Oct 2022 16:41:40 +0100 Subject: [PATCH 036/413] Newlines at end of file + trim trailing whitespace Signed-off-by: Aditya Deshpande --- library/psa_crypto.c | 10 ++--- library/psa_crypto_core.h | 42 +++++++++---------- .../psa_crypto_driver_wrappers.c.jinja | 4 +- tests/include/test/drivers/key_agreement.h | 2 +- tests/src/drivers/test_driver_key_agreement.c | 4 +- 5 files changed, 31 insertions(+), 31 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 194d986b2f..86b84bf19a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5841,8 +5841,8 @@ psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attribut /** Internal function for raw key agreement * Calls the driver wrapper which will hand off key agreement task - * to the driver's implementation if a driver is present. - * Fallback specified in the driver wrapper is built-in raw key agreement + * to the driver's implementation if a driver is present. + * Fallback specified in the driver wrapper is built-in raw key agreement * (psa_key_agreement_raw_builtin). */ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, @@ -5861,9 +5861,9 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, }; return( psa_driver_wrapper_key_agreement( &attributes, private_key->key.data, - private_key->key.bytes, - alg, peer_key, peer_key_length, - shared_secret, shared_secret_size, + private_key->key.bytes, + alg, peer_key, peer_key_length, + shared_secret, shared_secret_size, shared_secret_length ) ); } 
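Review bot: mbedtls_test_transparent_key_agreement never increments `mbedtls_test_driver_key_agreement_hooks.hits`, so the counter the hooks struct exposes stays at zero and a test cannot confirm that the driver was dispatched to rather than the built-in fallback. Add `mbedtls_test_driver_key_agreement_hooks.hits++;` as the first statement of the function, before the forced_status check, so every call is counted whichever path it takes. The forced_output path copies the hook's bytes without consulting `alg` or `attributes`, which is fine for a test hook but worth a comment saying so.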
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 5bfdfb39ea..63d9b2916f 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -548,7 +548,7 @@ psa_status_t psa_verify_hash_builtin( psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ); -/** Perform a key agreement and return the raw shared secret, using +/** Perform a key agreement and return the raw shared secret, using built-in raw key agreement functions. * * \note The signature of this function is that of a PSA driver 
@@ -556,24 +556,24 @@ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, * entry point as defined in the PSA driver interface specification for * transparent drivers. * - * \param[in] attributes The attributes of the key to use for - * the operation. - * \param[in] key_buffer The buffer containing the private key - * context. - * \param[in] key_buffer_size Size of the \p key_buffer buffer in - * bytes. - * \param[in] alg A key agreement algorithm that is - * compatible with the type of the key. - * \param[in] peer_key The buffer containing the key context - * of the peer's public key. - * \param[in] peer_key_length Size of the \p peer_key buffer in - * bytes. - * \param[out] shared_secret The buffer to which the shared secret - * is to be written. - * \param[in] shared_secret_size Size of the \p shared_secret buffer in - * bytes. - * \param[out] shared_secret_length On success, the number of bytes that - * make up the returned shared secret. + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] key_buffer The buffer containing the private key + * context. + * \param[in] key_buffer_size Size of the \p key_buffer buffer in + * bytes. + * \param[in] alg A key agreement algorithm that is + * compatible with the type of the key. + * \param[in] peer_key The buffer containing the key context + * of the peer's public key. + * \param[in] peer_key_length Size of the \p peer_key buffer in + * bytes. + * \param[out] shared_secret The buffer to which the shared secret + * is to be written. + * \param[in] shared_secret_size Size of the \p shared_secret buffer in + * bytes. + * \param[out] shared_secret_length On success, the number of bytes that make + * up the returned shared secret. * \retval #PSA_SUCCESS * Success. Shared secret successfully calculated. * \retval #PSA_ERROR_INVALID_HANDLE 
@@ -594,7 +594,7 @@ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, * \retval #PSA_ERROR_STORAGE_FAILURE * \retval #PSA_ERROR_BAD_STATE */ -psa_status_t psa_key_agreement_raw_builtin( +psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, @@ -604,5 +604,5 @@ psa_status_t psa_key_agreement_raw_builtin( uint8_t *shared_secret, size_t shared_secret_size, size_t *shared_secret_length ); - + #endif /* PSA_CRYPTO_CORE_H */ diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 734b6b6861..bef5197016 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -2501,7 +2501,7 @@ psa_status_t psa_driver_wrapper_key_agreement( shared_secret_size, shared_secret_length ); return( status ); - + default: (void) attributes; (void) key_buffer; @@ -2512,7 +2512,7 @@ psa_status_t psa_driver_wrapper_key_agreement( (void) shared_secret_size; (void) shared_secret_length; return( PSA_ERROR_NOT_SUPPORTED ); - + } } diff --git a/tests/include/test/drivers/key_agreement.h b/tests/include/test/drivers/key_agreement.h index 57de81ab1f..b04bc59856 100644 --- a/tests/include/test/drivers/key_agreement.h +++ b/tests/include/test/drivers/key_agreement.h @@ -68,4 +68,4 @@ psa_status_t mbedtls_test_opaque_key_agreement( size_t *shared_secret_length ); #endif /*PSA_CRYPTO_DRIVER_TEST */ -#endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_AGREEMENT_H */ \ No newline at end of file +#endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_AGREEMENT_H */ diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c index 40681c315b..884899ff2e 100644 --- a/tests/src/drivers/test_driver_key_agreement.c +++ b/tests/src/drivers/test_driver_key_agreement.c 
@@ -58,7 +58,7 @@ psa_status_t mbedtls_test_transparent_key_agreement( return( PSA_SUCCESS ); } - return( psa_key_agreement_raw_builtin( + return( psa_key_agreement_raw_builtin( attributes, key_buffer, key_buffer_size, @@ -70,4 +70,4 @@ psa_status_t mbedtls_test_transparent_key_agreement( shared_secret_length ) ); } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ \ No newline at end of file +#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ From cfb441d5eefc0d06f893109a81b0de2a63c88a9b Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Mon, 17 Oct 2022 13:53:35 +0100 Subject: [PATCH 037/413] Fix spacing and formatting Signed-off-by: Aditya Deshpande --- library/psa_crypto_driver_wrappers.h | 6 ++---- tests/include/test/drivers/key_agreement.h | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 017a4b6c88..a19d7ecaef 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -360,8 +360,7 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt( /* * Raw Key Agreement */ - - psa_status_t psa_driver_wrapper_key_agreement( +psa_status_t psa_driver_wrapper_key_agreement( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, @@ -370,8 +369,7 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt( size_t peer_key_length, uint8_t *shared_secret, size_t shared_secret_size, - size_t *shared_secret_length - ); + size_t *shared_secret_length ); #endif /* PSA_CRYPTO_DRIVER_WRAPPERS_H */ diff --git a/tests/include/test/drivers/key_agreement.h b/tests/include/test/drivers/key_agreement.h index b04bc59856..634cbac199 100644 --- a/tests/include/test/drivers/key_agreement.h +++ b/tests/include/test/drivers/key_agreement.h 
@@ -56,16 +56,16 @@ psa_status_t mbedtls_test_transparent_key_agreement( size_t shared_secret_size, size_t *shared_secret_length ); -psa_status_t mbedtls_test_opaque_key_agreement( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *peer_key, - size_t peer_key_length, - uint8_t *shared_secret, - size_t shared_secret_size, - size_t *shared_secret_length ); +// psa_status_t mbedtls_test_opaque_key_agreement( +// const psa_key_attributes_t *attributes, +// const uint8_t *key_buffer, +// size_t key_buffer_size, +// psa_algorithm_t alg, +// const uint8_t *peer_key, +// size_t peer_key_length, +// uint8_t *shared_secret, +// size_t shared_secret_size, +// size_t *shared_secret_length ); #endif /*PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_AGREEMENT_H */ From d976673dd60ed3a0566419196f7e47d720ecc842 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 17 Oct 2022 15:13:30 +0800 Subject: [PATCH 038/413] Add build version to the output of ssl_client2 Signed-off-by: Yanray Wang --- programs/ssl/ssl_client2.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index be474d4737..451e232643 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -25,6 +25,10 @@ #include "test/psa_crypto_helpers.h" #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_VERSION_C) +#include "mbedtls/build_info.h" +#endif /* MBEDTLS_VERSION_C */ + #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main( void ) { 
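Review bot: The opaque prototype is commented out with `//` rather than removed, leaving dead code in a header whose other comments use `/* */`. If `mbedtls_test_opaque_key_agreement` has no implementation yet, delete the declaration (history keeps it) or wrap it in `#if 0` with a one-line reason; commented-out code drifts out of sync with the transparent signature above it.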
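Review bot: The `#if defined(MBEDTLS_VERSION_C)` guard can only be evaluated if the build configuration has already been included, so the `#include "mbedtls/build_info.h"` it wraps is redundant; PATCH 040 later in this series removes it again, so it would be cleaner not to add it here. main() starts after this hunk; the usage of the new option is in the later hunks of this file.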
@@ -360,6 +364,14 @@ int main( void ) #define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_VERSION_C) +#define USAGE_BUILD_VERSION \ + " build_version=%%d default: none (disabled)\n" \ + " option: 1 (print the build version only a stop)\n" +#else +#define USAGE_BUILD_VERSION "" +#endif /* MBEDTLS_VERSION_C */ + /* USAGE is arbitrarily split to stay under the portable string literal * length limit: 4095 bytes in C99. */ #define USAGE1 \ @@ -375,6 +387,7 @@ int main( void ) " application data message is sent followed by\n" \ " a second non-empty message before attempting\n" \ " to read a response from the server\n" \ + USAGE_BUILD_VERSION \ " debug_level=%%d default: 0 (disabled)\n" \ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ @@ -984,6 +997,18 @@ int main( int argc, char *argv[] ) if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } +#if defined(MBEDTLS_VERSION_C) + else if( strcmp( p, "build_version" ) == 0 ) + { + if( strcmp( q, "1" ) == 0 ) + { + mbedtls_printf( "build version: %s (build %u)\n", + MBEDTLS_VERSION_STRING, + MBEDTLS_VERSION_NUMBER ); + goto exit; + } + } +#endif /* MBEDTLS_VERSION_C */ else if( strcmp( p, "context_crt_cb" ) == 0 ) { opt.context_crt_cb = atoi( q ); @@ -2454,6 +2479,11 @@ int main( int argc, char *argv[] ) } } +#if defined(MBEDTLS_VERSION_C) + mbedtls_printf( "build version: %s (build %u)\n", + MBEDTLS_VERSION_STRING, MBEDTLS_VERSION_NUMBER ); +#endif /* MBEDTLS_VERSION_C */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) /* * 5. Verify the server certificate From ff4181e2460f6370d46caf16e2d1b3ecd729153a Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 18 Oct 2022 18:16:08 +0800 Subject: [PATCH 039/413] Fix build error in cmake while printing digital build version Signed-off-by: Yanray Wang --- programs/ssl/ssl_client2.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
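Review bot: In the `@@ -984,6 +997,18 @@` hunk, `build_version=` with any value other than `1` is silently accepted and ignored, whereas the neighbouring `debug_level` option jumps to `usage` on a bad value; add `else goto usage;` after the inner `if( strcmp( q, "1" ) == 0 ) { ... }` block. The same pattern is re-introduced for `ssl_client2.c` in PATCH 052 and copied into `ssl_server2.c` in PATCH 053. Two smaller points in the same hunks: `MBEDTLS_VERSION_NUMBER` is an `int` constant but is printed with `%u` (the following patch's subject suggests this already broke a warnings-as-errors build), and the usage text in the `@@ -360` hunk reads `only a stop` where `only and stop` is meant. All of these hunks sit inside `main()`, whose body extends beyond them.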
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 451e232643..59a96d2126 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -27,6 +27,7 @@ #if defined(MBEDTLS_VERSION_C) #include "mbedtls/build_info.h" +#include "mbedtls/version.h" #endif /* MBEDTLS_VERSION_C */ #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) @@ -1004,7 +1005,7 @@ int main( int argc, char *argv[] ) { mbedtls_printf( "build version: %s (build %u)\n", MBEDTLS_VERSION_STRING, - MBEDTLS_VERSION_NUMBER ); + mbedtls_version_get_number() ); goto exit; } } @@ -2481,7 +2482,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_VERSION_C) mbedtls_printf( "build version: %s (build %u)\n", - MBEDTLS_VERSION_STRING, MBEDTLS_VERSION_NUMBER ); + MBEDTLS_VERSION_STRING, mbedtls_version_get_number() ); #endif /* MBEDTLS_VERSION_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) From 076b2d062f4e33776be5d05795386c341d71c4e1 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 21 Oct 2022 11:09:45 +0800 Subject: [PATCH 040/413] Improve the method of printing string build version Following changes are introduced with this commit: - Call mbedtls_version_get_string before printing string build version instead of printing macro directly - Output build version in the beginning of ssl_client2 program Signed-off-by: Yanray Wang --- programs/ssl/ssl_client2.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 59a96d2126..ae4bb57021 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -26,7 +26,6 @@ #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_VERSION_C) -#include "mbedtls/build_info.h" #include "mbedtls/version.h" #endif /* MBEDTLS_VERSION_C */ 
@@ -1003,9 +1002,11 @@ int main( int argc, char *argv[] ) { if( strcmp( q, "1" ) == 0 ) { + char version_str[10]; + memset( version_str, 0, 10 ); + mbedtls_version_get_string( version_str ); mbedtls_printf( "build version: %s (build %u)\n", - MBEDTLS_VERSION_STRING, - mbedtls_version_get_number() ); + version_str, mbedtls_version_get_number() ); goto exit; } } @@ -1722,6 +1723,14 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_ALPN */ +#if defined(MBEDTLS_VERSION_C) + char version_str[10]; + memset( version_str, 0, 10 ); + mbedtls_version_get_string( version_str ); + mbedtls_printf( "build version: %s (build %u)\n", + version_str, mbedtls_version_get_number() ); +#endif /* MBEDTLS_VERSION_C */ + /* * 0. Initialize the RNG and the session data */ @@ -2480,11 +2489,6 @@ int main( int argc, char *argv[] ) } } -#if defined(MBEDTLS_VERSION_C) - mbedtls_printf( "build version: %s (build %u)\n", - MBEDTLS_VERSION_STRING, mbedtls_version_get_number() ); -#endif /* MBEDTLS_VERSION_C */ - #if defined(MBEDTLS_X509_CRT_PARSE_C) /* * 5. Verify the server certificate From 01df9ddda758536f9020eb7c4dfaba9600e7b22b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 20 Oct 2022 14:21:21 +0200 Subject: [PATCH 041/413] Add test component: component_test_psa_crypto_config_reference_hash_use_psa Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 61d675f4fc..140166b8fe 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
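Review bot: The `@@ -1722,6 +1723,14 @@` hunk declares `char version_str[10];` in the middle of `main()` after executable statements, a mixed declaration that trips `-Wdeclaration-after-statement` wherever that warning is enabled, and it duplicates the same three lines already added in the option-parsing hunk of this commit. Move the declaration to the top of `main()` (or into a small static helper that prints the version) and size the clear with `memset( version_str, 0, sizeof( version_str ) );` instead of repeating the literal `10`; if `mbedtls_version_get_string()` already NUL-terminates its output, the `memset` can go entirely — worth confirming against `version.h`. Both hunks are inside `main()`, which starts and ends outside them.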
@@ -2110,6 +2110,34 @@ component_test_psa_crypto_config_accel_hash_use_psa () { fi } +component_test_psa_crypto_config_reference_hash_use_psa() { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" + # start with full + scripts/config.py full + # use PSA config and disable driver-less algs as in the component + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + # disable options as in the component + # (no need to disable whole modules, we'll just skip their test suite) + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" + make test + + # hidden option: when running outcome-analysis.sh, we can skip this + if [ "${SKIP_SSL_OPT_COMPAT_SH-unset}" = "unset" ]; then + msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" + tests/ssl-opt.sh + + msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" + tests/compat.sh + else + echo "skip ssl-opt.sh and compat.sh" + fi +} + component_test_psa_crypto_config_accel_cipher () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher" From 4e95590ae79ba9c026eec992f3e307f4cf16f8a4 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Fri, 21 Oct 2022 13:42:08 +0200 Subject: [PATCH 042/413] analyze_outcomes.py: Add test coverage regresion analyze for driver only builds Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 77 ++++++++++++++++++++++++++++--- 1 file changed, 71 insertions(+), 6 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index d06a0596f3..f5d2ac1313 100755 --- a/tests/scripts/analyze_outcomes.py 
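Review bot: `component_test_psa_crypto_config_reference_hash_use_psa` issues `msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"` twice with identical text, the first before anything has been built, and there is no explicit `make` before `make test`, so the build happens implicitly and is logged as part of a test step (PATCH 045 later adds the `make`). Change the first banner to `msg "build: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"` and place `make` between the `scripts/config.py` calls and the second `msg`. The `SKIP_SSL_OPT_COMPAT_SH` switch is described only as a `hidden option` inline; if it stays, it should be named where the script documents its other environment variables (PATCH 048 removes it instead).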
+++ b/tests/scripts/analyze_outcomes.py @@ -60,6 +60,41 @@ def analyze_coverage(results, outcomes): # fixed this branch to have full coverage of test cases. results.warning('Test case not executed: {}', key) +def analyze_driver_vs_reference(outcomes, components, ignored_tests): + """Check that all tests executed in the reference component are also + executed in the corresponding driver component. + Skip test suits provided in ignored_tests list. + """ + driver_component = components[0] + reference_component = components[1] + available = check_test_cases.collect_available_test_cases() + result = True + + for key in available: + # Skip ignored test suites + test_suit = key.split(';')[0] # retrieve test suit name + test_suit = test_suit.split('.')[0] # retrieve main part of test suit name + if(test_suit in ignored_tests): + continue + # Continue if test was not executed by any component + hits = outcomes[key].hits() if key in outcomes else 0 + if(hits == 0): + continue + # Search for tests that run in reference component and not in driver component + driver_test_passed = False + reference_test_passed = False + for entry in outcomes[key].successes: + if(driver_component in entry): + driver_test_passed = True + if(reference_component in entry): + reference_test_passed = True + #if(driver_test_passed == True and reference_test_passed == False): + # print('{}: driver: passed; reference: skipped'.format(key)) + if(driver_test_passed == False and reference_test_passed == True): + print('{}: driver: skipped/failed; reference: passed'.format(key)) + result = False + return result + def analyze_outcomes(outcomes): """Run all analyses on the given outcome collection.""" results = Results() 
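Review bot: `driver_component in entry` and `reference_component in entry` are substring tests on the setup string, so a component whose name contains the configured one (`..._accel_hash` versus `..._accel_hash_use_psa`, both of which exist in all.sh) would be credited with a pass it did not produce; compare the config field of `entry` for equality instead, e.g. `entry.split(';')[-1] == driver_component` if the setup format is `platform;config` as `read_outcome_file` appears to build it. The closing test `if(driver_test_passed == False and reference_test_passed == True):` reads better as `if not driver_test_passed and reference_test_passed:`, and the commented-out `#if(...)`/`# print(...)` pair should be removed rather than shipped. `test_suit` in the comments and local names is a typo for `test_suite`.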
@@ -87,20 +122,50 @@ by a semicolon. outcomes[key].failures.append(setup) return outcomes -def analyze_outcome_file(outcome_file): - """Analyze the given outcome file.""" +def do_analyze_coverage(outcome_file): + """Perform coverage analyze.""" outcomes = read_outcome_file(outcome_file) - return analyze_outcomes(outcomes) + results = analyze_outcomes(outcomes) + return (True if results.error_count == 0 else False) + +def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests): + """Perform driver vs reference analyze.""" + # We need exactly 2 components to analyze (first driver and second reference) + if(len(components) != 2 or "accel" not in components[0] or "reference" not in components[1]): + print('Error: Wrong component list. Exactly 2 components are required (driver,reference). ') + return False + outcomes = read_outcome_file(outcome_file) + return analyze_driver_vs_reference(outcomes, components, ignored_tests) def main(): try: parser = argparse.ArgumentParser(description=__doc__) - parser.add_argument('outcomes', metavar='OUTCOMES.CSV', + parser.add_argument('--outcomes', metavar='OUTCOMES.CSV', help='Outcome file to analyze') + parser.add_argument('--task', + help='Analyze to be done: analyze_coverage or analyze_driver_vs_reference') + parser.add_argument('--components', + help='List of test components to compare. Must be exactly 2 in valid order: driver,reference. ' + 'Apply only for analyze_driver_vs_reference task.') + parser.add_argument('--ignore', + help='List of test suits to ignore. 
Apply only for analyze_driver_vs_reference task.') options = parser.parse_args() - results = analyze_outcome_file(options.outcomes) - if results.error_count > 0: + + result = False + + if(options.task == 'analyze_coverage'): + result = do_analyze_coverage(options.outcomes) + elif(options.task == 'analyze_driver_vs_reference'): + components_list = options.components.split(',') + ignored_tests_list = options.ignore.split(',') + ignored_tests_list = ['test_suite_' + x for x in ignored_tests_list] + result = do_analyze_driver_vs_reference(options.outcomes, components_list, ignored_tests_list) + else: + print('Error: Unknown task: {}'.format(options.task)) + + if(result == False): sys.exit(1) + print("SUCCESS :-)") except Exception: # pylint: disable=broad-except # Print the backtrace and exit explicitly with our chosen status. traceback.print_exc() From 58bbc23ca30794e109609948f4f64051615e9c39 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 24 Oct 2022 08:10:10 +0200 Subject: [PATCH 043/413] Use coverage analyze as default task Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index f5d2ac1313..1100086c1b 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -140,9 +140,9 @@ def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests): def main(): try: parser = argparse.ArgumentParser(description=__doc__) - parser.add_argument('--outcomes', metavar='OUTCOMES.CSV', + parser.add_argument('outcomes', metavar='OUTCOMES.CSV', help='Outcome file to analyze') - parser.add_argument('--task', + parser.add_argument('--task', default='analyze_coverage', help='Analyze to be done: analyze_coverage or analyze_driver_vs_reference') parser.add_argument('--components', help='List of test components to compare. Must be exactly 2 in valid order: driver,reference. ' 
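Review bot: `options.components.split(',')` and `options.ignore.split(',')` run without checking that `--components` and `--ignore` were supplied; argparse leaves both as `None`, so `--task analyze_driver_vs_reference` without them raises `AttributeError`, which the broad `except Exception` turns into a traceback instead of the intended `Error: Wrong component list` message. Guard before splitting, e.g. `if options.components is None or options.ignore is None: print('Error: --components and --ignore are required for analyze_driver_vs_reference'); result = False` (PATCH 046 later replaces both options with a task table). Turning the positional `outcomes` into an optional `--outcomes` also lets the script run with `None` as the file name; PATCH 043 reverts that. The docstrings `Perform coverage analyze` / `Perform driver vs reference analyze` want the noun `analysis`.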
From c86dedfdc183eb0a7681887416085be182e08101 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 24 Oct 2022 09:16:04 +0200 Subject: [PATCH 044/413] Fix code style Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 32 +++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 1100086c1b..3e95997305 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -74,23 +74,23 @@ def analyze_driver_vs_reference(outcomes, components, ignored_tests): # Skip ignored test suites test_suit = key.split(';')[0] # retrieve test suit name test_suit = test_suit.split('.')[0] # retrieve main part of test suit name - if(test_suit in ignored_tests): + if test_suit in ignored_tests: continue # Continue if test was not executed by any component hits = outcomes[key].hits() if key in outcomes else 0 - if(hits == 0): + if hits == 0: continue # Search for tests that run in reference component and not in driver component driver_test_passed = False reference_test_passed = False for entry in outcomes[key].successes: - if(driver_component in entry): + if driver_component in entry: driver_test_passed = True - if(reference_component in entry): + if reference_component in entry: reference_test_passed = True - #if(driver_test_passed == True and reference_test_passed == False): + #if(driver_test_passed is True and reference_test_passed is False): # print('{}: driver: passed; reference: skipped'.format(key)) - if(driver_test_passed == False and reference_test_passed == True): + if(driver_test_passed is False and reference_test_passed is True): print('{}: driver: skipped/failed; reference: passed'.format(key)) result = False return result 
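Review bot: `if(driver_test_passed is False and reference_test_passed is True):` still keeps the redundant parentheses and compares booleans by identity; the idiomatic form is `if not driver_test_passed and reference_test_passed:`. The same applies to `if result is False:` in this commit's `main()` hunk two lines further down, which should be `if not result:`. The commented-out `#if(...)`/`# print(...)` pair is edited rather than deleted; dead code should go, since git history preserves it.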
@@ -126,7 +126,7 @@ def do_analyze_coverage(outcome_file):
 """Perform coverage analyze."""
 outcomes = read_outcome_file(outcome_file)
 results = analyze_outcomes(outcomes)
- return (True if results.error_count == 0 else False)
+ return results.error_count == 0
 
 def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests):
 """Perform driver vs reference analyze."""
@@ -143,27 +143,31 @@ def main(): parser.add_argument('outcomes', metavar='OUTCOMES.CSV', help='Outcome file to analyze') parser.add_argument('--task', default='analyze_coverage', - help='Analyze to be done: analyze_coverage or analyze_driver_vs_reference') + help='Analyze to be done: analyze_coverage or ' + 'analyze_driver_vs_reference') parser.add_argument('--components', - help='List of test components to compare. Must be exactly 2 in valid order: driver,reference. ' + help='List of test components to compare. ' + 'Must be exactly 2 in valid order: driver,reference. ' 'Apply only for analyze_driver_vs_reference task.') parser.add_argument('--ignore', - help='List of test suits to ignore. Apply only for analyze_driver_vs_reference task.') + help='List of test suits to ignore. ' + 'Apply only for analyze_driver_vs_reference task.') options = parser.parse_args() result = False - if(options.task == 'analyze_coverage'): + if options.task == 'analyze_coverage': result = do_analyze_coverage(options.outcomes) - elif(options.task == 'analyze_driver_vs_reference'): + elif options.task == 'analyze_driver_vs_reference': components_list = options.components.split(',') ignored_tests_list = options.ignore.split(',') ignored_tests_list = ['test_suite_' + x for x in ignored_tests_list] - result = do_analyze_driver_vs_reference(options.outcomes, components_list, ignored_tests_list) + result = do_analyze_driver_vs_reference(options.outcomes, + components_list, ignored_tests_list) else: print('Error: Unknown task: {}'.format(options.task)) - if(result == False): + if result is False: sys.exit(1) print("SUCCESS :-)") except Exception: # pylint: disable=broad-except From ab0451bc2c28185608243273327d10aa92c34e90 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 24 Oct 2022 11:29:35 +0200 Subject: [PATCH 045/413] Fix build command in test_psa_crypto_config_reference_hash_use_psa Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 140166b8fe..d84ad85314 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2123,6 +2123,8 @@ component_test_psa_crypto_config_reference_hash_use_psa() { scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + make + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" make test From 4d13c833dad616601b5b1c8d78ee470fc6b28224 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 26 Oct 2022 16:11:26 +0200 Subject: [PATCH 046/413] analyze_outcomes.py: remove components and ignore parameters Use a dictionary to specify optional parameters for each task. If the task is not specified then all tasks are executed. Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 54 +++++++++++++++++++------------ 1 file changed, 33 insertions(+), 21 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 3e95997305..de52d776b4 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py 
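Review bot: The added `make` runs under the `msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"` banner issued at the top of the function (outside this hunk), so build output and any build failure are logged as part of a test step. Precede it with `msg "build: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"` so the log separates build from test. The function `component_test_psa_crypto_config_reference_hash_use_psa` begins before this hunk.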
@@ -122,14 +122,18 @@ by a semicolon. outcomes[key].failures.append(setup) return outcomes -def do_analyze_coverage(outcome_file): +def do_analyze_coverage(outcome_file, args): """Perform coverage analyze.""" + del args # unused outcomes = read_outcome_file(outcome_file) results = analyze_outcomes(outcomes) return results.error_count == 0 -def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests): +def do_analyze_driver_vs_reference(outcome_file, args): """Perform driver vs reference analyze.""" + components = args['components'].split(',') + ignored_tests = args['ignored'].split(',') + ignored_tests = ['test_suite_' + x for x in ignored_tests] # We need exactly 2 components to analyze (first driver and second reference) if(len(components) != 2 or "accel" not in components[0] or "reference" not in components[1]): print('Error: Wrong component list. Exactly 2 components are required (driver,reference). ') 
@@ -137,35 +141,43 @@ def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests): outcomes = read_outcome_file(outcome_file) return analyze_driver_vs_reference(outcomes, components, ignored_tests) +# List of tasks with function that can handle this task and additional arguments if required +# pylint: disable=line-too-long +TASKS = { + 'analyze_coverage': { + 'test_function': do_analyze_coverage, + 'args': {}}, + 'analyze_driver_vs_reference_hash': { + 'test_function': do_analyze_driver_vs_reference, + 'args': { + 'components': 'test_psa_crypto_config_accel_hash_use_psa,test_psa_crypto_config_reference_hash_use_psa', + 'ignored': 'md,mdx,shax,entropy,hmac_drbg,random,psa_crypto_init,hkdf'}} +} +# pylint: enable=line-too-long + def main(): try: parser = argparse.ArgumentParser(description=__doc__) parser.add_argument('outcomes', metavar='OUTCOMES.CSV', help='Outcome file to analyze') - parser.add_argument('--task', default='analyze_coverage', - help='Analyze to be done: analyze_coverage or ' - 'analyze_driver_vs_reference') - parser.add_argument('--components', - help='List of test components to compare. ' - 'Must be exactly 2 in valid order: driver,reference. ' - 'Apply only for analyze_driver_vs_reference task.') - parser.add_argument('--ignore', - help='List of test suits to ignore. 
' - 'Apply only for analyze_driver_vs_reference task.') + parser.add_argument('--task', default='all', + help='Analyze to be done: all or analyze_coverage or ' + 'analyze_driver_vs_reference_hash') options = parser.parse_args() - result = False + result = True - if options.task == 'analyze_coverage': - result = do_analyze_coverage(options.outcomes) - elif options.task == 'analyze_driver_vs_reference': - components_list = options.components.split(',') - ignored_tests_list = options.ignore.split(',') - ignored_tests_list = ['test_suite_' + x for x in ignored_tests_list] - result = do_analyze_driver_vs_reference(options.outcomes, - components_list, ignored_tests_list) + if options.task == 'all': + for task in TASKS: + if not TASKS[task]['test_function'](options.outcomes, TASKS[task]['args']): + result = False + elif options.task in TASKS: + if not TASKS[options.task]['test_function'](options.outcomes, + TASKS[options.task]['args']): + result = False else: print('Error: Unknown task: {}'.format(options.task)) + result = False if result is False: sys.exit(1) From 1df7070acc530560351a6fe6fdc7b9bef240fb9a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 26 Oct 2022 17:08:54 +0100 Subject: [PATCH 047/413] Fix all.sh dependency on DTLS connection ID Ensure MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is unset where MBEDTLS_SSL_DTLS_CONNECTION_ID is unset. Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index e89108eb9f..55bdc14aa0 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
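Review bot: `TASKS` stores `components` and `ignored` as comma-joined strings that `do_analyze_driver_vs_reference` (the preceding hunk of this commit) has to split again, and the long literals force the `# pylint: disable=line-too-long` / `enable` wrapper; storing them as lists removes both the re-parsing and the lint suppression. With lists, the preceding hunk's `components = args['components'].split(',')` becomes `components = args['components']` and `ignored_tests = args['ignored'].split(',')` becomes `ignored_tests = args['ignored']`. The key name `test_function` is also misleading for an analysis routine; `function` or `run` would read more naturally. `main()` continues beyond this hunk.
```python
# … unchanged: do_analyze_driver_vs_reference (now reads args['components'] and args['ignored'] as lists) …

# List of tasks with function that can handle this task and additional arguments if required
TASKS = {
    'analyze_coverage': {
        'test_function': do_analyze_coverage,
        'args': {}},
    'analyze_driver_vs_reference_hash': {
        'test_function': do_analyze_driver_vs_reference,
        'args': {
            'components': [
                'test_psa_crypto_config_accel_hash_use_psa',
                'test_psa_crypto_config_reference_hash_use_psa',
            ],
            'ignored': [
                'md', 'mdx', 'shax', 'entropy', 'hmac_drbg', 'random',
                'psa_crypto_init', 'hkdf',
            ]}},
}

# … unchanged: main() …
```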
@@ -1238,6 +1238,7 @@ component_test_full_no_cipher () { scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID + scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py unset MBEDTLS_SSL_SRV_C scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO From 5f6f32a0addcfb3b70197f216a745da58d2cd92e Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 27 Oct 2022 08:24:43 +0200 Subject: [PATCH 048/413] Remove hidden option to skip ssl-opt and compat tests Also remove compat tests from reference component as results from this run are not included in outcome file. Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d84ad85314..cecfb5d61e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2098,16 +2098,11 @@ component_test_psa_crypto_config_accel_hash_use_psa () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA" make test - # hidden option: when running outcome-analysis.sh, we can skip this - if [ "${SKIP_SSL_OPT_COMPAT_SH-unset}" = "unset" ]; then - msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA" - tests/ssl-opt.sh + msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA" + tests/ssl-opt.sh - msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA" - tests/compat.sh - else - echo "skip ssl-opt.sh and compat.sh" - fi + msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" + tests/compat.sh } component_test_psa_crypto_config_reference_hash_use_psa() { 
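Review bot: The compat.sh banner in `component_test_psa_crypto_config_accel_hash_use_psa` now reads `without accelerated hash and USE_PSA`, but this component builds with accelerated hash and the removed line correctly said `with`; restore `msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"`. Because the analysis script appears to match outcomes by component name rather than by these messages, the effect is a misleading log line rather than a wrong verdict, but the two components are meant to be kept in sync and this message diverges from its sibling.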
@@ -2128,16 +2123,8 @@ component_test_psa_crypto_config_reference_hash_use_psa() { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" make test - # hidden option: when running outcome-analysis.sh, we can skip this - if [ "${SKIP_SSL_OPT_COMPAT_SH-unset}" = "unset" ]; then - msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" - tests/ssl-opt.sh - - msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" - tests/compat.sh - else - echo "skip ssl-opt.sh and compat.sh" - fi + msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" + tests/ssl-opt.sh } component_test_psa_crypto_config_accel_cipher () { From 120ed8f8faf0128a9632917710059d27816001ec Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 27 Oct 2022 10:29:15 +0200 Subject: [PATCH 049/413] Add comments to explan the purpose of the reference component Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index cecfb5d61e..6a7501a978 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2041,6 +2041,9 @@ component_test_psa_crypto_config_accel_hash () { make test } +# Note that component_test_psa_crypto_config_reference_hash_use_psa +# is related to this component and both components need to be kept in sync. +# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. component_test_psa_crypto_config_accel_hash_use_psa () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA" 
@@ -2105,6 +2108,10 @@ component_test_psa_crypto_config_accel_hash_use_psa () { tests/compat.sh } +# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa +# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py +# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt). +# Both components need to be kept in sync. component_test_psa_crypto_config_reference_hash_use_psa() { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" # start with full From 4e0fca3737161e32ceefbb0204c677d914cefeee Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Oct 2022 09:47:21 +0100 Subject: [PATCH 050/413] Fix test dependency on DTLS connection ID Ensure MBEDTLS_SSL_DTLS_CONNECTION_ID and MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT are unset when MBEDTLS_SSL_PROTO_DTLS is not set in tls13-only tests. Signed-off-by: Dave Rodgman --- tests/configs/tls13-only.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h index 0a22c544b7..751cdf8623 100644 --- a/tests/configs/tls13-only.h +++ b/tests/configs/tls13-only.h @@ -32,3 +32,5 @@ #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +#undef MBEDTLS_SSL_DTLS_CONNECTION_ID +#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT From a380b06c26086e695345a04163c1d174c3eb7d20 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 27 Oct 2022 14:15:26 +0200 Subject: [PATCH 051/413] Add fake dependency to test CI Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_error.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_error.data b/tests/suites/test_suite_error.data index dec5639ee0..65f0daa847 100644 --- a/tests/suites/test_suite_error.data +++ b/tests/suites/test_suite_error.data 
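Review bot: The new comment above `component_test_psa_crypto_config_reference_hash_use_psa` has a grammatical slip, `The outcome from both components are used`; write `The outcomes from both components are used by the analyze_outcomes.py script to find regressions in test coverage when accelerated hash is used (tests and ssl-opt)`. It also names the sibling as `test_psa_crypto_config_accel_hash_use_psa` while the companion comment added in the previous hunk uses the full `component_test_...` form; using one spelling keeps both comments greppable.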
@@ -3,7 +3,7 @@ depends_on:MBEDTLS_AES_C error_strerror:-0x0020:"AES - Invalid key length" Single high error -depends_on:MBEDTLS_RSA_C +depends_on:MBEDTLS_RSA_C:MBEDTLS_ENTROPY_C error_strerror:-0x4080:"RSA - Bad input parameters to function" Low and high error From 84645e92c61d91e2ee8b40053cb83336a77e33a9 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 27 Oct 2022 10:17:09 +0800 Subject: [PATCH 052/413] Simplify code of adding output in ssl_client2 - print build version macro defined in build_info.h directly - Remove all the MBEDTLS_VERSION_C guards as build version information is always available in build_info.h Signed-off-by: Yanray Wang --- programs/ssl/ssl_client2.c | 34 +++++++--------------------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index e74656ee78..e3fdb1f7c5 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -25,10 +25,6 @@ #include "test/psa_crypto_helpers.h" #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_VERSION_C) -#include "mbedtls/version.h" -#endif /* MBEDTLS_VERSION_C */ - #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main( void ) { @@ -364,14 +360,6 @@ int main( void ) #define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_VERSION_C) -#define USAGE_BUILD_VERSION \ - " build_version=%%d default: none (disabled)\n" \ - " option: 1 (print the build version only a stop)\n" -#else -#define USAGE_BUILD_VERSION "" -#endif /* MBEDTLS_VERSION_C */ - /* USAGE is arbitrarily split to stay under the portable string literal * length limit: 4095 bytes in C99. */ #define USAGE1 \ 
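Review bot: `MBEDTLS_ENTROPY_C` has no relation to `error_strerror:-0x4080:"RSA - Bad input parameters to function"`, and the commit message itself calls the dependency fake, added only to exercise CI. If it is not reverted before merge, every configuration without the entropy module silently skips this RSA error-string case; drop the `:MBEDTLS_ENTROPY_C` suffix once the CI check has served its purpose.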
@@ -387,8 +375,9 @@ int main( void ) " application data message is sent followed by\n" \ " a second non-empty message before attempting\n" \ " to read a response from the server\n" \ - USAGE_BUILD_VERSION \ " debug_level=%%d default: 0 (disabled)\n" \ + " build_version=%%d default: none (disabled)\n" \ + " option: 1 (print build version only and stop)\n" \ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ " event=%%d default: 0 (loop)\n" \ @@ -995,20 +984,16 @@ int main( int argc, char *argv[] ) if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } -#if defined(MBEDTLS_VERSION_C) else if( strcmp( p, "build_version" ) == 0 ) { if( strcmp( q, "1" ) == 0 ) { - char version_str[10]; - memset( version_str, 0, 10 ); - mbedtls_version_get_string( version_str ); - mbedtls_printf( "build version: %s (build %u)\n", - version_str, mbedtls_version_get_number() ); + mbedtls_printf( "build version: %s (build %d)\n", + MBEDTLS_VERSION_STRING_FULL, + MBEDTLS_VERSION_NUMBER ); goto exit; } } -#endif /* MBEDTLS_VERSION_C */ else if( strcmp( p, "context_crt_cb" ) == 0 ) { opt.context_crt_cb = atoi( q ); @@ -1721,13 +1706,8 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_VERSION_C) - char version_str[10]; - memset( version_str, 0, 10 ); - mbedtls_version_get_string( version_str ); - mbedtls_printf( "build version: %s (build %u)\n", - version_str, mbedtls_version_get_number() ); -#endif /* MBEDTLS_VERSION_C */ + mbedtls_printf( "build version: %s (build %d)\n", + MBEDTLS_VERSION_STRING_FULL, MBEDTLS_VERSION_NUMBER ); /* * 0. Initialize the RNG and the session data From eaf46d1291d57ed36d31cf14ca61edf5505b9972 Mon Sep 17 00:00:00 2001 
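Review bot: The new `build_version` branch silently accepts any value other than `1`: `build_version=0` or `build_version=2` is consumed without printing anything and without the `goto usage;` that the neighbouring `debug_level` handler uses for bad input, even though the usage text advertises `option: 1` only. Adding `else goto usage;` after the inner `if( strcmp( q, "1" ) == 0 )` block keeps it consistent with the other options; the same pattern is in the ssl_server2.c hunk of the next commit (`@@ -1745,6 +1747,16 @@`). Minor: `MBEDTLS_VERSION_NUMBER` packs the version as hex (major/minor/patch bytes), so `%d` prints an opaque decimal; `0x%08x` would be more readable, although the decimal form matches the output the removed `mbedtls_version_get_number()` call produced. `main` starts and ends outside the hunk.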
From: Yanray Wang Date: Fri, 28 Oct 2022 10:38:37 +0800 Subject: [PATCH 053/413] Add output of build version in ssl_server2 Usage: - By default, build version is printed out in the beginning of ssl_server2 application. - ./ssl_server2 build_version=1 only prints build verison and stop Signed-off-by: Yanray Wang --- programs/ssl/ssl_server2.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1fd63d2d0d..7aead3ade0 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -489,6 +489,8 @@ int main( void ) " server_addr=%%s default: (all interfaces)\n" \ " server_port=%%d default: 4433\n" \ " debug_level=%%d default: 0 (disabled)\n" \ + " build_version=%%d default: none (disabled)\n" \ + " option: 1 (print build version only and stop)\n" \ " buffer_size=%%d default: 200 \n" \ " (minimum: 1)\n" \ " response_size=%%d default: about 152 (basic response)\n" \ @@ -1745,6 +1747,16 @@ int main( int argc, char *argv[] ) if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } + else if( strcmp( p, "build_version" ) == 0 ) + { + if( strcmp( q, "1" ) == 0 ) + { + mbedtls_printf( "build version: %s (build %d)\n", + MBEDTLS_VERSION_STRING_FULL, + MBEDTLS_VERSION_NUMBER ); + goto exit; + } + } else if( strcmp( p, "nbio" ) == 0 ) { opt.nbio = atoi( q ); @@ -2576,6 +2588,9 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_ALPN */ + mbedtls_printf( "build version: %s (build %d)\n", + MBEDTLS_VERSION_STRING_FULL, MBEDTLS_VERSION_NUMBER ); + /* * 0. Initialize the RNG and the session data */ From 73621ef0f08951885b321f0b9964203ae04c9fb5 Mon Sep 17 00:00:00 2001 
From: Nick Child Date: Fri, 28 Oct 2022 11:23:15 -0500 Subject: [PATCH 054/413] pkcs7: Improve verify logic and rebuild test data Various responses to feedback regarding the pkcs7_verify_signed_data/hash functions. Mainly, merge these two functions into one to reduce redundant logic [1]. As a result, an identified bug about skipping over a signer is patched [2]. Additionally, add a conditional in the verify logic that checks if the given x509 validity period is expired [3]. During testing of this conditional, it turned out that all of the testing data was expired. So, rebuild all of the pkcs7 testing data to refresh timestamps. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r999652525 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r997090215 [3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967238206 
Signed-off-by: Nick Child --- library/pkcs7.c | 87 +++++++----------- tests/data_files/pkcs7-rsa-sha256-1.crt | 32 +++---- tests/data_files/pkcs7-rsa-sha256-1.der | Bin 845 -> 845 bytes tests/data_files/pkcs7-rsa-sha256-1.key | 52 +++++------ tests/data_files/pkcs7-rsa-sha256-1.pem | 84 ++++++++--------- tests/data_files/pkcs7-rsa-sha256-2.crt | 32 +++---- tests/data_files/pkcs7-rsa-sha256-2.der | Bin 845 -> 845 bytes tests/data_files/pkcs7-rsa-sha256-2.key | 52 +++++------ tests/data_files/pkcs7-rsa-sha256-2.pem | 84 ++++++++--------- .../data_files/pkcs7_data_cert_encrypted.der | Bin 452 -> 452 bytes .../pkcs7_data_cert_signed_sha1.der | Bin 1276 -> 1276 bytes .../pkcs7_data_cert_signed_sha256.der | Bin 1284 -> 1284 bytes .../pkcs7_data_cert_signed_sha512.der | Bin 1284 -> 1284 bytes .../data_files/pkcs7_data_cert_signed_v2.der | Bin 1284 -> 1284 bytes .../pkcs7_data_cert_signeddata_sha256.der | Bin 1265 -> 1265 bytes .../pkcs7_data_multiple_certs_signed.der | Bin 2504 -> 2504 bytes .../data_files/pkcs7_data_multiple_signed.der | Bin 810 -> 810 bytes .../data_files/pkcs7_data_signed_badcert.der | Bin 1284 -> 1284 bytes .../pkcs7_data_signed_badsigner.der | Bin 1284 -> 1284 bytes .../pkcs7_data_without_cert_signed.der | Bin 435 -> 435 bytes .../pkcs7_signerInfo_issuer_invalid_size.der | Bin 1284 -> 1284 bytes .../pkcs7_signerInfo_serial_invalid_size.der | Bin 1284 -> 1284 bytes 22 files changed, 200 insertions(+), 223 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index c4d605e009..56b6bb6170 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c 
@@ -623,12 +623,12 @@ out: return( ret ); } -int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, - const mbedtls_x509_crt *cert, - const unsigned char *data, - size_t datalen ) +static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen, + const int is_data_hash ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *hash; mbedtls_pk_context pk_cxt = cert->pk; @@ -642,6 +642,14 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, goto out; } + if( mbedtls_x509_time_is_past( &cert->valid_to ) || + mbedtls_x509_time_is_future( &cert->valid_from )) + { + printf("EXPRED\n"); + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } + /* * Potential TODOs * Currently we iterate over all signers and return success if any of them @@ -676,8 +684,17 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; goto out; } - - ret = mbedtls_md( md_info, data, datalen, hash ); + if( is_data_hash ) + { + if( datalen != mbedtls_md_get_size( md_info )) + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + else + memcpy(hash, data, datalen); + } + else + { + ret = mbedtls_md( md_info, data, datalen, hash ); + } if( ret != 0 ) { ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; @@ -688,7 +705,6 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, mbedtls_md_get_size( md_info ), signer->sig.p, signer->sig.len ); - mbedtls_free( hash ); if( ret == 0 ) 
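Review bot: `printf("EXPRED\n");` inside the new validity check is leftover debug output and should be dropped: library code in mbedtls routes all printing through the `mbedtls_printf` platform abstraction, and a verification routine writing to stdout on failure is noise for every application that links the library (it also presumes `<stdio.h>` is reachable from this file). Separately, `mbedtls_x509_time_is_past` and `mbedtls_x509_time_is_future` are stubs that return 0 when `MBEDTLS_HAVE_TIME_DATE` is not enabled, so in such builds this check silently passes, and because it compares against the current clock rather than signing time, a valid signature over long-lived data will start failing once the signer certificate expires. Both points deserve a comment at the check, e.g. `/* Reject a signer certificate outside its validity period (no-op without MBEDTLS_HAVE_TIME_DATE). */`, and a matching line in the pkcs7.h documentation of the two public verify functions. The function body continues outside the hunk.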
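Review bot: In the `is_data_hash` branch the success path, `memcpy(hash, data, datalen);`, leaves `ret` untouched, so the `if( ret != 0 )` that follows only works because `ret` presumably still holds 0 from the earlier `mbedtls_oid_get_md_alg` call above the hunk. Set it explicitly, `else { memcpy( hash, data, datalen ); ret = 0; }`, so the check does not depend on statement order elsewhere in the loop. The call also lacks the spaces inside parentheses used throughout this file. The enclosing signer loop starts and ends outside the hunk.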
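Review bot: Removing `mbedtls_free( hash );` after `mbedtls_pk_verify` leaves the per-signer hash buffer unreleased: the previous hunk's `MBEDTLS_ERR_PKCS7_ALLOC_FAILED` path shows it is heap-allocated, and no hunk up to the `out:` label adds a free back, so each verified signer now leaks its buffer (unless a free sits in the three unchanged lines between this hunk and `out:`, which were not a free before either). Restore the free right after the verify call, or free on every `continue` path and at `out:`; a single free at `out:` alone would still leak when the loop moves to the next signer. The loop and the `out:` label are outside this hunk.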
@@ -698,59 +714,20 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, out: return( ret ); } +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen ) +{ + return( mbedtls_pkcs7_data_or_hash_verify( pkcs7, cert, data, datalen, 0 ) ); +} int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *hash, size_t hashlen ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const mbedtls_md_info_t *md_info; - mbedtls_md_type_t md_alg; - mbedtls_pk_context pk_cxt; - mbedtls_pkcs7_signer_info *signer; - - pk_cxt = cert->pk; - - if( pkcs7->signed_data.no_of_signers == 0 ) - { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - goto out; - } - - signer = &pkcs7->signed_data.signers; - for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next ) - { - ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); - if( ret != 0 ) - { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - continue; - } - - md_info = mbedtls_md_info_from_type( md_alg ); - if( md_info == NULL ) - { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - continue; - } - - if( hashlen != mbedtls_md_get_size( md_info ) ) - { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - signer = signer->next; - continue; - } - - ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen, - pkcs7->signed_data.signers.sig.p, - pkcs7->signed_data.signers.sig.len ); - if( ret == 0 ) - break; - } - -out: - return( ret ); + return( mbedtls_pkcs7_data_or_hash_verify( pkcs7, cert, hash, hashlen, 1 ) ); } /* diff --git a/tests/data_files/pkcs7-rsa-sha256-1.crt b/tests/data_files/pkcs7-rsa-sha256-1.crt index ebbaf7cc6e..9e461cd0c6 100644 --- a/tests/data_files/pkcs7-rsa-sha256-1.crt +++ b/tests/data_files/pkcs7-rsa-sha256-1.crt 
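Review bot: The two public wrappers that now forward to `mbedtls_pkcs7_data_or_hash_verify` are inserted without a blank line after the preceding `}`, and nothing documents the behavioural change this commit introduces: a signer certificate outside its validity period now yields `MBEDTLS_ERR_PKCS7_VERIFY_FAIL`. Add the blank line and update the `\return` documentation of `mbedtls_pkcs7_signed_data_verify` and `mbedtls_pkcs7_signed_hash_verify` in include/mbedtls/pkcs7.h to state that the certificate must be within its validity period at verification time. The `const int is_data_hash` flag on the static helper would also benefit from a one-line comment at its definition, e.g. `/* is_data_hash: non-zero when data already holds the digest of the signed content */`, since the helper's definition is outside this hunk.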
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDSTCCAjGgAwIBAgIUMBERfOWtW1Y8Y661YJt3KlBYYZ0wDQYJKoZIhvcNAQEL +MIIDSTCCAjGgAwIBAgIUe97d0kRM0c3+XEGoECyJt98ubL8wDQYJKoZIhvcNAQEL BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT -NyBDZXJ0IDEwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +NyBDZXJ0IDEwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfqRyKXRqfkj/BThWvwcKfv -qsTiZmVOE6sIusfY86qae4Yv8R8AaBgA3eYbSOat/Xyr3VFgZGtv9Hc8iDM7K1h9 -U9WBKPGN1gGw12LzAxIbf+t5qkH21YtPNkr7liwJruhTh/JLypKE/SVW1XIS47PE -Ug92emsRMKfgsReO7x/EmB/c5cnXfwnrc+DKog2eB+6eIPhq2uq0g+/bV8hkx8+D -N50Qq1OMdy0s/RXeurlYG72jhpj978eOq467vUIIxyD4ggsh9f3ZMOEGFlGjSiZL -CXTgbIbwXnndamf3iqWWN5ZiDH6NVP1UTfCvxvX4HfBE928z0OXu4k7QxNaboEEC -AwEAAaNTMFEwHQYDVR0OBBYEFF1d36HSc95cdyWYy/SRZPsmWncJMB8GA1UdIwQY -MBaAFF1d36HSc95cdyWYy/SRZPsmWncJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI -hvcNAQELBQADggEBAIqAZJRQFPL8GFpxp0ZjF4vSiKX/D0/+LJB+vei4ZGZMaqRo -afT9LBAquK1JjXYXJ9wz56ueVxggouVLb6XTrAwsHISwVxKzxkmBde2egPZ9L7tw -EJdb2YPAkdoi3fY259N6KS8S0MwMMi/YmiXpVpQiPQ5tQFdbT9oSqewi/C7TudFc -hez1M7ToYfbMaZ1yQxf5otT8wKVKhLdEb9ncE2Jku6eH+5+lcVFsliLcNo28bd0c -joRYufduegaxmFluq4YWCozgET38AFKiG9Y8fK34He/qJIwHn7nWJ3cy3j+NAh3X -gpobw4JhCNXaInaNx/BZsoedjXnkunhgRijykOU= +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMi2z2mJnNHw67TKZFwF5w4N +Lv7dzGHQicvVFaOaNXm5I0O2HsdQBg+07TeHYzJADkJfHTdsfnXClzMU7fS7MMj4 +3QO5/P+VWiRdSRN61uYAVsrBlVKoZdUhhxh8wELJxJ4+OpwXpTS0U82rwMsRO09j +9bMXS57pkCsZENEUlqJ5p0Mmrc/uEL/Z5+uvuzd76bY5WRZdE91XURccra08HTra +xovIAR1htUz2AXi+NoOaiayRq0GePKN9a6iB0lUYxNtovKb3yDYC9pmoaxf7Hnc7 +y+dLuTpJslGuhkKLV0Dhhoux1vq54ocS6Y7DGa2Pyk1zAQxLCcS4BFiWHnzwg1MC +AwEAAaNTMFEwHQYDVR0OBBYEFIru5ZR8xnxd1RWnbip+zTHuUv3IMB8GA1UdIwQY +MBaAFIru5ZR8xnxd1RWnbip+zTHuUv3IMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAIIda5jNRX3r0rCBrKJ+vs1Pk6zIKEQ7Oeq/+p+k6eRUO0b8 +wx4rW0gXeQPeppaaxKLMZXBlA5DxsI1DpML5dcfti/M1bHIYOAISRRqPEd5GVTy8 
+1ltCVN249mg06yHdoqjzO1geFIRVesoblO6JMd3xYDe3pxcTIakZNq/Cf/zjld51 +1fcMuLWu4F/1BwiNZa8eQ5Zs1Cy+b3+s+NrgVd2CIrFpZSFyP4EkUXhZXJha6Rf9 +SzmYdz4al7e9EAhURvQlm8wJpFSSkoLBuJtx7Vh6d14KPUU2NB9F2ulp6AbJb+/H +EGd3bAK6IhIrkZmxTAwowESHUJBwuX890tbZcnM= -----END CERTIFICATE----- 
diff --git a/tests/data_files/pkcs7-rsa-sha256-1.der b/tests/data_files/pkcs7-rsa-sha256-1.der index 622df1e7a38899b4da3a3601badd4fb36a333238..0d799ea335a51b79ecc1f0b50037469ab0b69ade 100644 GIT binary patch delta 668 zcmV;N0%QHn2F(T|FoFX~FoFUxpaTK{0s<6!-rdqfOwrB$TtTQ1EQz<@E^NP%BT5=F zF)%VXF*Y$UH8xro4Kgz^FfuqXHZd?YHj#%|f5^7aX^EWC@awe7WLyR34h=5;-OORo ziOba$qnb5&xg$fi9>-7y547z!hhs884nkiYH*9`&!k04??ex1a$oSm@x%~f?S|nXb z6MEL>09MMul~Sl>)ggx%e857<#GXDnoEN1uv{TKiz{?RkPh<777fYV$kSiGw(G-@V ze|e`vCaurz5Wm^y>#w^vd+D}0Sr%Or-B(c;9IdT99Xi^^i^u^TVYN*50eHSPgPMt~ zk*h(TJfnSUsDaW|7{uFXyr%caHUjpUsB0Jd9(Oy-=S#UdNwQI{hC+*1K;edqvDW&z z;)fFHj>8$PkIGGR0SrqC#JB`lmL7cYOM_Da0|5X5qf;(a1+tfGFt%}}eU-MIE>H0vSVqNwvbSRNFF zReH)BlIx2G2qA*mTQufl))f8&+jb=CI_xV5g}U-btFjb*PMLzZmREWU4l ztoYjCRo#Ljv1w%?azBA2QFvKgm|E!<{YyERcRm`Ix4jSuR7UhAo6HHMRFaZ{!MK}o z?O1wuUJ5-$HZ&ha+UaTN2FY*l#}H?CYy!F>5-X9Ju}lmoz(j{okZ`$wJ<`_M0&;Vx C%{4m! delta 668 zcmV;N0%QHn2F(T|FoFX~FoFUxpaTK{0s<5;5fOalty@++W3IJen|CTuSYe%!BT5=D zF)=bUF*GqSF*#Zn4Kgt?F)}nUG%+wSIgy80f5+-aB9}&|a>IJ+gHeB$IpW|oe-;2jCU<8{T1H2xmX*$ zqlTFM@5hd-j=Q}=2*)7!f(s$_{n;?#1{P7HN+wGQbl_};@LqY{YG?O~rIt6AVhnzb zRQ*&<@UO=8_#N;>_ir=MNsV?FC)_jV ztDaXFAfn|7_$3@jXkuvZeZ#z}#7?Vf=4eJ{Ik5SLrogTRs6BHi{j=hJ#AFA~tq z3^Fg+nkDI0lp;M2Z9rFBPudcx>>~Uwf77|qT!rlQGqmVo_RMLWazhvSqSXArrAmai zL~q&L6Jlh$r-%EWrEyVgmLl9Xjl6B$9FBxox%X~*2CWRn`p9`k1(lnM_&)G{uK8UvQQ1q%$k4#Z z!qCjnz|<^CoY%-0!JXJ1QGar(>9mr6%Y}c*KMlFOui@X$DK5c&&jYT{sBtuUoUx+t zsmf%%>M1R@%DP+X=JE3zE%*HR_(_UK>F=G3z8w6lU?)-B_gMb0o$C3MB~rf%HExUE z-R@8*6lByjGuES5@y?5#(MR7`-L_K@EK^otR;k<9*c>shVC{ivg&YrJ88@=mA9{L& z;UT-+txo+y>xD_&$G2>&3%DnfJ(ugSm&NXh5oPhV8U`(ojWa(Sn{^~%&wX*82mIly z3_qoB+ji&!lV4=FbJl+0C%*rW92b09k^E-;=TznXq*p848ZIx-_q^O+x^VM1Q^~AX zjfc0~*^xN)+^#q29`+kbPtD^GUN(IpWBhUNHB*_G85tNC2O9($$g(kq%JQ*@v554! 
zhV72mXTI*@5_2;2*9y`6y7oK+d62X+i-dt#16Bo-HJDWEm!w|i5EOhjkMVY=XI%W| zhccJWuG*aG?zFo8!o(KEZH{a=rB;Wse^KHwV6W2LtI|GksjBUoHvS`wtt+}N8_c^Y z=i2ggex}(Ux#ZpQQ=a^&kXP83dADs)rdar(OAN_czfyN?u*XLhZlJUIu%w zM;tEc!Q6SGj1dZ#o$3qsm^dDNwZ{4K)AIJ&&8_*X4yn)8O4Cp`tj%$4nQ6}~FRlGM z^iSq%I~|>Ud$#u9ym|83C1oX(>;IY$Oxczun7(1-CYwS(hTz;q87E5l7StzwJ+xM< zBe|>p(_UpmU#ep`eve*dYMG=kecuWIcTFeT delta 668 zcmV;N0%QHn2F(T|FoFX~FoFUxpaTK{0s<6Cy!juc+$grNQ8zCP?2_`mKgV!rV%e4I{`4p#D%T)>6x_|cAxJle2yhu%qExiH ze?R~zl=8Xz@}BYYHKsME{8ia79|i+e9U}x7FcyFm*K)AFuurOgC=T%b=jj6_`}|eelPCfu zf1#4a8|W|LX$ykwi9P~}?sv$kb0I3eWW;!Qd9?&oqIMx~YMJfEKV;OB2$VeAX|+Tp z+`c=(Gm4s&G*?fPFNCIcQ=Wv^ic@Z|@%9yOk?Nx{Ua;lh%q>ZY$JHDpj9;>ijI5`s zUB+*qucfZUO7sD}D~MppfBs#Tzh(q1(AA!YaiCOLDH=h)%N5M4RgoDg z#eQmp#I diff --git a/tests/data_files/pkcs7-rsa-sha256-2.key b/tests/data_files/pkcs7-rsa-sha256-2.key index 6226f8ad46..659c015666 100644 --- a/tests/data_files/pkcs7-rsa-sha256-2.key +++ b/tests/data_files/pkcs7-rsa-sha256-2.key 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeLQBIvG/mRNzi -Lr/dVnbolKkEFz6jDZ3U490N4cXeQr2Amd3QKGEDnTzrRlsS3vPc6alCP0qfIUqQ -jsNLnIMQnvemoacfwVbzBugWm7cUl1mJhr9KyZhRNy8M7JLyvT/HcGhi2ZXq/vQo -IyrXIH4U3M28IUg3hwhwGVqiVLS6QAAolPK5+/Ke8fM1qFFLJ7VIkwssNUgh7yIR -j3gm0+EFV2DcSD9h+drO8Gh6rRy6RrSUrEsU8X28XJmzEJaw2mP/AKy8aNlSqrxi -b/dCA42xsjkR0TDrsccY6MAvfsh+MbVUZfNtXbCRUkp5gBAV2rN4ZJ3hVQcYke71 -H+tVr++tAgMBAAECggEANzztAyiGkbOxTzLcVQV4Tt8XHoNA+X0bLqDwhtEJRvdE -8kJPGb/QTvu696voXMq9ysD1ahkeTm4Sgdpcx+HD3FAJto4eZRDGs2mWLnjMjfwL -MNwll0yD6D1WH1p6NovC3a0e5uS+F00IGyqTLiVP85PqOsnzkIqsGGLVW+K/hEaK -lRqKEf5tYzkdmlay8SfJQf03TuJVFp6qAgG/gH2EkGR/B4SLotXYDNXLFAzlx/N3 -QXHRIKhYOcvznbJ7Doww+nCyO613cUeZ1t3/22QRC3Vm8WMaYzxivGoMzmGM2YqI -MtUG+zXm4if9+MmT0CQ3meWLYwkIbFax6/6DLS6iKQKBgQD4EU4CEEjCsnYm7668 -0THvkcEsOTvSKroLYPKsuUbeoBfCvK4/o6kb2dQbR9c8MnHAJ8yN9gMbuP/njPUu -G9/sycI3uDRYpsQDeBcD74NtCAKqB1s7kcucMzxudwAqw/jJCJxyPqGiS8HJGQRO -sQMtBkvQx9RqKKagAgCWwaiLQwKBgQDlR76cQN3GSVRZfsA2rqTyZo8b4ECSEu0O -4vSQ0i5xMWp8uJLRBxktRYYCMfzH6dHDG+GNYearolOHm7BfC3QUH2EC6kE2D/9P -A40JrF7QEkDRtQ2rmNOQ2diLB1wYQiqRJieuXVIIzaRcyenRxP6ec2YMmHl9FaPh -dmYzjtDSTwKBgFr2/YQENKowhuMAQTM8AvO2nv94fVc0E8TYaCSuTC6Wxh/C0KLF -gN2VoxHd5i9M0CmGbpwf+kPQMwbVyZJ+5j4OPgnwokFf5cDf6JCo46i3p0JyMCJH -9EHzB9X6DTWhZzlQzw2Vqe+5l/YGFm5EusVn6aVFob7L6U4DbfPaT9PBAoGAD1Hi -55fh+azOqQgyGbVDqjq2Fzu9tMT0+AisJL0Wg1O09M50aOkbgo3hrWXfqQ/zhyDm -ykafXhqDkE0T1NX0FKAgIEy8vLsG6SWol9vfnfGKSTjax/t3L3eO44NDYQ+Svo4Z -Gqp7n8D12YlYST7rcHTvfan2fCglAhyiKZHCXDsCgYEA0BeqGpJ6Oz6O8g61JixG -EryjO2cCnQLWlwlal40L63wY5tNDCixuDM6zJFq/tT9DYMuNANrfsqWU2ImKTNPE -kwlMgP813aPXREgyV3ylL4KLusfDF6hqPtDcU2QK05LuTX7puHwi0pR8jAmPzrng -Y2ncNnRJI7vczDETaW1vuoE= +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJlTWWdP6nE/of +5VTTvoD+uZREU07nUNeYfEEy42ioceUkky57lIQ9Iy20fp4PDzKnSfHj5GRIdfu5 +ovTB8yA+GHOO4x/DPiXPyXQa+nEo2xXdt0BxElIyipldSI0h3Oi5W8Xvets+IBF2 +IyQDJH6+gYNYnnCtwJZxCOBdAbEHwuXYAOEHHtqJL3E7oWILx7S2flDeHGudCsNK 
+OLuRWHZfPSgwhOMzafDGmsRgvN8XDOAPV6ox8me2tsLwAk5Zi0NqvxPkTf/ExxHp +eGPsr/NlI49i6qhGgNOnb0nTj3Whs/Y1GWrqgcO03Lhhlc667GdIP7B1yp4PU6aX +oQFfx6yVAgMBAAECggEBAMVHm3w134qQCHfyroPTqtaftDTx+wRyn6yB3iT5XdGM +NZ8H07Pp80kKBo7gY7uFOiNyQKKxQFuR69sPWc3+LI3YzC8IpGslhUfHdjN46gn7 +73hfAVgnf/4qmlEq0cRUOAY/hIUMjUhNhglB9tqEeu3iPjMaTFgfZJwW/czH/QMD +w4zj5XoLgwRkqVvUceu/dBgV8KP5DpON+q8wpfWtjunv7rg5Nc3BVBrpb5SadJ7T +i5TsS+pZQyp+mTvyCI3A1hkr2Vw5tULWO8SPhuEQkdtC/CL+luCUO7L16lU6KhFB +qP5Fduik5skyLCVvAMUkjKcrC22k0gkhOHvfmMhjaAECgYEA68+hAQIiV9ErZGk9 +ZLu+VJHBSPmEQCkUcbviwzoRo8YSyka12TZERy+NJcvmD9deNgFbp8GyZf01XJWH +slSYt6LyInrJrTpv+3q2Vl5GQp0f+39i7MHnwGGKbWsDbSAm+L9yKTJzYJz1O5fo +in06AiyyGPwnXd1cm5bTXVX+dQECgYEA2tdi6DXF8awE23pv4HphPBhXS5hmYP/D +NC7CtP8wQsxjPdiIxkBFFVEaFCC2njq1VhTyJb5noJM4kOIwcoaQ/zgyyxQa0u7w ++CqvAh1WwG+sT/B7vivrtDmmYeyGQapFo5DRIz+MflKAhzDhtnEyT9vLuCdn8J95 +0YvxZJ9+k5UCgYEAh+e7SER9nJUt6AoLWyIlGMKEXlWIFh5W7RG3KIMwJW6D59aG ++fAfu9M5Cx6PsnOSlZeExpOJCOS9O2Xmti2xcqzT1nFkCJWUcqCPtAlTfxLlmuIZ +FpDOy36r9FHnwJ32OAjGd93ex0DOyZDMcfyoURaHcoTo/10UAYwUt0dXhwECgYAI +xad2TWmA1XdgYNkJM36gTQ16v0IjUz084z70yGHj25OC0CIzaDIct6KG+gS39Px9 +1dsa/jXjLuOOkzKD9LbtNBB9KXIl0GQiXnujZw+qKQ/MKISdS99n2wO7WyLKkQu3 +kb+AXTTBf4cdZC04BfORVesll5bIA2x7pNNpSCdnvQKBgG7VXYcPlIV7iAyi2xFa +uN1jccu/AK7xA0G1jz2SHNlpet74LmWR8XsTujJeo8WG1IRFxSky4h/pAP0XWIFO +0LPK7eeDtnFq6y1/DXpI+/9BWX5T/8+4Yk93p37YrBVWKfd21dhrAklQs11m3rlQ +Qn6c/zyvMKSyrCVxo5pTd5Il -----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7-rsa-sha256-2.pem b/tests/data_files/pkcs7-rsa-sha256-2.pem index 0f03a43a04..b11a00a199 100644 --- a/tests/data_files/pkcs7-rsa-sha256-2.pem +++ b/tests/data_files/pkcs7-rsa-sha256-2.pem 
@@ -1,48 +1,48 @@ -----BEGIN CERTIFICATE----- -MIIDSTCCAjGgAwIBAgIUSbz5H6XcKL1urGmyF9I9v63PwccwDQYJKoZIhvcNAQEL +MIIDSTCCAjGgAwIBAgIUVk1VQCWvWZ4ycHmycg7wDfN8+3wwDQYJKoZIhvcNAQEL BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT -NyBDZXJ0IDIwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +NyBDZXJ0IDIwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4tAEi8b+ZE3OIuv91WduiU -qQQXPqMNndTj3Q3hxd5CvYCZ3dAoYQOdPOtGWxLe89zpqUI/Sp8hSpCOw0ucgxCe -96ahpx/BVvMG6BabtxSXWYmGv0rJmFE3LwzskvK9P8dwaGLZler+9CgjKtcgfhTc -zbwhSDeHCHAZWqJUtLpAACiU8rn78p7x8zWoUUsntUiTCyw1SCHvIhGPeCbT4QVX -YNxIP2H52s7waHqtHLpGtJSsSxTxfbxcmbMQlrDaY/8ArLxo2VKqvGJv90IDjbGy -ORHRMOuxxxjowC9+yH4xtVRl821dsJFSSnmAEBXas3hkneFVBxiR7vUf61Wv760C -AwEAAaNTMFEwHQYDVR0OBBYEFNdysL6wT6p/KA7w/efpAyX7/FXZMB8GA1UdIwQY -MBaAFNdysL6wT6p/KA7w/efpAyX7/FXZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI -hvcNAQELBQADggEBAKGSxRvoL+FpC4LtiT4Cie53yKlzISq+ZMR4eHm1BFSidiFv -apntxj9k1JIIlDzbabVEJdy+O8EzipqUNFdPky+EpnZTnoTXilNusPH2FW+R6qMx -XrDl4MwtSYnH1RwkjF+yjYysp6pdxm+gr6k7lS4biHq6VfUYSvQBvSuIYMn+XZa/ -ZgQs0NWeh3GgVFkpGkG/yxXMq1WRGSrFfmqExLVpMeNXTINQsK5PH/JMaj44c4T7 -+qbq9Rf4U4ezkTUXHsQQsA3dFpPiL5Lv6RS+31VKLpXYJQ9j/Z+IWBFjTf/utt5T -VA2cEFCZIkNYUoX8RVs23cQr/ZNBxxgO/7JYNSE= +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmVNZZ0/qcT+h/lVNO+gP65 +lERTTudQ15h8QTLjaKhx5SSTLnuUhD0jLbR+ng8PMqdJ8ePkZEh1+7mi9MHzID4Y +c47jH8M+Jc/JdBr6cSjbFd23QHESUjKKmV1IjSHc6Llbxe962z4gEXYjJAMkfr6B +g1iecK3AlnEI4F0BsQfC5dgA4Qce2okvcTuhYgvHtLZ+UN4ca50Kw0o4u5FYdl89 +KDCE4zNp8MaaxGC83xcM4A9XqjHyZ7a2wvACTlmLQ2q/E+RN/8THEel4Y+yv82Uj +j2LqqEaA06dvSdOPdaGz9jUZauqBw7TcuGGVzrrsZ0g/sHXKng9TppehAV/HrJUC +AwEAAaNTMFEwHQYDVR0OBBYEFI5FVrtfLwPXRERcyVX6qBVvfoduMB8GA1UdIwQY +MBaAFI5FVrtfLwPXRERcyVX6qBVvfoduMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAKRl0wgREe6eAduJSV5fs+Ec0s2qs2lHQqt/0JGEIbZBBtka +q1UH9CIMMAd6Kb0kh5GlJT2shg/EAYWoitMwntkeRYTln2k2/B5jux+U5Ph4HyC+ 
+ad2GqmsoXWDru79rltT7Pv1hS1ofJyQ4Jv88vQA/SuIIRGdTC24VAVgg00JxvDRB +xeqsQ9Pld4ebg4VvqsInnSpmKCcxfWxFhJk/Ax8bK/tV/GnrPiwsvry1j9nZyebS +IyI01/6DwJS2ZhFnsLGyPHFOAFNtomjIdQ6gf2L1wq0qiGOKj/K9IzFNCpCz82a+ +gMgqFzCT5TCZC16kUG2NA2pXAx9O4uppKjRk97U= -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeLQBIvG/mRNzi -Lr/dVnbolKkEFz6jDZ3U490N4cXeQr2Amd3QKGEDnTzrRlsS3vPc6alCP0qfIUqQ -jsNLnIMQnvemoacfwVbzBugWm7cUl1mJhr9KyZhRNy8M7JLyvT/HcGhi2ZXq/vQo -IyrXIH4U3M28IUg3hwhwGVqiVLS6QAAolPK5+/Ke8fM1qFFLJ7VIkwssNUgh7yIR -j3gm0+EFV2DcSD9h+drO8Gh6rRy6RrSUrEsU8X28XJmzEJaw2mP/AKy8aNlSqrxi -b/dCA42xsjkR0TDrsccY6MAvfsh+MbVUZfNtXbCRUkp5gBAV2rN4ZJ3hVQcYke71 -H+tVr++tAgMBAAECggEANzztAyiGkbOxTzLcVQV4Tt8XHoNA+X0bLqDwhtEJRvdE -8kJPGb/QTvu696voXMq9ysD1ahkeTm4Sgdpcx+HD3FAJto4eZRDGs2mWLnjMjfwL -MNwll0yD6D1WH1p6NovC3a0e5uS+F00IGyqTLiVP85PqOsnzkIqsGGLVW+K/hEaK -lRqKEf5tYzkdmlay8SfJQf03TuJVFp6qAgG/gH2EkGR/B4SLotXYDNXLFAzlx/N3 -QXHRIKhYOcvznbJ7Doww+nCyO613cUeZ1t3/22QRC3Vm8WMaYzxivGoMzmGM2YqI -MtUG+zXm4if9+MmT0CQ3meWLYwkIbFax6/6DLS6iKQKBgQD4EU4CEEjCsnYm7668 -0THvkcEsOTvSKroLYPKsuUbeoBfCvK4/o6kb2dQbR9c8MnHAJ8yN9gMbuP/njPUu -G9/sycI3uDRYpsQDeBcD74NtCAKqB1s7kcucMzxudwAqw/jJCJxyPqGiS8HJGQRO -sQMtBkvQx9RqKKagAgCWwaiLQwKBgQDlR76cQN3GSVRZfsA2rqTyZo8b4ECSEu0O -4vSQ0i5xMWp8uJLRBxktRYYCMfzH6dHDG+GNYearolOHm7BfC3QUH2EC6kE2D/9P -A40JrF7QEkDRtQ2rmNOQ2diLB1wYQiqRJieuXVIIzaRcyenRxP6ec2YMmHl9FaPh -dmYzjtDSTwKBgFr2/YQENKowhuMAQTM8AvO2nv94fVc0E8TYaCSuTC6Wxh/C0KLF -gN2VoxHd5i9M0CmGbpwf+kPQMwbVyZJ+5j4OPgnwokFf5cDf6JCo46i3p0JyMCJH -9EHzB9X6DTWhZzlQzw2Vqe+5l/YGFm5EusVn6aVFob7L6U4DbfPaT9PBAoGAD1Hi -55fh+azOqQgyGbVDqjq2Fzu9tMT0+AisJL0Wg1O09M50aOkbgo3hrWXfqQ/zhyDm -ykafXhqDkE0T1NX0FKAgIEy8vLsG6SWol9vfnfGKSTjax/t3L3eO44NDYQ+Svo4Z -Gqp7n8D12YlYST7rcHTvfan2fCglAhyiKZHCXDsCgYEA0BeqGpJ6Oz6O8g61JixG -EryjO2cCnQLWlwlal40L63wY5tNDCixuDM6zJFq/tT9DYMuNANrfsqWU2ImKTNPE -kwlMgP813aPXREgyV3ylL4KLusfDF6hqPtDcU2QK05LuTX7puHwi0pR8jAmPzrng -Y2ncNnRJI7vczDETaW1vuoE= 
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJlTWWdP6nE/of +5VTTvoD+uZREU07nUNeYfEEy42ioceUkky57lIQ9Iy20fp4PDzKnSfHj5GRIdfu5 +ovTB8yA+GHOO4x/DPiXPyXQa+nEo2xXdt0BxElIyipldSI0h3Oi5W8Xvets+IBF2 +IyQDJH6+gYNYnnCtwJZxCOBdAbEHwuXYAOEHHtqJL3E7oWILx7S2flDeHGudCsNK +OLuRWHZfPSgwhOMzafDGmsRgvN8XDOAPV6ox8me2tsLwAk5Zi0NqvxPkTf/ExxHp +eGPsr/NlI49i6qhGgNOnb0nTj3Whs/Y1GWrqgcO03Lhhlc667GdIP7B1yp4PU6aX +oQFfx6yVAgMBAAECggEBAMVHm3w134qQCHfyroPTqtaftDTx+wRyn6yB3iT5XdGM +NZ8H07Pp80kKBo7gY7uFOiNyQKKxQFuR69sPWc3+LI3YzC8IpGslhUfHdjN46gn7 +73hfAVgnf/4qmlEq0cRUOAY/hIUMjUhNhglB9tqEeu3iPjMaTFgfZJwW/czH/QMD +w4zj5XoLgwRkqVvUceu/dBgV8KP5DpON+q8wpfWtjunv7rg5Nc3BVBrpb5SadJ7T +i5TsS+pZQyp+mTvyCI3A1hkr2Vw5tULWO8SPhuEQkdtC/CL+luCUO7L16lU6KhFB +qP5Fduik5skyLCVvAMUkjKcrC22k0gkhOHvfmMhjaAECgYEA68+hAQIiV9ErZGk9 +ZLu+VJHBSPmEQCkUcbviwzoRo8YSyka12TZERy+NJcvmD9deNgFbp8GyZf01XJWH +slSYt6LyInrJrTpv+3q2Vl5GQp0f+39i7MHnwGGKbWsDbSAm+L9yKTJzYJz1O5fo +in06AiyyGPwnXd1cm5bTXVX+dQECgYEA2tdi6DXF8awE23pv4HphPBhXS5hmYP/D +NC7CtP8wQsxjPdiIxkBFFVEaFCC2njq1VhTyJb5noJM4kOIwcoaQ/zgyyxQa0u7w ++CqvAh1WwG+sT/B7vivrtDmmYeyGQapFo5DRIz+MflKAhzDhtnEyT9vLuCdn8J95 +0YvxZJ9+k5UCgYEAh+e7SER9nJUt6AoLWyIlGMKEXlWIFh5W7RG3KIMwJW6D59aG ++fAfu9M5Cx6PsnOSlZeExpOJCOS9O2Xmti2xcqzT1nFkCJWUcqCPtAlTfxLlmuIZ +FpDOy36r9FHnwJ32OAjGd93ex0DOyZDMcfyoURaHcoTo/10UAYwUt0dXhwECgYAI +xad2TWmA1XdgYNkJM36gTQ16v0IjUz084z70yGHj25OC0CIzaDIct6KG+gS39Px9 +1dsa/jXjLuOOkzKD9LbtNBB9KXIl0GQiXnujZw+qKQ/MKISdS99n2wO7WyLKkQu3 +kb+AXTTBf4cdZC04BfORVesll5bIA2x7pNNpSCdnvQKBgG7VXYcPlIV7iAyi2xFa +uN1jccu/AK7xA0G1jz2SHNlpet74LmWR8XsTujJeo8WG1IRFxSky4h/pAP0XWIFO +0LPK7eeDtnFq6y1/DXpI+/9BWX5T/8+4Yk93p37YrBVWKfd21dhrAklQs11m3rlQ +Qn6c/zyvMKSyrCVxo5pTd5Il -----END PRIVATE KEY----- 
diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der index 0d0706931e625b35b37466511e87ea4da5a731ba..763057d9e5eb7be478369ddaba4f227fbe94afee 100644 GIT binary patch delta 366 zcmV-!0g?X11H=Q6Uw?bv-O@x%(aru`L8uTciMQV_Y`-uK1_>&LNQUo z07}fdUAVJ>X*kQqd%D*rLG$nqctJVMX|%rz8CJY0cOZ|=bocqC8hzAniNN`=Iq zg~|@O?Gp`C`nG6LWNiH}uQV;lvC7Iq>~EVGRC&qVB&h7M3V&(J7{f#jt%@Bd*gWd- zMfq+qY7!9F!t%(f_B#}$tOR! z>kStU9iTuzl0dPYpx!o0?a6Pq&oW{hS6&LNQUo z01MTcgrxL5dy@l*VL5lRlyDm?g)3;67Ot5m=D4eHp1yroHeJsaMz@eznL)aHdzF@W z`L^fGvI-n8JF6vSG~uiUuSN4WLRZ=kt<}U1PsMO$_m}q5!GDh1{Wy+Mhg(GKA%rl- z@sdwGUn!=!UWY{X&uig>@}@2 zJ%Sql=M9|xz+Dk5zXs@I7r*vWg|S{en$X5uW@;P%+#7~y7P7vpi>sgYFC-PxwAqbz z<;2LE_6QQLgJ<*+BYG42=5sl(_A1-;UC7e7B@5w%zz5lxjUF+0XkuP5GJ_9Tl6gEZ zJO&9WhDe6@4FLxMFdYU7V1`HmWdj5ODg+QZckg~VIky`(o)-umhz_rS5NV*BB$WjF MN+nIx-1da?hxulsi~s-t 
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha1.der b/tests/data_files/pkcs7_data_cert_signed_sha1.der index a888525244b49ec910b7e4b46c338fd3e74f9d37..b6f95998fc3eb91ccb47856b79f61d06bac9af24 100644 GIT binary patch delta 943 zcmeyv`G<3YyGZrDyO&&iE}s1tQ8JtpV>L*;)mB;PNl@KKIh}r`*-(D;)TxBS49`kGOgUH?7U6xcmNy!mbd2Z z$wm%*PVutlId!FnrW=dA{j%HO#E-koJOBKj8l@8JDO`2!8AI5qgHwZ6q+V5Qm#8`5 zbn?hNJF7Y3OHH-}pIv?6w4k+r^4HDc-t%5g(3TXqC^BtPedTgzwYBHp3GBc5{Pp_X z=G8B^Sw@P*3f~P66qi}M)<)Lq*0JsrjIxPaeZDbP>@#bg)wyQkYR7pti)*u2G+qjo zIC48<&$90)%$UB-T#+sQTdv&t^mFf>R-T&z*R?ryhdVrM>)v?n*Um@nLNEIcORnud zxtb5&&B08}j0}v6gAD==WZ9TQW%*ddSVX$sJ)Kf>tS0uV=<+ zO7#oga|^ZEb1m8_^J#Q0!LwzR!-cGR4a?_?E>*%FK|h)wyr>{&K#v zO0TH7BiE{VP5s&dZYFHWYV~!qjNYrS3awXLROQ_lqRV#OR{5Y);L~01pKU(!8U|hd z5UIrb$WD$F4qc(NSr${+Dpp7(9p=l(8SQd&@xJ#*T@jT zowz@u{`f0*rRi?VpY(qSZq5Esu>Ae1BahNj{e)L@>^gqq^Qu|ZZTcVO88Rdo?mm2`Sn6U&?JdjIFgJYJ;yfYJBXy#<<~n(r0EN>H61|s~o>w?e;hG`aMmD zbKQ&J_D|lYCbj%k4ZB(-^my};ApWwdY(azN4>pSTy_c^)GDH5()05ZhIbRn)IJJm( z9{am_3O}-Lz1q_J{&x6@l;h`{&F2cN4(=(})%h!WZ`aNU>Aj2FX8e7Byl-{i?!8VN z#}$4waVviPd(+?{n^@ptFEww@k_S0$AL1(SW~G1cS~|^qS`trPZ^+*e-w*4Lef=T( z!R33t@r9@F9{F83a&5Nv0!JohMh3>k!3Kc_vTV$uvV1IJEF!V7_ZMC&z86!jI^*=0 zi7CI;qRKf9}Aa<^ph?n@m@|MUC*)0t4W z_r;EsG@q;`8JS=H>Ii7ZnF8Md_2q&fNUf%wD{?fw0oM}pT z%zF3a-j(TViP-r)uZnHsjL5vzZDL$K4+L%hFa#}y=j*8;ig26tGATOdXImI+|)j|xAMuZiUc=}PfQb@PHts(#hMr=-(!}mXLO0S zbr0kgJrXY4*qo;&+Nji@-1J?Br8?i#h_kG95l`&L*`;-BL8_ zZI8IOUe32WPgq+_?dCLV7uC6nF 
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha256.der b/tests/data_files/pkcs7_data_cert_signed_sha256.der index 3f2dfb5ace1ae4c6571da3551fac2c2c0d65d89a..778fb7b4246a314999cac675ef2bf0147f8439b8 100644 GIT binary patch delta 947 zcmZqSYT=sTEmD2&?j;wWi)a7EIIa-T>D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMlc}h9awoGZ)&x2E5wlW# ziDvax!;Gx`PFtoX#JOreFxl##^dO+n_E1T`!4W^xuFPt?&6Q1c_pc^rUDl%8FXvcTFD$w6>aN+Em+4aYgGUb%(XQ+o1sP_eMdd{4edE>G% zV`giN`oXe0F?QX`aTCA3ROp?(=Wq6wt#5W#CG9uRxXHBhdgLtWb)gPLH4SEuyg6!q zZoDMIT3cke#QCM~BrUI?ds1w3pYg&S}7u@`!$Odgze4i OE(e_cEcJv*F$MrvY`x2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUMLDI@B5(Z)oSQSi8VN$K{YDk$9AoA&tL{#B&w`B3|OC3x9^ZWnP znNYX)#g3FTpR6SrnP2|u2x#qC>)Bf-u71b(`RaM$5(d5FhwS@TDn0D;cV1I3 zH@auv%OrcfX_oZirbLdbx0K3ykAH~V)IPVj^2x4>1UHROOcS0??qqhwnjj}XVpghm z+kL3@>*2TIooQc|i9Zy1B2aVd`Dz}Ycl_G(w(f9Ft?pua*m*Nd^v2|wp(}0*9u-PH zxxXfW^Kk#tCd)sDAzpqRmC4b(p_h{uCbtN5B;LDr>lv@Y^4?>{N}Qjm51hoMt7OcJ-;(w=WC6YS5)OlX2d>br){eIQ6dd z&ib?J?a2`nG}M3xwuTvO$oJhis_q-C+|jqDzQy(#{0`(`dNS#oY0 Pw^pJzTPjx?lOqoRq+iEN 
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha512.der b/tests/data_files/pkcs7_data_cert_signed_sha512.der index bf143a56f0b499929747df519279532d86354d61..41849a943e54d4d08d0d1fdf9926f2c362fc986b 100644 GIT binary patch delta 947 zcmZqSYT=sTEmD2&?j;wWi)a7EIIa-T>D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMlc}h9awoGZ)&x2E5wlXg zUDKZ{D|r+8ul;Jgp?mAZnm&(}-(|n7;+t^I|0i1*&&QfqVhnEfDzTO&KLu<4?AoQr z&6a7pj47`3r@*0G@83KN-+VkaHT#!B(BfO^mfj!F-g3@(BUMs+k)^YeJ?y0S!8a%G z#2Brt$Tc;JnPT|m_jZwsTyI$97=7;udG;TRIa%MHzp6a>l9^dqy>{s99~mVq*X!mL zyuR1&6?gE@=cuLXasMV&1W2s)&A08pqb9EQe%*rGmOHJNtU7$K$hfCVZiNKf#e(~@ z1g5;d#B$)}<~VbqRg?Ecn|`T%xGM4Vnczc0r&z9U`+MIp{AuY_d;jK+cN{8fW*5ER QDG*~-KO;icmTBgH01S=CAOHXW delta 947 zcmZqSYT=sTEn*-jSo3skbeK)@x~&Pb%e4X`66a2g_mVa+G&C|XG%++Vw2TtxH8Mov zPRui(_*2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUMLDI@B5(Z)oSQSi8VN$K{YDk$9AoA&tL{#B&w`B3|OC3x9^ZWnP znNYX)#g3FTpR6SrnP2|u2x#qC>)Bf-u71b(`RaM$5(d5FhwS@TDn0D;cV1I3 zH@auv%OrcfX_oZirbLdbx0K3ykAH~V)IPVj^2x4>1UHROOcS0??qqhwnjj}XVpgi> z7k{95aZ*_J!lkb`S_M|W9x`-NmRxqWrcOSgXK$bUOMw}?}4ckXKQ z?RVSveiU54_l5>bce$S9fj{!A7T$a7oqn17>e5QKtmhpK0p9mNG)6vno6oyl!MHEP z)nN{!xulzt!=*QU>)*7MuzpBZh)CDGue8Z&RsB?fut3d&OCO&&`1|S4mN(Z7Z}Ta< zcO7|dsT+6rJ0vmMGM>?9W$@lvD%|nT+w%-Zjg(i{KvMvewvG?Eh}C; PBYi=!>z)7pOyZ{i)pf~# 
diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der index 1a24a8a2e3b72232f8ec4c2a1b2a45df051a2444..befd17c190253d2fc76833b5f6cc60b6a2742a2c 100644 GIT binary patch delta 960 zcmZqSYT=q7$;o8MZ@|mOnb0;-NmHcy-rY+sJ{Qmai*Z~bpwqeizFyA$iSb_2MurAP z7KUbq2Bv0F;=D%2NZg5e<`aJ_)SuXPKC^Sq#SgEyoJxsdea^?L_wVkR#0#CLuZk|7 zWm>sY*?F7X@c=gdEpN@+lZ_nsoZ@B8bLvVDO*a;K`(?Mmi63{FcmDZ5HA*GcQ@HBd zGlsBJ2d4(DNWH4qE>Uy9>Ew}lc2;x5mzrz|KD+wBX+dlMz3080pe-qIQDoYp z`pV_bYHQEG6WD+A`Rnz&&8uH-vy2pr6}}rDC@!;ht&ObJtz+FM7-bW;`g~)o*k{%} zt8>l7)sFLQ7T0F4XuK3EapZQ!o@L)pm@$2uxguNqw_LgP>F3@%tvojcu4{AZ4tIFi z*1hrCubq$Dg^GE818-d(ifvvq`=NK0tdDd{Qi zIt}lBOfcWRTwGXjrKH*VL-l{^A5Xnkdi6Wcj;-q+#D8Vy=uKTO=R7Uviq5|L`ZYgp zJqW$qq_i%?Iu%E z@#IcsSF8zg@*`%Y`V!6RtA-g_`<=E-O^9>VeqgfIKj}e0q3xlPeuE=^rd^rUcAG1k z>h51n&bqSWthZp@t@$4B0(5Rld?=4^V-PxW|38z;=3h(aXv|})-7@X)hSw%d)*p&R z)pE^Un^0 z((6JUifS6n9(i-r{M>j+gtfNFaEbFv-$`0tLHDHC=059J4qnv}Ros5ner2)z%1;_H bleJPrPWNjTD+t@0*If=c{aNY>lVS`2W9h&O delta 960 zcmZqSYT=q7$*G%~rw~(NV8k_1NmIl?P_X9d+UPKwp$6H>DCzm(f_7+Y&c)CON|)cDwYjd8>Eq|eMk z()F(^S2=#W+U;-V^?RBQ=eifc?Vr3)O=|h88g{iv=<((wLHuP^*@6bkA8ZuwdoN#q zWQP2mrzfx1bG|NqaB30nJob0<6nK zv?QLo-jKf`z8}^f`}#xngUk1P;|ovUJ@UJ70L%ZtQsXENs&Ig9^Xbmh;1rCu%DUGi_< z5l%|ky}bSR{H29~In$KxnDy?-y(`n#60!4pUKQKM8IgIb+r+qf9thh0VF+3zea)t3 z?GM@auT*;2=kL6xUT$>HzL!b%debcF!%c}CS8pkm^&bBaxv70_Z{?F+6$x${pO_{* zo!rUniZww_e#ER)@3#9;>(|3?!#mTyEE9hy@! zZzkisdFw9Ru5s#J>7Dgw)!UODGV#xX<~)=Q__NWFk#TKwd9?L5-H_yr&sm=qOuu^h zpuGEWdpFPEkhQu0?j4rAv|Lr;xrS!b#E^un$l06h?}#ihG`XhAIeBVr_eslQ*BjYA c0((>Z-}cR1VzT7iHg2s%Z?;sfG$uzL03W2vUH||9 
diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der index 7c631f9d7495886951dc80a63dc299421620b8de..85ea9f9fc1f29c7a68936a17ddf3825f10e9636f 100644 GIT binary patch delta 943 zcmey!`H^#ig-G?iyO&&iE}s1tQ8JtpV>L*;)mB;PNl@KKIh}r`*-(D;)TxBS49`kGOgUH?7U6xcmNy!mbd2Z z$wm%*PVutlId!FnrW=dA{j%HO#E-koJOBKj8l@8JDO`2!8AI5qgHwZ6q+V5Qm#8`5 zbn?hNJF7Y3OHH-}pIv?6w4k+r^4HDc-t%5g(3TXqC^BtPedTgzwYBHp3GBc5{Pp_X z=G8B^Sw@P*3f~P66qi}M)<)Lq*0JsrjIxPaeZDbP>@#bg)wyQkYR7pti)*u2G+qjo zIC48<&$90)%$UB-T#+sQTdv&t^mFf>R-T&z*R?ryhdVrM>)v?n*Um@nLNEIcORnud zxtb5&&B08}j0}v6gAD==WZ9TQW%*ddSVX$sJ)Kf>tS0uV=<+ zO7#oga|^ZEb1m8_kq}EYPsgF%@UUi6vdzZ%1jqi zxW>5auK7pqSL+&jj%desyeiP&aB$)5o7wfpk}~C#>u0Ek6sY$FaC*+1mwDr|F=J+H zjQYW{J27_M%5f9FzEtR)z2|TCmaT7gRweB>(74I8^Lpeg>2;wFMKuj(kGwf*er~)Z z!dhEoxWxIT?<6g+pnFnmbD#Aq2e0agDsI1Ozp_|<n;bJ L{w(!`NihZhmT0`V delta 943 zcmey!`H^#ig@}QmV9nFD(P1{p>$WD$F4qc(NSr&-$4kn<(9p=l(8SQd&@xJ#*T@jT zowy;Q{`f0*rRi?VpY(qSZq5Esu>Ae1BahNj{e)L@>^gqq^Qu|ZZTcVO88Rdo?mm2`Sn6U&?JdjIFgJYJ;yfYJBXy#<<~n(r0EN>H61|s~o>w?e;hG`aMmD zbKQ&J_D|lYCbj%k4ZB(-^my};ApWwdY(azN4>pSTy_c^)GDH5()05ZhIbRn)IJJm( z9{am_3O}-Lz1q_J{&x6@l;h`{&F2cN4(=(})%h!WZ`aNU>Aj2FX8e7Byl-{i?!8VN z#}$4waVviPd(+?{n^@ptFEww@k_S0$AL1(SW~G1cS~|^qS`trPZ^+*e-w*4Lef=T( z!R33t@r9@F9{F83a&5Nv0!JohMh3>k!3Kc_vTV$uvV1IJEF!V7_ZMC&z86!jI^*=0 zi7CI;qRKf9}Aa<^ph?n@m@|MUC*)0t4W z_r;EsG@q;`8JS=H>Ii7ZnF8Md_2q&fNUf%wD{?fw0oM}pT z%zF3a-j(TViP-r)uZnHsjL5vzZDL$K4+L%hFa#}y=j*8;ig26tGATOdXImI+|)j|xAMuZiUc=}PfQb@PA+41#hMr=pJ!I8ciVla z_3Poc;hkw;mWe+Uc_L7A>-lOPpLhJ)^S17APOa`@df0h0O!UU&nV~Cg3LX_oKDoap zfb($w(k9D4h9O>l9hJ$^yrGwq7ACg{bR^!pcIz3h!t&l@#!5do@t)XVzp2w{Z>sv# zwTGU6@byyO))BM8WV=?!m5s%%Dx78|ns)W6*S9YVzG~2=Hg~x6nfPZxa~{eD{Ml&8$hbDTJlcAjZb)**=d4c)reD2$P~QExy_;un$lBb0_YO;5 zTCS?_Ttl;IVn{+(y7LlfxRjIZ~JC0F&j#v=lKK)k+X5#cdNci zQnPMvrO`_pTYFKeHCm&*_wGOMymOrQ=XbvEukZZ6Z&-L(IMY-la)v!&c=PS}k&|Af zpki{{>=pl>ELRh8B@|Lg9i@sws;D|b&MIB|ugnqTRL$CxCJ(p1!6iR_ySYXi^>jM* 
zng8sSBlhb%eR_Kr=mjG>DEzv_smtWsiLd~BP+W+X9$oh5%a`-13 zL_a*vbChv57LJ(w#Bpo1FVDKtizSsPM(oueVNlW6A48rg(`?48d&j_<79Kmz5L4<( zrowr_w<7taEOdSSD+-bSF z3wY428dsEDlU1!p)hdhftBjeziZMR;bUyzvtP0#Mtn`B%K*Kc0KAY078#h_iCFrNx z>CPvlHcsx-7ZQb5(g)7hW{jEz1Ncl&Guk=r^P$8|(>NO-2*3d-vq4%RCAdIX34YFV zoFXY3%ellsqBBdhB0!!rj@q#PHH?J)$A)u?A>4|FH?eJux{Y8x)L;1sNk_fvBe-AOHvyxn+jc zm92N6D&fPMg7`PjZV?ZNS+0gTn;@?LkEcC(Bu^zjz0krI!kr45H z0^)-xyG@rMWUZ7^=xmfG_3z$`mG&It9hVFF(Pl9zs1jV7W^_AHXELaqNUDKZLW}T1Ssx{<{P8uRErW zFgY3ZOUGJW96BZoJciyjyaA#Bdr77~nb4`M_iDAqfVmu&NQrwGSk*6AEPodvhl=vY z#24y-U>6h)u!p!cw4!2nXG_M^)X1j^xU};7qqyGO*1KTuhQ=l>f;orHy;7gyQ2wW6 z_nrP)`6Q2&jPG4=l-Zfg=B>Nk(Zli(WX>|Okk_T$@?ILq*A4_TUs%P-D|>SNXhFpS zH*&0a&=3^x#LvvR$}LR}xg5zt`S|we)AHP0FbZ?ZEf(%`mIUqokPIZlTqOk;iEa*$ zCC#!teBZT?n}SKxPmDG!6{o~D!(08t@e#~wJ!Rf3In2ZfUh6WLB z3#qt2nb!cghfZ>R_dhzJQ{gUIJ1dfDl+Is%w3aXQ2=^W&VhTuq?@)B14yzkPj8psoaW ziX(jhvT@H`&k5FB833>_AOcU&109sxKocWkR2m*A`lq|fp!5) zoYjrw#SnZrUT0p)%fNkBl%~aL&AMg2>DO+)9h@DxRc8YiEGtw~m{e(qE;dxxSh6@u z8Dm8|zpQ?$MO;4^!5o75v@C8SPe delta 1910 zcmaKsX*3&%0)LC8?$3RBNd*B&{uprI=d6khY>#YZ0}Eii%jPLak#- z8`Ro_cBn8+YpAt}L2D^R?2KsNd-La=caHOZ-gED-d%k=7N^AydEN+VghU`suR~7+;%To%D);XDVnJ?K^;vBX81S$2Mqe;Z9sG?Ij>Kt0)-ps8O{?Ac7!Y_O2 zm3bHPe5K0&k!&kkmIQCK-KHw^$A~0zCNDrjb#;~J=Lo~UDi*a}|iwn~rRjfKAq0p)v4CcdIh!FanSizCt6aJivD>GSZ3#~Pnqa$uKE-nMY{ zaF~*-`2rIdkVe}7^i2M;WB6jpXLm5D`0f?RLD_r3t4dT-t2J?wEANYcS)F=VQhCSe zRvwINLSfzJDQ70RweJN-i#8Ov2iK)2N@mQ+UJ?j7mnn^z#W40&)|by_h?TUDX-1r% zHm3ko#uFYZbtm|Uk50kDDIC6gV`?!a>QhIgw~f}OM%Fwc0ceLv03b_&0ATkL4gX@DDA;Xut81G(ls5h)>e4yz6$J328tuJKDA}&~S=M1`dF5yc#H6oD9REat&E3+H@BoRd4t9n|k`r2hnbV;$O z6`b#$mePglFL1g5m;REy$u{SN1o}?qE`QzDI-@hL76<13!BV%qkSZQ>`g$4mMF+`3 zNGoTv{cw}Mv1RkkZg-D*Gp5rGW!odIgW`i$gYJ{kLv=F{#d| zsCbaVR8u6rcoruHrLOI$uHc@d*BQsLIewSf$#keCX`SRBEq(@S913ug|HI~Sfq&S1 zn*By;2|gPnm9Uz28IZOX(N`0yuG5L{iHwYD7QvQr@tu?rv z7hfBuKh807b)dnMs=_h!r15l2Fmq#9fk<60NB+#5pBdD*OXG|xpUt?@NXe+LuJ!6A zmOih!m}{U!j_$ziKvCPmY+bTY5g?T?Ls1e*(o!E!Ih2T|1>qZ*IHde?J{Cn>Oj9 
zFhMKC{W>Z8M$WIlE5=cx`%z_rsQ`&Z*^{IEJY;YqzEAyVkl#0iCZClsxu<=ZCc8f z#8^>k&;&v4YCl=|#)9*cSrtb?15#L+;Su3+u|*&27q~^(EX^Msd9C^r$K1vagJsnVQa?DIJb(+sju&TIJQ{A3n^~UD9X*Q%v^%Xj%KJu^<-J;4j z6UCF><=-{-g8^AJiwv+>OzW+`m&HnO&|gl6t2mYF(#uci!E@&%>5J%+c>7ZIVjnwE RH{h*eiL5Z=eSp)-eH44%-O@x%(aru`L8uTciMQV_Y`>9_B7bx#d(|;$YQI9Xm0(^) zE8sM>Ph#LuaXrFxk1)heHHv9_KC^j(e&5w&YSg&ROA&tBpGfXdEZG?FcVC7862#yC z0wlBgrJN|927R=a!?5c#f;;eY6((&rMS~d9a3L4v`e|ntAl3o8-8baKu{#4BHj z>ToZx!J(VkYk$UKX&xhgm?uk@e{yjhnpv zYqYiOxq4#1Feupqxz|~m8?IGAa(sX`;!6m8`LWUz1$}Zcq(kXVk}674-Wmp-=8q#& zs)$;1ht)r+b04YlC>)b2WE9JfDRUqbKR15UP|Ncg-eH1Ve5q#yXTUI<{uC-vBcPda=VV#kYB7a7^!iDw2?N^Cr^rjc# z6yy+m+UKhbOzsaWp0&6`WqXPO;fdK+71)!RRjAn!#S&x5zkE;$!;htcIs7qHN=}G* zV_OYX(_*1xgb;{f-qzaY4IrnD#xo-MvJJ?vKeCBJy=5nrt-|NoK7VD`x299oFp4gj0iK?&(A#`Mjj2m&{HpEAh#X($Qk>x(Q2enm0RgRB zcUwEQEmUJ@^J?;-m(|n3A4kVOMoCjtt!@6^!x_@2B_QW0DT0wyU}{;LvOnAuq%kzs zB?*(2eT&ICb4A!|j1awKPwkGGq%@??whJm@O9o{MW&%MBkvu*ZG6EDyy!juc+$g2jZ}SvN zew6kYK$D{Mvb+g}T=7X{EDI8WgADk*0D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4Hg>6vN4Cs^0A1qh;+SsI;G}VP3%?C z<#}3lXAR#4{XJnI50X}9kuVTzz^Y(!3X^JmlWg{kv#zzTFKuXCv#4(0S^vpvPH4DT zTfW-=YyOg#PeQES{v4Lmj`k3*WWKj-+N>js&ZHKkGEexpq1SoIp`WG4-*$gC%_)+w zU=nhb>KDA{7HYHSTC`Kh-5uXDOkOMAU9{q}b%dNqOK8<8=_&6z4ex$TFyFphTv&0X zq}lpI^?&LgPrX-q^*hgwt?M4de`V+BOL{)hlm#wRriM;Er zmzgivPUgQqE|6ZH!?a6DNPFVUjXpdY2VB|%CKT+fx4m@jCR0)IgCl;XU76K(n=6~@?q5yLy0YV}w_x3^ z`5x~AbZ$y~D35Pr5IS=IKap~rhY8uQQd2`hK z+;~ZZwYJD`iStX}Nm^b(_oUe7KI>NwUeys*+2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUM*_cCRm02VV#2TG9^Id(;tbb!sTws;@y`zmj37W 
z|EDvdZtsg7DQP}gOENOQ{M8ZA+OgKNw@h69j`8!=^TH(*7CrUOUwU~BkB&^shH#DYm8QPXg)=-x`Zs2&z6_h9WXqT95FYJ+ zOK9aAr9XQ0mv>%_X?^q6c*~2#Z)Y;+7CDRmTy*8nfu&w8+gBCKl99M5CmGvI~5V@&+Zg1t2T@?v#8lRXZJe}Oh?20u(PJYC! zRPVO?Q0v#jZ^Jv&zAO`eDDp(0=GODoJU;LEwdZZ!;hb9C#q_ZAW|-)W$umP&+!Q=2 zlzei3O#tWN{-sTpe+)ys{5mR=qj^IwCoN2F5$H&~ckR|QUWMho$BdPJZsI+$!G2Sx z)816|scR2C|KRJTysaZ6BTU9vCN;K{2Q?GAd7JSv9OK&FQym{*`+^%uz zUFn_mXVu%29WwFHg62Gw4fwOskdbk1ba}M(HrD+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMQ=q8Wu!*tUpoy`ViILI3 zXW_(rQ!ys2>2vZUW~KTP&FZU$8CmUro-svg53`VBM|x9`6ElZc2P8k8fiTI&%L%lgj2_OXq0JW2@aV?eK=zCQa5K zibd6O&0U)%E)^(>KmC=NE~apeao1h*kKC`;HS`?Oj_-I?pugeZ!r3>o>yIU6$|={+ zP!B0k?+f7coH;M^#${v1%+?t7gJpMO?7EfXCVqXX&^vq2-|Q`0-|VbP+Hat7lWFJm z$XU|sLLG`~8q6MfbJYCYcu9n{w#aaa^Gn}JT3$i-q}b*@>sJn5)e%+Pe${?uvHZ$U d8Zwi$QbbPoYZfaA+nd*24mkZ;>Isu#3;=4#!At-E delta 969 zcmZqSYT=sTEn*-jSo3skbeK)@x~&Pb%e4X`66a2g_mVa+G&C|XG%++Vw2TtxH8Mov zPRui(_*2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUMLDI@B5(Z)oSQSi8VN$K{YDk$9AoA&tL{#B&w`B3|OC3x9^ZWnP znNYX)#g3FTpR6SrnP2|u2x#qC>)Bf-u71b(`RaM$5(d5FhwS@TDn0D;cV1I3 zH@auv%OrcfX_oZirbLdbx0K3ykAH~V)IPVj^2x4>1UHRO5)+;pHZhhPG%*%4F)|wX z=%(f=#8f02a!sDktdBLBPJYC!RPVO?Q0v#jZ^Jv&zAO`eDDp(0=GODoJU;LEwdZZ! 
z;hb9C#q_ZAW|-)W$umP&+!Q=2lzei3O#tWN{-sTpe+)ys{5mR=qj^IwCoN2F5$H&~ zckR|QUWMho$BdPJZsI+$!G2Sx)816|scR2C|KRJTysaZ6BTU9vCN;K{2 zQ?GAd7JSv9OK&FQym{*`+^%uzUFn_mXVu%29WwFHg62Gw4fwOskdbk1ba}M(Hr9_B7bx#d(|;$YQI9Xm0(^) zE8sM>Ph#LuaXrFxk1)heHHv9_KC^j(e&5w&YSg&ROA&tBpGfXdEZG?FcVC7862#yC z0wlBgrJN|927R=a!?5c#f;;eY6((&rMS~d9a3L4v`e|ntAl3o8-8baKu{#4BHj z>ToZx!J(VkYk$UKX&xhgm?uk@e{yjhnpv zYqYiOxq4#1Feupqxz|~m8?IGAa(sX`;!6m8`LWUz1$}Zcq(kXVk}674-Wmp-=8q#& ns)$;1ht)r+b04YlC>)b2WE9JfDRUqbKR15UP|Ncg}{ delta 289 zcmV++0p9+z1G58=eH1Ve5q#yXTUI<{uC-vBcPda=VV#kYB7a7^!iDw2?N^Cr^rjc# z6yy+m+UKhbOzsaWp0&6`WqXPO;fdK+71)!RRjAn!#S&x5zkE;$!;htcIs7qHN=}G* zV_OYX(_*1xgb;{f-qzaY4IrnD#xo-MvJJ?vKeCBJy=5nrt-|NoK7VD`x299oFp4gj0iK?&(A#`Mjj2m&{HpEAh#X($Qk>x(Q2enm0RgRB zcUwEQEmUJ@^J?;-m(|n3A4kVOMoCjtt!@6^!x_@2B_QW0DT0wyU}{;LvOnAuq%kzs nB?*(2eT&ICb4A!|j1awKPwkGGq%@??whJm@O9o{MW&%MBQ09sM 
diff --git a/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der b/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der index cfaac2fa78e46fa9db2efe9fbf1bb71b6519d4ab..2973ccd7e50b2f7e667d651e76d939d01fc0f287 100644 GIT binary patch delta 963 zcmZqSYT=sTEmD2&?j;wWi)a7EIIa-T>D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMQ?RJmu!*tUpoy`ViILI3 z$G~)Afr%Is)&x5F5wlW#iDvax!;Gx`PFtoX#JOreFxl##^dO+n_E1T`!4W^xuFPt? z&6Q1c_pc^rUDl%8FXvcTFD$w6>aN+Em+4aYgGUb%( zXQ+o1sP_eMdd{4edE>G%V`giN`oXe0F?QX`aTCA3ROp?(=Wq6wt#5W#CG9uRxXHBh zdgLtWb)gPLH4SEuyg6!qZoDMIT3cke#QCM~BrUI?ds1w3pYg&S}7u@`!$Odgze4iE(e_cEcJv*F$Mr&G{F%7 delta 970 zcmZqSYT=sTEn*-jSo3skbeK)@x~&Pb%e4X`66a2g_mVa+G&C|XG%++Vw2TtxH8Mov zPRui(_*2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUMLDI@B5(Z)oSQSi8VN$K{YDk$9AoA&tL{#B&w`B3|OC3x9^ZWnP znNYX)#g3FTpR6SrnP2|u2x#qC>)Bf-u71b(`RaM$5(d5FhwS@TDn0D;cV1I3 zH@auv%OrcfX_oZirbLdbx0K3ykAH~V)IPVj^2x4>1UHROk`ta9HZhhPG%*%4F)|wX z80eC-Np2<^JbXnjma}ZSKJglDwKS3e@y`A;r^vfmVXRGy!<*UlcRY*r_Qk?8Ulx4Tpi6HiRsub^=H-FlN~bg&w}PWlnwZ^(U6gGZFG6G^)}s* zrph^a mYHjyP%VO6X**yY#Q~cld&0J!#D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* 
z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMlc}h9awoHks3^7+Ir$N@ zQhkYL^;N@+to=?~rY6L>YCka9>Ywx=pwRYENx#7nKhv(vYP-#qO?CILCTCsQan@U~ z?$&&dcL6##B|enLw=oDEx&NO@W%IA4b2R3$)oz(~c*ARxChHHyqH4M3uFVpc3KYek z{>n@jQ@F;s>#q4n?pNy?dX8wvcf2al-*9l@?3>y3$C5JTl5q#yXTUI<{uC-vBcPda=VV#j*N*gdSF)}nUG%+wSIa(JD zGBGhRGBhzXF)%SXT9Ixyk^3Nj$LdESmqw@LkML84Yw&QV@2bS&W@Szjs|dQs*z>BI zdxkIZ9{^|=0Nv&rNan5me5>72U}S4=^mjanGdn9-eN)weDDjQf0kGF%^8*qaf9rXw zLH5;)Pc};XmMjUb=u?OCOUjaj{Uuh_auVaS#8MA-dTS9dr{J*{j_)6T#F!u4<;mB7 z3F~v<%AyUP2kxFA_-fkfw1e;4SIA_?&x1Fe5UW#+cP%Xa72dkJSR1{ghM4{D$BwIx zyS+jP#~}EE3nBIW*)ZV-7Ez;0CQAu);B1EQUU}VWXZMPwmN%AS41SGN{Zvixug3NG z9q>f=Z!^&4?&40+#MYZjpg{ry0RRD`Q!r659R>qc9S#H*1QcCe-=WfT-duMjn9KB$ zWcwyscL^{b1_Mv$kqUB3( zrPHhoEF6TeR}!(S_-S#%;(|Rc{641;HGB4PgCFxd_ zB0UamKv!E&+7hYkBK$6Y)49=Hh3xe+wCG{>%xRr+Ll^m?)cnAuN`$vWZ`s@vVr09g zhx?zUaZzlRBHT8Oylveaj)Yjb_ilOyv6xwItA-W|jNlPH`~Xs-8`eC0t@s`9>LiQ@ zpSjj2cQW2TjRGClf|?t{f?){N+9Gz1$M9LQhn20 ziY}P}o}RAI+k8TesY`17s_n^$9AD;AoZ%f%{IM|s0j*niTRXNbRAXrKYVx3$)ziTr zN5?-#NmEp Date: Sun, 26 Jun 2022 19:32:09 -0400 Subject: [PATCH 055/413] Shared code to free x509 structs Signed-off-by: Glenn Strauss --- ChangeLog.d/mbedtls_asn1_type_free.txt | 2 + include/mbedtls/asn1.h | 9 +++ library/asn1parse.c | 10 +++ library/ssl_tls12_client.c | 10 +-- library/x509.c | 15 +--- library/x509_crl.c | 24 +------ library/x509_crt.c | 80 ++-------------------- library/x509_csr.c | 12 +--- tests/suites/test_suite_x509parse.function | 24 +------ 9 files changed, 37 insertions(+), 149 deletions(-) create mode 100644 ChangeLog.d/mbedtls_asn1_type_free.txt diff --git a/ChangeLog.d/mbedtls_asn1_type_free.txt b/ChangeLog.d/mbedtls_asn1_type_free.txt new file mode 100644 index 0000000000..87ac5ec5bb --- /dev/null +++ b/ChangeLog.d/mbedtls_asn1_type_free.txt @@ -0,0 +1,2 @@ +Features + * Shared code to free x509 structs like mbedtls_x509_named_data diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index be2cae7b5a..5d274950ae 100644 
--- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -625,6 +625,15 @@ void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry ); */ void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head ); +/** + * \brief Free all shallow entries in a mbedtls_asn1_named_data list, + * but do not free internal pointer targets. + * + * \param name Head of the list of named data entries to free. + * This function calls mbedtls_free() on each list element. + */ +void mbedtls_asn1_free_named_data_list_shallow( mbedtls_asn1_named_data *name ); + /** \} name Functions to parse ASN.1 data structures */ /** \} addtogroup asn1_module */ diff --git a/library/asn1parse.c b/library/asn1parse.c index d874fff469..12a378cf31 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -455,6 +455,16 @@ void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head ) } } +void mbedtls_asn1_free_named_data_list_shallow( mbedtls_asn1_named_data *name ) +{ + for( mbedtls_asn1_named_data *next; name != NULL; name = next ) + { + next = name->next; + mbedtls_platform_zeroize( name, sizeof( *name ) ); + mbedtls_free( name ); + } +} + const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( const mbedtls_asn1_named_data *list, const char *oid, size_t len ) { diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 5360b3cb7f..1c53a09903 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2680,7 +2680,6 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) { unsigned char *p = dn + i + 2; mbedtls_x509_name name; - mbedtls_x509_name *name_cur, *name_prv; size_t asn1_len; char s[MBEDTLS_X509_MAX_DN_NAME_SIZE]; memset( &name, 0, sizeof( name ) ); 
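Review bot: mbedtls_asn1_free_named_data_list_shallow takes the first entry by value and therefore cannot clear the caller's pointer, unlike mbedtls_asn1_free_named_data_list( **head ) declared just above it, so every caller is left holding a dangling `->next` until it resets it itself (the x509.c hunk in this patch does, the *_free functions rely on a later zeroize). The header comment should state that contract, e.g. `* \note The caller's pointer to \p name is not cleared; reset it (or zeroize the enclosing structure) before it can be reached again.`. Giving the two functions the same `**head` signature, with the shallow variant also nulling the head, would remove the trap. The implementation also zeroizes each entry before freeing it, which the \brief does not mention.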
@@ -2700,14 +2699,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "DN hint: %.*s", mbedtls_x509_dn_gets( s, sizeof(s), &name ), s ) ); - name_cur = name.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( name.next ); } #endif diff --git a/library/x509.c b/library/x509.c index c5b0161e71..362e036766 100644 --- a/library/x509.c +++ b/library/x509.c @@ -472,7 +472,6 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end, size_t set_len; const unsigned char *end_set; mbedtls_x509_name *head = cur; - mbedtls_x509_name *prev, *allocated; /* don't use recursion, we'd risk stack overflow if not optimized */ while( 1 ) @@ -530,18 +529,8 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end, error: /* Skip the first element as we did not allocate it */ - allocated = head->next; - - while( allocated != NULL ) - { - prev = allocated; - allocated = allocated->next; - - mbedtls_platform_zeroize( prev, sizeof( *prev ) ); - mbedtls_free( prev ); - } - - mbedtls_platform_zeroize( head, sizeof( *head ) ); + mbedtls_asn1_free_named_data_list_shallow( head->next ); + head->next = NULL; return( ret ); } diff --git a/library/x509_crl.c b/library/x509_crl.c index 2a3fac7900..d830fcd05f 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c 
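Review bot: The error path of mbedtls_x509_get_name in the x509.c hunk no longer wipes the head element: the old code ran `mbedtls_platform_zeroize( head, sizeof( *head ) )`, the new code only sets `head->next = NULL`, so `head->oid`, `head->val` and any other fields keep whatever was parsed before the failure, pointing into the caller's input buffer. That is not a leak, but a caller that inspects the head after a non-zero return now sees partial data where it used to see zeros; either keep `mbedtls_platform_zeroize( head, sizeof( *head ) );` after the shallow free, or document that only `next` is reset on error. The test in test_suite_x509parse.function changed by this patch only frees when ret == 0 and never checks what head holds after a failure, so the change is untested.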
@@ -705,28 +705,16 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl ) { mbedtls_x509_crl *crl_cur = crl; mbedtls_x509_crl *crl_prv; - mbedtls_x509_name *name_cur; - mbedtls_x509_name *name_prv; mbedtls_x509_crl_entry *entry_cur; mbedtls_x509_crl_entry *entry_prv; - if( crl == NULL ) - return; - - do + while( crl_cur != NULL ) { #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) mbedtls_free( crl_cur->sig_opts ); #endif - name_cur = crl_cur->issuer.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( crl_cur->issuer.next ); entry_cur = crl_cur->entry.next; while( entry_cur != NULL ) @@ -744,13 +732,6 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl ) mbedtls_free( crl_cur->raw.p ); } - crl_cur = crl_cur->next; - } - while( crl_cur != NULL ); - - crl_cur = crl; - do - { crl_prv = crl_cur; crl_cur = crl_cur->next; @@ -758,7 +739,6 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl ) if( crl_prv != crl ) mbedtls_free( crl_prv ); } - while( crl_cur != NULL ); } #endif /* MBEDTLS_X509_CRL_PARSE_C */ diff --git a/library/x509_crt.c b/library/x509_crt.c index c4f97bbe2b..81186fa0c0 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -685,16 +685,7 @@ static int x509_get_subject_alt_name( unsigned char **p, */ if( ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) { - mbedtls_x509_sequence *seq_cur = subject_alt_name->next; - mbedtls_x509_sequence *seq_prv; - while( seq_cur != NULL ) - { - seq_prv = seq_cur; - seq_cur = seq_cur->next; - mbedtls_platform_zeroize( seq_prv, - sizeof( mbedtls_x509_sequence ) ); - mbedtls_free( seq_prv ); - } + mbedtls_asn1_sequence_free( subject_alt_name->next ); subject_alt_name->next = NULL; return( ret ); } 
@@ -3300,15 +3291,8 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) { mbedtls_x509_crt *cert_cur = crt; mbedtls_x509_crt *cert_prv; - mbedtls_x509_name *name_cur; - mbedtls_x509_name *name_prv; - mbedtls_x509_sequence *seq_cur; - mbedtls_x509_sequence *seq_prv; - if( crt == NULL ) - return; - - do + while( cert_cur != NULL ) { mbedtls_pk_free( &cert_cur->pk ); 
@@ -3316,53 +3300,11 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) mbedtls_free( cert_cur->sig_opts ); #endif - name_cur = cert_cur->issuer.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } - - name_cur = cert_cur->subject.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } - - seq_cur = cert_cur->ext_key_usage.next; - while( seq_cur != NULL ) - { - seq_prv = seq_cur; - seq_cur = seq_cur->next; - mbedtls_platform_zeroize( seq_prv, - sizeof( mbedtls_x509_sequence ) ); - mbedtls_free( seq_prv ); - } - - seq_cur = cert_cur->subject_alt_names.next; - while( seq_cur != NULL ) - { - seq_prv = seq_cur; - seq_cur = seq_cur->next; - mbedtls_platform_zeroize( seq_prv, - sizeof( mbedtls_x509_sequence ) ); - mbedtls_free( seq_prv ); - } - - seq_cur = cert_cur->certificate_policies.next; - while( seq_cur != NULL ) - { - seq_prv = seq_cur; - seq_cur = seq_cur->next; - mbedtls_platform_zeroize( seq_prv, - sizeof( mbedtls_x509_sequence ) ); - mbedtls_free( seq_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( cert_cur->issuer.next ); + mbedtls_asn1_free_named_data_list_shallow( cert_cur->subject.next ); + mbedtls_asn1_sequence_free( cert_cur->ext_key_usage.next ); + mbedtls_asn1_sequence_free( cert_cur->subject_alt_names.next ); + mbedtls_asn1_sequence_free( cert_cur->certificate_policies.next ); if( cert_cur->raw.p != NULL && cert_cur->own_buffer ) { @@ -3370,13 +3312,6 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) mbedtls_free( cert_cur->raw.p ); } - cert_cur = cert_cur->next; - } - while( cert_cur != NULL ); - - cert_cur = crt; - do - { cert_prv = cert_cur; cert_cur = cert_cur->next; 
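Review bot: In mbedtls_x509_crt_free the five shallow/sequence frees leave `issuer.next`, `subject.next`, `ext_key_usage.next`, `subject_alt_names.next` and `certificate_policies.next` dangling inside `cert_cur`; that is safe for the heap-allocated chain nodes only if the per-node zeroize the old two-pass loop relied on still runs before `mbedtls_free( cert_prv )`, and that line sits between this hunk and the next (not visible here). The head node `crt` is never freed (`if( cert_prv != crt )`), so without that zeroize a second mbedtls_x509_crt_free on the same object would walk already-freed lists. The same applies to `crl_cur->issuer.next` in the x509_crl.c hunks of this patch. Consider nulling each `.next` right after its free, as the x509_get_subject_alt_name hunk already does with `subject_alt_name->next = NULL;`.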
@@ -3384,7 +3319,6 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) if( cert_prv != crt ) mbedtls_free( cert_prv ); } - while( cert_cur != NULL ); } #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) diff --git a/library/x509_csr.c b/library/x509_csr.c index dee0ea62d7..f9462added 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -375,9 +375,6 @@ void mbedtls_x509_csr_init( mbedtls_x509_csr *csr ) */ void mbedtls_x509_csr_free( mbedtls_x509_csr *csr ) { - mbedtls_x509_name *name_cur; - mbedtls_x509_name *name_prv; - if( csr == NULL ) return; @@ -387,14 +384,7 @@ void mbedtls_x509_csr_free( mbedtls_x509_csr *csr ) mbedtls_free( csr->sig_opts ); #endif - name_cur = csr->subject.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); - mbedtls_free( name_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( csr->subject.next ); if( csr->raw.p != NULL ) { diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index a3606f29b5..3369a8a3f5 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -825,7 +825,6 @@ void mbedtls_x509_get_name( char * rdn_sequence, int exp_ret ) unsigned char *p; size_t name_len; mbedtls_x509_name head; - mbedtls_x509_name *allocated, *prev; int ret; memset( &head, 0, sizeof( head ) ); @@ -835,17 +834,7 @@ void mbedtls_x509_get_name( char * rdn_sequence, int exp_ret ) ret = mbedtls_x509_get_name( &p, ( name + name_len ), &head ); if( ret == 0 ) - { - allocated = head.next; - - while( allocated != NULL ) - { - prev = allocated; - allocated = allocated->next; - - mbedtls_free( prev ); - } - } + mbedtls_asn1_free_named_data_list_shallow( head.next ); TEST_EQUAL( ret, exp_ret ); 
@@ -859,7 +848,7 @@ void mbedtls_x509_dn_get_next( char * name_str, int next_merged, char * expected int ret = 0, i; size_t len = 0, out_size; mbedtls_asn1_named_data *names = NULL; - mbedtls_x509_name parsed, *parsed_cur, *parsed_prv; + mbedtls_x509_name parsed, *parsed_cur; // Size of buf is maximum required for test cases unsigned char buf[80], *out = NULL, *c; const char *short_name; @@ -913,14 +902,7 @@ void mbedtls_x509_dn_get_next( char * name_str, int next_merged, char * expected exit: mbedtls_free( out ); mbedtls_asn1_free_named_data_list( &names ); - - parsed_cur = parsed.next; - while( parsed_cur != 0 ) - { - parsed_prv = parsed_cur; - parsed_cur = parsed_cur->next; - mbedtls_free( parsed_prv ); - } + mbedtls_asn1_free_named_data_list_shallow( parsed.next ); } /* END_CASE */ From 7db3124c00afe5162c595c1e73eeec21438c1a23 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Fri, 1 Jul 2022 13:22:45 -0400 Subject: [PATCH 056/413] Skip asn1 zeroize if freeing shallow pointers This skips zeroizing additional pointers to data. (Note: actual sensitive data should still be zeroized when freed.) Signed-off-by: Glenn Strauss --- library/asn1parse.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/library/asn1parse.c b/library/asn1parse.c index 12a378cf31..4bc17710c0 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -314,7 +314,6 @@ void mbedtls_asn1_sequence_free( mbedtls_asn1_sequence *seq ) while( seq != NULL ) { mbedtls_asn1_sequence *next = seq->next; - mbedtls_platform_zeroize( seq, sizeof( *seq ) ); mbedtls_free( seq ); seq = next; } @@ -450,7 +449,8 @@ void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head ) while( ( cur = *head ) != NULL ) { *head = cur->next; - mbedtls_asn1_free_named_data( cur ); + mbedtls_free( cur->oid.p ); + mbedtls_free( cur->val.p ); mbedtls_free( cur ); } } 
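Review bot: In the second asn1parse.c hunk mbedtls_asn1_free_named_data_list stops calling mbedtls_asn1_free_named_data and inlines `mbedtls_free( cur->oid.p ); mbedtls_free( cur->val.p );`, so the two ways of releasing a named_data entry can now drift apart (if I recall correctly the helper also zeroizes the entry, which this copy no longer does). Dropping the entry zeroize is what the commit message intends, but the duplicated body is the part worth avoiding: keep the single helper call and remove the zeroize inside the helper instead. The ChangeLog entry from the previous patch does not say that freeing no longer wipes list nodes; a one-line note there would help users who relied on it.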
@@ -460,7 +460,6 @@ void mbedtls_asn1_free_named_data_list_shallow( mbedtls_asn1_named_data *name ) for( mbedtls_asn1_named_data *next; name != NULL; name = next ) { next = name->next; - mbedtls_platform_zeroize( name, sizeof( *name ) ); mbedtls_free( name ); } } From bb82ab764f064495cb5890493d2519e313ce55d0 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 28 Oct 2022 12:28:54 -0500 Subject: [PATCH 057/413] pkcs7: Respond to feeback on parsing logic After recieving review on the pkcs7 parsing functions, attempt to use better API's, increase consisitency and use better documentation. The changes are in response to the following comments: - use mbedtls_x509_crt_parse_der instead of mbedtls_x509_crt_parse [1] - make lack of support for authenticatedAttributes more clear [2] - increment pointer in pkcs7_get_content_info_type rather than after [3] - rename `start` to `p` for consistency in mbedtls_pkcs7_parse_der [4] [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992509630 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992562450 [3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992741877 [4] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992754103 Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 3 +++ library/pkcs7.c | 27 ++++++++++++++------------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 9486c71535..2a557bfad3 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -38,6 +38,9 @@ * - The RFC specifies the Signed Data type can contain * certificate-revocation lists (crls). This implementation has no support * for crls so it is assumed to be an empty list. + * - The RFC allows for SignerInfo structure to optionally contain + * unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is + * assumed these fields are empty. */ #ifndef MBEDTLS_PKCS7_H 
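Review bot: The pkcs7.h limitation text says authenticatedAttributes and unauthenticatedAttributes are "assumed" empty but not what the parser does when they are present, which matters for verification: signed (authenticated) attributes change what the signature is computed over, so a message carrying them must be rejected rather than verified against the bare content. From the pkcs7.c hunk in this commit it looks like presence is only caught because the following digest-algorithm parse fails on the unexpected tag, which the text should state, e.g. `* A SignerInfo that carries either attribute set fails to parse; it is never verified as if the attributes were absent.`. Pair that with an explicit check for the [0] context-specific tag in pkcs7_get_signer_info returning a dedicated error code, so the rejection does not depend on an unrelated parse failure.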
diff --git a/library/pkcs7.c b/library/pkcs7.c index 56b6bb6170..ab7bebdf2f 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -126,6 +126,7 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, pkcs7->tag = MBEDTLS_ASN1_OID; pkcs7->len = len; pkcs7->p = *p; + *p += len; out: return( ret ); @@ -197,8 +198,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len1 = 0; size_t len2 = 0; - unsigned char *end_set, *end_cert; - unsigned char *start = *p; + unsigned char *end_set, *end_cert, *start; if( ( ret = mbedtls_asn1_get_tag( p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) @@ -235,7 +235,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, } *p = start; - if( ( ret = mbedtls_x509_crt_parse( certs, *p, len1 ) ) < 0 ) + if( ( ret = mbedtls_x509_crt_parse_der( certs, *p, len1 ) ) < 0 ) { ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; goto out; @@ -289,6 +289,8 @@ out: * [1] IMPLICIT Attributes OPTIONAL, * Returns 0 if the signerInfo is valid. * Return negative error code for failure. + * Structure must not contain vales for authenticatedAttributes + * and unauthenticatedAttributes. **/ static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, mbedtls_pkcs7_signer_info *signer ) @@ -335,6 +337,8 @@ static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, if( ret != 0 ) goto out; + /* Asssume authenticatedAttributes is nonexistent */ + ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier ); if( ret != 0 ) goto out; @@ -510,8 +514,6 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, goto out; } - p = p + signed_data->content.oid.len; - /* Look for certificates, there may or may not be any */ mbedtls_x509_crt_init( &signed_data->certs ); ret = pkcs7_get_certificates( &p, end_set, &signed_data->certs ); 
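Review bot: In pkcs7_get_certificates `start` lost its initializer (`unsigned char *end_set, *end_cert, *start;`) while `*p = start;` is still executed further down; the assignment must now sit between the two hunks, so every path that reaches `*p = start` has to pass it, otherwise this is an uninitialized pointer use. The switch to `mbedtls_x509_crt_parse_der( certs, *p, len1 )` is the right move for DER-only input, but `len1` is the length of the whole `[0] certificates` set from the first get_tag, while parse_der consumes one certificate; if the single-certificate check lives between the hunks that is fine, otherwise additional certificates in the set are silently ignored. The new comments also have typos: `vales` for `values` in the pkcs7_get_signer_info header and `Asssume` in the inline comment.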
@@ -548,7 +550,7 @@ out: int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, const size_t buflen ) { - unsigned char *start; + unsigned char *p; unsigned char *end; size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -561,17 +563,17 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, } /* make an internal copy of the buffer for parsing */ - pkcs7->raw.p = start = mbedtls_calloc( 1, buflen ); + pkcs7->raw.p = p = mbedtls_calloc( 1, buflen ); if( pkcs7->raw.p == NULL ) { ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; goto out; } - memcpy( start, buf, buflen ); + memcpy( p, buf, buflen ); pkcs7->raw.len = buflen; - end = start + buflen; + end = p + buflen; - ret = pkcs7_get_content_info_type( &start, end, &pkcs7->content_type_oid ); + ret = pkcs7_get_content_info_type( &p, end, &pkcs7->content_type_oid ); if( ret != 0 ) { len = buflen; @@ -596,14 +598,13 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, } isoidset = 1; - start = start + pkcs7->content_type_oid.len; - ret = pkcs7_get_next_content_len( &start, end, &len ); + ret = pkcs7_get_next_content_len( &p, end, &len ); if( ret != 0 ) goto out; try_data: - ret = pkcs7_get_signed_data( start, len, &pkcs7->signed_data ); + ret = pkcs7_get_signed_data( p, len, &pkcs7->signed_data ); if ( ret != 0 ) goto out; From 5f39767495331edc29417c52e55f06a0ab665d41 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 28 Oct 2022 12:38:41 -0500 Subject: [PATCH 058/413] pkcs7: Fix imports Respond to feedback about duplicate imports[1] and new import style [2]. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r991355485 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#pullrequestreview-1138745361 Signed-off-by: Nick Child --- library/pkcs7.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index ab7bebdf2f..7976a0b3a9 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c 
@@ -34,17 +34,8 @@ #include #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #include "mbedtls/platform_util.h" -#else -#include -#include -#define mbedtls_free free -#define mbedtls_calloc calloc -#define mbedtls_printf printf -#define mbedtls_snprintf snprintf -#endif #if defined(MBEDTLS_HAVE_TIME) #include "mbedtls/platform_time.h" From 471dee5a128a33da461eaf7e546188b99572f7bb Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 4 Aug 2022 16:33:14 +0800 Subject: [PATCH 059/413] Add debug helpers to track extensions Signed-off-by: Jerry Yu --- library/ssl_debug_helpers.h | 21 ++++++ library/ssl_tls13_generic.c | 126 ++++++++++++++++++++++++++++++++++++ library/ssl_tls13_server.c | 60 +---------------- 3 files changed, 150 insertions(+), 57 deletions(-) diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 9f1df736bd..07e8c7103f 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -45,4 +45,25 @@ const char *mbedtls_ssl_named_group_to_str( uint16_t in ); #endif /* MBEDTLS_DEBUG_C */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_DEBUG_C) + +const char *mbedtls_tls13_get_extension_name( uint16_t extension_type ); + +void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + const char *hs_msg_name, + uint32_t extensions_present ); + +#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present ) \ + mbedtls_ssl_tls13_print_extensions( \ + ssl, level, __FILE__, __LINE__, hs_msg_name, extensions_present ) +#else + +#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present ) + +#endif + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + #endif /* SSL_DEBUG_HELPERS_H */ diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 48e3675820..662e6f4c81 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
@@ -1485,4 +1485,130 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( } #endif /* MBEDTLS_ECDH_C */ +#if defined(MBEDTLS_DEBUG_C) +const char *mbedtls_tls13_get_extension_name( uint16_t extension_type ) +{ + switch( extension_type ) + { + case MBEDTLS_TLS_EXT_SERVERNAME: + return( "server_name" ); + + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + return( "max_fragment_length" ); + + case MBEDTLS_TLS_EXT_STATUS_REQUEST: + return( "status_request" ); + + case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: + return( "supported_groups" ); + + case MBEDTLS_TLS_EXT_SIG_ALG: + return( "signature_algorithms" ); + + case MBEDTLS_TLS_EXT_USE_SRTP: + return( "use_srtp" ); + + case MBEDTLS_TLS_EXT_HEARTBEAT: + return( "heartbeat" ); + + case MBEDTLS_TLS_EXT_ALPN: + return( "application_layer_protocol_negotiation" ); + + case MBEDTLS_TLS_EXT_SCT: + return( "signed_certificate_timestamp" ); + + case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: + return( "client_certificate_type" ); + + case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: + return( "server_certificate_type" ); + + case MBEDTLS_TLS_EXT_PADDING: + return( "padding" ); + + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + return( "pre_shared_key" ); + + case MBEDTLS_TLS_EXT_EARLY_DATA: + return( "early_data" ); + + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + return( "supported_versions" ); + + case MBEDTLS_TLS_EXT_COOKIE: + return( "cookie" ); + + case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: + return( "psk_key_exchange_modes" ); + + case MBEDTLS_TLS_EXT_CERT_AUTH: + return( "certificate_authorities" ); + + case MBEDTLS_TLS_EXT_OID_FILTERS: + return( "oid_filters" ); + + case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: + return( "post_handshake_auth" ); + + case MBEDTLS_TLS_EXT_SIG_ALG_CERT: + return( "signature_algorithms_cert" ); + + case MBEDTLS_TLS_EXT_KEY_SHARE: + return( "key_share" ); + }; + + return( "unknown" ); +} + +void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + const char *hs_msg_name, 
+ uint32_t extensions_present ) +{ + static const struct{ + uint32_t extension_mask; + const char *extension_name; + } mask_to_str_table[] = { + { MBEDTLS_SSL_EXT_SERVERNAME, "server_name" }, + { MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH, "max_fragment_length" }, + { MBEDTLS_SSL_EXT_STATUS_REQUEST, "status_request" }, + { MBEDTLS_SSL_EXT_SUPPORTED_GROUPS, "supported_groups" }, + { MBEDTLS_SSL_EXT_SIG_ALG, "signature_algorithms" }, + { MBEDTLS_SSL_EXT_USE_SRTP, "use_srtp" }, + { MBEDTLS_SSL_EXT_HEARTBEAT, "heartbeat" }, + { MBEDTLS_SSL_EXT_ALPN, "application_layer_protocol_negotiation" }, + { MBEDTLS_SSL_EXT_SCT, "signed_certificate_timestamp" }, + { MBEDTLS_SSL_EXT_CLI_CERT_TYPE, "client_certificate_type" }, + { MBEDTLS_SSL_EXT_SERV_CERT_TYPE, "server_certificate_type" }, + { MBEDTLS_SSL_EXT_PADDING, "padding" }, + { MBEDTLS_SSL_EXT_PRE_SHARED_KEY, "pre_shared_key" }, + { MBEDTLS_SSL_EXT_EARLY_DATA, "early_data" }, + { MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS, "supported_versions" }, + { MBEDTLS_SSL_EXT_COOKIE, "cookie" }, + { MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES, "psk_key_exchange_modes" }, + { MBEDTLS_SSL_EXT_CERT_AUTH, "certificate_authorities" }, + { MBEDTLS_SSL_EXT_OID_FILTERS, "oid_filters" }, + { MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH, "post_handshake_auth" }, + { MBEDTLS_SSL_EXT_SIG_ALG_CERT, "signature_algorithms_cert" }, + { MBEDTLS_SSL_EXT_KEY_SHARE, "key_share" } }; + + mbedtls_debug_print_msg( ssl, level, file, line, + "extension list of %s:", hs_msg_name ); + + for( unsigned i = 0; + i < sizeof( mask_to_str_table ) / sizeof( mask_to_str_table[0] ); + i++ ) + { + const char *extension_name = mask_to_str_table[i].extension_name; + uint32_t is_present = extensions_present & + mask_to_str_table[i].extension_mask; + + mbedtls_debug_print_msg( ssl, level, file, line, + "- %s extension ( %s )", extension_name, + is_present ? "true" : "false" ); + } +} + +#endif /* MBEDTLS_DEBUG_C */ + #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ 
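Review bot: mbedtls_ssl_tls13_print_extensions carries a second copy of the 22 extension names that mbedtls_tls13_get_extension_name already holds, so the two will drift the first time an extension is added to one and not the other; if MBEDTLS_SSL_EXT_* bits map one-to-one to MBEDTLS_TLS_EXT_* codes, the table could store only the mask and the type and call the name function. The `};` after the switch in mbedtls_tls13_get_extension_name is a stray empty statement; `}` alone is enough. `static const struct{` wants a space before the brace to match the surrounding style.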
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 3762393b96..b24aa4a8c5 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -926,56 +926,6 @@ static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECDH_C */ -#if defined(MBEDTLS_DEBUG_C) -static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl ) -{ - ((void) ssl); - - MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- KEY_SHARE_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ? - "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- PRE_SHARED_KEY_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- SUPPORTED_GROUPS_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ? - "TRUE" : "FALSE" ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- SUPPORTED_VERSION_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ? - "TRUE" : "FALSE" ) ); -#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION ) - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- SERVERNAME_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ? - "TRUE" : "FALSE" ) ); -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined ( MBEDTLS_SSL_ALPN ) - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "- ALPN_EXTENSION ( %s )", - ( ( ssl->handshake->extensions_present - & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ? 
- "TRUE" : "FALSE" ) ); -#endif /* MBEDTLS_SSL_ALPN */ -} -#endif /* MBEDTLS_DEBUG_C */ - MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl, int exts_mask ) @@ -1655,18 +1605,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, default: MBEDTLS_SSL_DEBUG_MSG( 3, - ( "unknown extension found: %ud ( ignoring )", - extension_type ) ); + ( "client hello: received %s(%u) extension ( ignored )", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); } p += extension_data_len; } -#if defined(MBEDTLS_DEBUG_C) - /* List all the extensions we have received */ - ssl_tls13_debug_print_client_hello_exts( ssl ); -#endif /* MBEDTLS_DEBUG_C */ - mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, p - buf ); From e18dc7eb9ac8d4d4161dace796c436cb6a2ef225 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 4 Aug 2022 16:29:22 +0800 Subject: [PATCH 060/413] Add forbidden extensions check for ClientHello Signed-off-by: Jerry Yu --- library/ssl_misc.h | 173 ++++++++++++++++++++++++++++++++++++- library/ssl_tls13_server.c | 57 +++++++++--- 2 files changed, 216 insertions(+), 14 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 41bb9c514d..cf3010a8fa 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -103,6 +103,93 @@ #define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 ) #define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 ) +/* Except ServerHello, other message should ignore unrecognized extension. + * + * RFC 8446 page 31 + * + * The ServerHello MUST only include extensions which are required to establish + * the cryptographic context and negotiate the protocol version. + * + * RFC 8446 page 35 + * + * If an implementation receives an extension which it recognizes and which is + * not specified for the message in which it appears, it MUST abort the handshake + * with an "illegal_parameter" alert. + */ +#define MBEDTLS_SSL_EXT_UNRECOGNIZED ( 1U << 31 ) + +/* RFC 8446 page 36. Allowed extensions for ClienHello */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ + ( MBEDTLS_SSL_EXT_SERVERNAME | \ + MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \ + MBEDTLS_SSL_EXT_STATUS_REQUEST | \ + MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \ + MBEDTLS_SSL_EXT_SIG_ALG | \ + MBEDTLS_SSL_EXT_USE_SRTP | \ + MBEDTLS_SSL_EXT_HEARTBEAT | \ + MBEDTLS_SSL_EXT_ALPN | \ + MBEDTLS_SSL_EXT_SCT | \ + MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \ + MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \ + MBEDTLS_SSL_EXT_PADDING | \ + MBEDTLS_SSL_EXT_KEY_SHARE | \ + MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \ + MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES | \ + MBEDTLS_SSL_EXT_EARLY_DATA | \ + MBEDTLS_SSL_EXT_COOKIE | \ + MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS | \ + MBEDTLS_SSL_EXT_CERT_AUTH | \ + MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH | \ + MBEDTLS_SSL_EXT_SIG_ALG_CERT | \ + MBEDTLS_SSL_EXT_UNRECOGNIZED ) + +/* RFC 8446 page 36. 
Allowed extensions for EncryptedExtensions */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ + ( MBEDTLS_SSL_EXT_SERVERNAME | \ + MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \ + MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \ + MBEDTLS_SSL_EXT_USE_SRTP | \ + MBEDTLS_SSL_EXT_HEARTBEAT | \ + MBEDTLS_SSL_EXT_ALPN | \ + MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \ + MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \ + MBEDTLS_SSL_EXT_EARLY_DATA | \ + MBEDTLS_SSL_EXT_UNRECOGNIZED ) + +/* RFC 8446 page 36. Allowed extensions for CertificateRequest */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ + ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \ + MBEDTLS_SSL_EXT_SIG_ALG | \ + MBEDTLS_SSL_EXT_SCT | \ + MBEDTLS_SSL_EXT_CERT_AUTH | \ + MBEDTLS_SSL_EXT_OID_FILTERS | \ + MBEDTLS_SSL_EXT_SIG_ALG_CERT | \ + MBEDTLS_SSL_EXT_UNRECOGNIZED ) + +/* RFC 8446 page 36. Allowed extensions for Certificate */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ + ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \ + MBEDTLS_SSL_EXT_SCT | \ + MBEDTLS_SSL_EXT_UNRECOGNIZED ) + +/* RFC 8446 page 36. Allowed extensions for ServerHello */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ + ( MBEDTLS_SSL_EXT_KEY_SHARE | \ + MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \ + MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) + +/* RFC 8446 page 36. Allowed extensions for HelloRetryRequest */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ + ( MBEDTLS_SSL_EXT_KEY_SHARE | \ + MBEDTLS_SSL_EXT_COOKIE | \ + MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS | \ + MBEDTLS_SSL_EXT_UNRECOGNIZED ) + +/* RFC 8446 page 36. Allowed extensions for NewSessionTicket */ +#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ + ( MBEDTLS_SSL_EXT_EARLY_DATA | \ + MBEDTLS_SSL_EXT_UNRECOGNIZED ) + /* * Helper macros for function call with return check. */ 
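Review bot: "ClienHello" in the comment above MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH should read "ClientHello"; the same typo is carried into the commit 066 rewrite of that comment. MBEDTLS_SSL_EXT_UNRECOGNIZED, defined as `( 1U << 31 )`, is the only unsigned constant in a family whose other members are plain `( 1 << n )` int values (the context lines show `( 1 << 20 )` and `( 1 << 21 )`), so every combined mask silently mixes signed and unsigned operands. Defining the whole MBEDTLS_SSL_EXT_ family as `( 1U << n )` would make the masks uniformly uint32_t-sized and match the uint32_t extensions_present field introduced in the next hunk.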
@@ -858,7 +945,7 @@ struct mbedtls_ssl_handshake_params #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - int extensions_present; /*!< extension presence; Each bitfield + uint32_t extensions_present; /*!< extension presence; Each bitfield represents an extension and defined as \c MBEDTLS_SSL_EXT_XXX */ 
@@ -1838,6 +1925,90 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ +/* + * Helper functions to check if the extension is allowed or forbiden + */ +static inline int mbedtls_ssl_tls13_has_extensions( mbedtls_ssl_context *ssl, + int extensions_mask ) +{ + int masked = ssl->handshake->extensions_present & extensions_mask; + return( masked != 0 ); +} + +static inline int mbedtls_tls13_get_extension_mask( uint16_t extension_type ) +{ + switch( extension_type ) + { + case MBEDTLS_TLS_EXT_SERVERNAME: + return( MBEDTLS_SSL_EXT_SERVERNAME ); + + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + return( MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ); + + case MBEDTLS_TLS_EXT_STATUS_REQUEST: + return( MBEDTLS_SSL_EXT_STATUS_REQUEST ); + + case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: + return( MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ); + + case MBEDTLS_TLS_EXT_SIG_ALG: + return( MBEDTLS_SSL_EXT_SIG_ALG ); + + case MBEDTLS_TLS_EXT_USE_SRTP: + return( MBEDTLS_SSL_EXT_USE_SRTP ); + + case MBEDTLS_TLS_EXT_HEARTBEAT: + return( MBEDTLS_SSL_EXT_HEARTBEAT ); + + case MBEDTLS_TLS_EXT_ALPN: + return( MBEDTLS_SSL_EXT_ALPN ); + + case MBEDTLS_TLS_EXT_SCT: + return( MBEDTLS_SSL_EXT_SCT ); + + case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: + return( MBEDTLS_SSL_EXT_CLI_CERT_TYPE ); + + case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: + return( MBEDTLS_SSL_EXT_SERV_CERT_TYPE ); + + case MBEDTLS_TLS_EXT_PADDING: + return( MBEDTLS_SSL_EXT_PADDING ); + + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + return( MBEDTLS_SSL_EXT_PRE_SHARED_KEY ); + + case MBEDTLS_TLS_EXT_EARLY_DATA: + return( MBEDTLS_SSL_EXT_EARLY_DATA ); + + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + return( MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ); + + case MBEDTLS_TLS_EXT_COOKIE: + return( MBEDTLS_SSL_EXT_COOKIE ); + + case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: + return( MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ); + + case MBEDTLS_TLS_EXT_CERT_AUTH: + return( 
MBEDTLS_SSL_EXT_CERT_AUTH ); + + case MBEDTLS_TLS_EXT_OID_FILTERS: + return( MBEDTLS_SSL_EXT_OID_FILTERS ); + + case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: + return( MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ); + + case MBEDTLS_TLS_EXT_SIG_ALG_CERT: + return( MBEDTLS_SSL_EXT_SIG_ALG_CERT ); + + case MBEDTLS_TLS_EXT_KEY_SHARE: + return( MBEDTLS_SSL_EXT_KEY_SHARE ); + }; + + return( MBEDTLS_SSL_EXT_UNRECOGNIZED ); +} + /* * Helper functions to check the selected key exchange mode. */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index b24aa4a8c5..32f64d73c9 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1239,6 +1239,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, const unsigned char *cipher_suites_end; size_t extensions_len; const unsigned char *extensions_end; + uint32_t extensions_present; int hrr_required = 0; #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) @@ -1247,7 +1248,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, const unsigned char *pre_shared_key_ext_end = NULL; #endif - ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; + extensions_present = MBEDTLS_SSL_EXT_NONE; /* * ClientHello layout: @@ -1431,7 +1432,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, * Servers MUST check that it is the last extension and otherwise fail * the handshake with an "illegal_parameter" alert. */ - if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) + if( extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key is not last extension." ) ); 
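Review bot: mbedtls_tls13_get_extension_mask is declared to return int, but its fall-through returns MBEDTLS_SSL_EXT_UNRECOGNIZED, which the earlier ssl_misc.h hunk defines as `( 1U << 31 )`; converting that to int is implementation-defined in C, and callers then OR the result into the uint32_t extensions_present. The int extensions_mask parameter of mbedtls_ssl_tls13_has_extensions has the same mismatch with the uint32_t field it is ANDed with. Declare both as the field's type: `static inline uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type )` and `uint32_t extensions_mask )`. The `};` after the switch is a stray empty declaration that -pedantic builds warn about, and "forbiden" in the header comment should read "forbidden".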
@@ -1449,6 +1450,27 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); extension_data_end = p + extension_data_len; + /* RFC 8446 page 35 + * + * If an implementation receives an extension which it recognizes and which + * is not specified for the message in which it appears, it MUST abort the + * handshake with an "illegal_parameter" alert. + */ + extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "client hello : received %s(%u) extension", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); + if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "forbidden extension received." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + switch( extension_type ) { #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) @@ -1462,7 +1484,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, 1, "mbedtls_ssl_parse_servername_ext", ret ); return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME; break; #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ @@ -1485,7 +1506,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS; break; #endif /* MBEDTLS_ECDH_C */ @@ -1515,7 +1535,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE; break; #endif /* MBEDTLS_ECDH_C */ 
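Review bot: The forbidden-extension check in the `@@ -1449` hunk tests the cumulative `extensions_present` rather than the mask of the extension just read, so once any allowed extension has been seen the AND is non-zero and a later recognised-but-forbidden extension is never rejected; only a forbidden extension that appears first in the list trips the check. Keep the OR but test the single mask: `uint32_t extension_mask = mbedtls_tls13_get_extension_mask( extension_type );` `if( ( extension_mask & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ) == 0 )` followed by `extensions_present |= extension_mask;`, which is how the CertificateRequest hunk of commit 062 is written. The same cumulative test appears in the EncryptedExtensions hunk of commit 061, the Certificate hunk of commit 063, the ServerHello/HelloRetryRequest hunk of commit 064 and the NewSessionTicket hunk of commit 065, and in the ServerHello case it is now the only guard because the `default:` branch there no longer rejects unknown types. A cumulative mask also cannot detect a repeated extension, which RFC 8446 section 4.2 forbids; ssl_tls13_parse_client_hello continues outside the hunk.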
@@ -1530,7 +1549,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ( "ssl_tls13_parse_supported_versions_ext" ), ret ); return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS; break; #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) @@ -1546,13 +1564,12 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES; break; #endif case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); - if( ( ssl->handshake->extensions_present & + if( ( extensions_present & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 ) { MBEDTLS_SSL_PEND_FATAL_ALERT( @@ -1567,8 +1584,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, */ pre_shared_key_ext = p; pre_shared_key_ext_end = extension_data_end; -#endif - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ break; #if defined(MBEDTLS_SSL_ALPN) @@ -1582,7 +1598,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, 1, ( "mbedtls_ssl_parse_alpn_ext" ), ret ); return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN; break; #endif /* MBEDTLS_SSL_ALPN */ @@ -1599,7 +1614,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ret ) ); return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG; break; #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 
@@ -1613,6 +1627,22 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, p += extension_data_len; } + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "ClientHello", extensions_present ); + + /* RFC 8446 page 102 + * - "supported_versions" is REQUIRED for all ClientHello, ServerHello, and + * HelloRetryRequest messages. + */ + if( ( extensions_present & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "client hello: supported_versions not found" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, p - buf ); @@ -1636,7 +1666,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, cipher_suites_end ); if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) { - ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY; + extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY; } else if( ret != 0 ) { @@ -1651,6 +1681,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ssl->handshake->update_checksum( ssl, buf, p - buf ); } + ssl->handshake->extensions_present = extensions_present; ret = ssl_tls13_determine_key_exchange_mode( ssl ); if( ret < 0 ) return( ret ); From cbd082f396eabdba054c03215b6636c254275d87 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 4 Aug 2022 16:55:10 +0800 Subject: [PATCH 061/413] Add extension check for EncryptedExtensions Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 40 +++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index ac19f63081..db0eb44d75 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -32,6 +32,7 @@ #include "ssl_misc.h" #include "ssl_client.h" #include "ssl_tls13_keys.h" +#include "ssl_debug_helpers.h" /* Write extensions */ 
@@ -1969,6 +1970,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, size_t extensions_len; const unsigned char *p = buf; const unsigned char *extensions_end; + uint32_t extensions_present; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); @@ -1978,6 +1980,8 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; + extensions_present = MBEDTLS_SSL_EXT_NONE; + while( p < extensions_end ) { unsigned int extension_type; @@ -1996,10 +2000,27 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - /* The client MUST check EncryptedExtensions for the - * presence of any forbidden extensions and if any are found MUST abort - * the handshake with an "unsupported_extension" alert. + /* RFC 8446 page 35 + * + * If an implementation receives an extension which it recognizes and which + * is not specified for the message in which it appears, it MUST abort the + * handshake with an "illegal_parameter" alert. */ + extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "encrypted extensions : received %s(%u) extension", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); + if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "forbidden extension received." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + switch( extension_type ) { case MBEDTLS_TLS_EXT_SERVERNAME: 
@@ -2024,17 +2045,18 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, break; #endif /* MBEDTLS_SSL_ALPN */ default: - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "unsupported extension found: %u ", extension_type) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, - MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); - return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "encrypted extensions: received %s(%u) extension ( ignored )", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); + break; } p += extension_data_len; } + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "EncrypedExtensions", extensions_present ); + /* Check that we consumed all the message. */ if( p != end ) { From c55a6af9eb9749cba60c67954b4d077e21e9d0ac Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 4 Aug 2022 17:01:21 +0800 Subject: [PATCH 062/413] Add extensions check for CertificateRequest Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 66 +++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index db0eb44d75..599f488be5 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2162,7 +2162,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, size_t certificate_request_context_len = 0; size_t extensions_len = 0; const unsigned char *extensions_end; - unsigned char sig_alg_ext_found = 0; + uint32_t extensions_present; /* ... * opaque certificate_request_context<0..2^8-1> 
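Review bot: The label passed to MBEDTLS_SSL_TLS1_3_PRINT_EXTS is misspelled `"EncrypedExtensions"`; use `"EncryptedExtensions"` so the debug output matches the message names used for the other handshake messages. With the `default:` branch now ignoring unknown types instead of pending MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, the allowed-mask check earlier in the loop (outside this hunk) is the only thing rejecting unexpected extensions in EncryptedExtensions, so that check alone carries the RFC 8446 section 4.2 requirement for this message. ssl_tls13_parse_encrypted_extensions continues outside the hunk.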
@@ -2202,10 +2202,13 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; + extensions_present = MBEDTLS_SSL_EXT_NONE; + while( p < extensions_end ) { unsigned int extension_type; size_t extension_data_len; + uint32_t extension_mask; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); @@ -2214,6 +2217,38 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); + /* RFC 8446 page 35 + * + * If an implementation receives an extension which it recognizes and which + * is not specified for the message in which it appears, it MUST abort the + * handshake with an "illegal_parameter" alert. + */ + extension_mask = mbedtls_tls13_get_extension_mask( extension_type ); + + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "encrypted extensions : received %s(%u) extension", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); + if( ( extension_mask & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "forbidden extension received." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + if( extensions_present & extension_mask ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "Duplicate %s extensions found", + mbedtls_tls13_get_extension_name( extension_type ) ) ); + goto decode_error; + + } + extensions_present |= extension_mask; + switch( extension_type ) { case MBEDTLS_TLS_EXT_SIG_ALG: 
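Review bot: The debug message in the `@@ -2214` hunk says `"encrypted extensions : received %s(%u) extension"` although this code is in ssl_tls13_parse_certificate_request; it should read `"certificate request: received %s(%u) extension"` to match the ignored-extension message in the following hunk. The Certificate hunk of commit 063 copies the same wrong label into mbedtls_ssl_tls13_parse_certificate. Otherwise this hunk is the one place in the series where the forbidden check tests the single `extension_mask` rather than the cumulative value, which is the correct shape; the function continues outside the hunk.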
@@ -2223,25 +2258,22 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, p + extension_data_len ); if( ret != 0 ) return( ret ); - if( ! sig_alg_ext_found ) - sig_alg_ext_found = 1; - else - { - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "Duplicate signature algorithms extensions found" ) ); - goto decode_error; - } + break; default: - MBEDTLS_SSL_DEBUG_MSG( - 3, - ( "unknown extension found: %u ( ignoring )", - extension_type ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "certificate request: received %s(%u) extension ( ignored )", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); break; } + p += extension_data_len; } + + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "CertificateRequest", extensions_present ); + /* Check that we consumed all the message. */ if( p != end ) { @@ -2249,8 +2281,12 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, ( "CertificateRequest misaligned" ) ); goto decode_error; } - /* Check that we found signature algorithms extension */ - if( ! sig_alg_ext_found ) + + /* RFC 8446 page 60 + * + * The "signature_algorithms" extension MUST be specified + */ + if( ( extensions_present & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithms extension found" ) ); From 2eaa76044b13e6ced8d828438629718c3221cc2f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 4 Aug 2022 17:28:15 +0800 Subject: [PATCH 063/413] Add extension check for Certificate Signed-off-by: Jerry Yu --- library/ssl_tls13_generic.c | 59 ++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 662e6f4c81..bd56666a97 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
@@ -447,6 +447,8 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
 while( p < certificate_list_end )
 {
 size_t cert_data_len, extensions_len;
+ const unsigned char *extensions_end;
+ uint32_t extensions_present;
 
 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
@@ -504,7 +506,62 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); p += 2; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len ); - p += extensions_len; + + extensions_end = p + extensions_len; + extensions_present = MBEDTLS_SSL_EXT_NONE; + + while( p < extensions_end ) + { + unsigned int extension_type; + size_t extension_data_len; + + /* + * struct { + * ExtensionType extension_type; (2 bytes) + * opaque extension_data<0..2^16-1>; + * } Extension; + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); + extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); + extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); + p += 4; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); + + /* RFC 8446 page 35 + * + * If an implementation receives an extension which it recognizes and + * which is not specified for the message in which it appears, it MUST + * abort the handshake with an "illegal_parameter" alert. + */ + extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "encrypted extensions : received %s(%u) extension", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); + if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "forbidden extension received." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + switch( extension_type ) + { + default: + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "Certificate: received %s(%u) extension ( ignored )", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); + break; + } + + p += extension_data_len; + } + + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "Certificate", extensions_present ); } exit: From 2c5363e58b92c245e03dd0ad3997622d6bedf320 Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Thu, 4 Aug 2022 17:42:49 +0800 Subject: [PATCH 064/413] Add extension check for ServerHello and HRR Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 50 +++++++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 599f488be5..f42e591bdc 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1496,6 +1496,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, mbedtls_ssl_handshake_params *handshake = ssl->handshake; size_t extensions_len; const unsigned char *extensions_end; + uint32_t extensions_present, allowed_extension_mask; uint16_t cipher_suite; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; int fatal_alert = 0; @@ -1641,6 +1642,11 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len ); + extensions_present = MBEDTLS_SSL_EXT_NONE; + allowed_extension_mask = is_hrr ? + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR : + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH; + while( p < extensions_end ) { unsigned int extension_type; 
@@ -1655,6 +1661,24 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); extension_data_end = p + extension_data_len; + /* RFC 8446 page 35 + * + * If an implementation receives an extension which it recognizes and which + * is not specified for the message in which it appears, it MUST abort the + * handshake with an "illegal_parameter" alert. + */ + extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "%s: received %s(%u) extension", + is_hrr ? "hello retry request" : "server hello", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); + if( ( extensions_present & allowed_extension_mask ) == 0 ) + { + fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; + goto cleanup; + } + switch( extension_type ) { case MBEDTLS_TLS_EXT_COOKIE: @@ -1727,18 +1751,32 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, break; default: - MBEDTLS_SSL_DEBUG_MSG( - 3, - ( "unknown extension found: %u ( ignoring )", + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "%s: ignore %s(%u) extension", + is_hrr ? "hello retry request" : "server hello", + mbedtls_tls13_get_extension_name( extension_type ), extension_type ) ); - - fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; - goto cleanup; + break; } p += extension_data_len; } + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( + 3, is_hrr ? "HelloRetryRequest" : "ServerHello", extensions_present ); + + /* RFC 8446 page 102 + * - "supported_versions" is REQUIRED for all ClientHello, ServerHello, and + * HelloRetryRequest messages. + */ + if( ( extensions_present & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "%s: supported_versions not found", + is_hrr ? "hello retry request" : "server hello" ) ); + fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; + } + cleanup: if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ) 
From 6ba9f1c959cdcb30e0da23c1a7ced1ceb85e73a6 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 4 Aug 2022 17:53:25 +0800 Subject: [PATCH 065/413] Add extension check for NewSessionTicket Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index f42e591bdc..1abe09e5ed 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2565,9 +2565,12 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, const unsigned char *end ) { const unsigned char *p = buf; + uint32_t extensions_present; ((void) ssl); + extensions_present = MBEDTLS_SSL_EXT_NONE; + while( p < end ) { unsigned int extension_type; @@ -2580,6 +2583,27 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len ); + /* RFC 8446 page 35 + * + * If an implementation receives an extension which it recognizes and which + * is not specified for the message in which it appears, it MUST abort the + * handshake with an "illegal_parameter" alert. + */ + extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "NewSessionTicket : received %s(%u) extension", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); + if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "forbidden extension received." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + switch( extension_type ) { case MBEDTLS_TLS_EXT_EARLY_DATA: 
@@ -2587,11 +2611,18 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, break; default: + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "NewSessionTicket : received %s(%u) extension ( ignored )", + mbedtls_tls13_get_extension_name( extension_type ), + extension_type ) ); break; } + p += extension_data_len; } + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "NewSessionTicket", extensions_present ); + return( 0 ); } From d15992d3ce5aba001a843b0b832cbbf3a4cd8da5 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 29 Aug 2022 10:58:31 +0800 Subject: [PATCH 066/413] fix wrong setting of unrecognized ext Signed-off-by: Jerry Yu --- library/ssl_misc.h | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index cf3010a8fa..aaa910fc81 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -103,14 +103,18 @@ #define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 ) #define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 ) -/* Except ServerHello, other message should ignore unrecognized extension. +/* For request messages, we should just ignore unrecognized extension when + * parsing messages. For response messages, we should not ignore unrecognized + * extension when parsing messages. Request messages include ClientHello, + * Certificate and NewSessionTicket. Response messages include ServerHello, + * EncryptExtensions, Certificate and HelloRetryRequest. * - * RFC 8446 page 31 + * RFC 8446 section 4.1.3 * * The ServerHello MUST only include extensions which are required to establish * the cryptographic context and negotiate the protocol version. * - * RFC 8446 page 35 + * RFC 8446 section 4.2 * * If an implementation receives an extension which it recognizes and which is * not specified for the message in which it appears, it MUST abort the handshake 
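Review bot: The rewritten comment in the ssl_misc.h `@@ -103,14 +103,18 @@` hunk lists Certificate both as a request message (unrecognised extensions ignored) and as a response message (unrecognised extensions rejected), so it does not say which rule Certificate follows; the later hunks of this commit drop MBEDTLS_SSL_EXT_UNRECOGNIZED from MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT while keeping it in the ClientHello, CertificateRequest and NewSessionTicket masks, so the first list presumably meant CertificateRequest. "EncryptExtensions" should read "EncryptedExtensions". Suggested opening: `/* For request messages (ClientHello, CertificateRequest, NewSessionTicket) unrecognized` `* extensions are ignored while parsing; for response messages (ServerHello,` `* HelloRetryRequest, EncryptedExtensions, Certificate) they are rejected.`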
@@ -118,7 +122,7 @@ */ #define MBEDTLS_SSL_EXT_UNRECOGNIZED ( 1U << 31 ) -/* RFC 8446 page 36. Allowed extensions for ClienHello */ +/* RFC 8446 section 4.2. Allowed extensions for ClienHello */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ ( MBEDTLS_SSL_EXT_SERVERNAME | \ MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \ @@ -143,7 +147,7 @@ MBEDTLS_SSL_EXT_SIG_ALG_CERT | \ MBEDTLS_SSL_EXT_UNRECOGNIZED ) -/* RFC 8446 page 36. Allowed extensions for EncryptedExtensions */ +/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ ( MBEDTLS_SSL_EXT_SERVERNAME | \ MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \ @@ -153,10 +157,9 @@ MBEDTLS_SSL_EXT_ALPN | \ MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \ MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \ - MBEDTLS_SSL_EXT_EARLY_DATA | \ - MBEDTLS_SSL_EXT_UNRECOGNIZED ) + MBEDTLS_SSL_EXT_EARLY_DATA ) -/* RFC 8446 page 36. Allowed extensions for CertificateRequest */ +/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \ MBEDTLS_SSL_EXT_SIG_ALG | \ 
@@ -166,26 +169,24 @@ MBEDTLS_SSL_EXT_SIG_ALG_CERT | \ MBEDTLS_SSL_EXT_UNRECOGNIZED ) -/* RFC 8446 page 36. Allowed extensions for Certificate */ +/* RFC 8446 section 4.2. Allowed extensions for Certificate */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \ - MBEDTLS_SSL_EXT_SCT | \ - MBEDTLS_SSL_EXT_UNRECOGNIZED ) + MBEDTLS_SSL_EXT_SCT ) -/* RFC 8446 page 36. Allowed extensions for ServerHello */ +/* RFC 8446 section 4.2. Allowed extensions for ServerHello */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ ( MBEDTLS_SSL_EXT_KEY_SHARE | \ MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \ MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) -/* RFC 8446 page 36. Allowed extensions for HelloRetryRequest */ +/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ ( MBEDTLS_SSL_EXT_KEY_SHARE | \ MBEDTLS_SSL_EXT_COOKIE | \ - MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS | \ - MBEDTLS_SSL_EXT_UNRECOGNIZED ) + MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) -/* RFC 8446 page 36. Allowed extensions for NewSessionTicket */ +/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ ( MBEDTLS_SSL_EXT_EARLY_DATA | \ MBEDTLS_SSL_EXT_UNRECOGNIZED ) From 43ff252688c77568d3a19f43e75efa96effbee60 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 29 Aug 2022 12:58:05 +0800 Subject: [PATCH 067/413] Remove unnecessary checks. Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 31 ------------------------------- 1 file changed, 31 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 1abe09e5ed..5b7a14a289 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -1683,12 +1683,6 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, { case MBEDTLS_TLS_EXT_COOKIE: - if( !is_hrr ) - { - fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; - goto cleanup; - } - ret = ssl_tls13_parse_cookie_ext( ssl, p, extension_data_end ); if( ret != 0 ) @@ -1711,11 +1705,6 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); - if( is_hrr ) - { - fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; - goto cleanup; - } if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext( ssl, p, extension_data_end ) ) != 0 ) @@ -1765,18 +1754,6 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, is_hrr ? "HelloRetryRequest" : "ServerHello", extensions_present ); - /* RFC 8446 page 102 - * - "supported_versions" is REQUIRED for all ClientHello, ServerHello, and - * HelloRetryRequest messages. - */ - if( ( extensions_present & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "%s: supported_versions not found", - is_hrr ? "hello retry request" : "server hello" ) ); - fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; - } - cleanup: if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ) @@ -2277,14 +2254,6 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - if( extensions_present & extension_mask ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "Duplicate %s extensions found", - mbedtls_tls13_get_extension_name( extension_type ) ) ); - goto decode_error; - - } extensions_present |= extension_mask; switch( extension_type ) From 9872eb2d691602f51fae5629c2ff606666c25f80 Mon Sep 17 00:00:00 2001 
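Review bot: Dropping the supported_versions presence check leaves nothing in ssl_tls13_parse_server_hello that rejects a ServerHello or HelloRetryRequest without that extension, which RFC 8446 section 4.2.1 requires from a TLS 1.3 server and which is what tells a TLS 1.3 ServerHello apart from a TLS 1.2 one. Unless ssl_tls13_preprocess_server_hello or the version-selection code elsewhere already enforces this (not visible in this patch), a server omitting the extension would be processed as TLS 1.3 on the strength of legacy_version alone; please either point to where the check now lives or keep it. The duplicate-extension rejection removed from ssl_tls13_parse_certificate_request is likewise not replaced in this commit, although RFC 8446 section 4.2 forbids repeating an extension type within one extension block. Both enclosing functions extend beyond the hunks shown.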
From: Jerry Yu Date: Mon, 29 Aug 2022 13:42:01 +0800 Subject: [PATCH 068/413] change return type for unexpected extension Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 5b7a14a289..2e0599d008 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1740,12 +1740,13 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, break; default: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "%s: ignore %s(%u) extension", + MBEDTLS_SSL_DEBUG_MSG( 2, + ( "%s: unexpected extension (%s(%u)) received .", is_hrr ? "hello retry request" : "server hello", mbedtls_tls13_get_extension_name( extension_type ), extension_type ) ); - break; + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto cleanup; } p += extension_data_len; From ffa15827933a9fcc5af5fb39155a4650e56bb48d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 29 Aug 2022 15:19:42 +0800 Subject: [PATCH 069/413] move get_extension mask Signed-off-by: Jerry Yu --- library/ssl_misc.h | 81 +------------------------------------ library/ssl_tls13_generic.c | 74 +++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 79 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index aaa910fc81..10ebfff988 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
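Review bot: If a peer-sent extension can still reach the `default:` branch (the allowed-mask check that precedes this switch is outside the hunk), MBEDTLS_ERR_SSL_INTERNAL_ERROR misclassifies a protocol violation by the server as a library bug, and because `fatal_alert` stays 0 the `cleanup:` path sends no alert at all. The function already has the machinery for this case, so `fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; goto cleanup;` would report it as RFC 8446 section 4.2 asks. If the branch is genuinely unreachable after the mask check, keep the internal error but restore a level-1 debug message saying that an extension passed the mask without a handler, otherwise the silent failure is hard to diagnose.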
@@ -1927,88 +1927,11 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ /* - * Helper functions to check if the extension is allowed or forbiden + * Helper functions for extensions checking and convert. */ -static inline int mbedtls_ssl_tls13_has_extensions( mbedtls_ssl_context *ssl, - int extensions_mask ) -{ - int masked = ssl->handshake->extensions_present & extensions_mask; - return( masked != 0 ); -} -static inline int mbedtls_tls13_get_extension_mask( uint16_t extension_type ) -{ - switch( extension_type ) - { - case MBEDTLS_TLS_EXT_SERVERNAME: - return( MBEDTLS_SSL_EXT_SERVERNAME ); +uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type ); - case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: - return( MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ); - - case MBEDTLS_TLS_EXT_STATUS_REQUEST: - return( MBEDTLS_SSL_EXT_STATUS_REQUEST ); - - case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: - return( MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ); - - case MBEDTLS_TLS_EXT_SIG_ALG: - return( MBEDTLS_SSL_EXT_SIG_ALG ); - - case MBEDTLS_TLS_EXT_USE_SRTP: - return( MBEDTLS_SSL_EXT_USE_SRTP ); - - case MBEDTLS_TLS_EXT_HEARTBEAT: - return( MBEDTLS_SSL_EXT_HEARTBEAT ); - - case MBEDTLS_TLS_EXT_ALPN: - return( MBEDTLS_SSL_EXT_ALPN ); - - case MBEDTLS_TLS_EXT_SCT: - return( MBEDTLS_SSL_EXT_SCT ); - - case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: - return( MBEDTLS_SSL_EXT_CLI_CERT_TYPE ); - - case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: - return( MBEDTLS_SSL_EXT_SERV_CERT_TYPE ); - - case MBEDTLS_TLS_EXT_PADDING: - return( MBEDTLS_SSL_EXT_PADDING ); - - case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: - return( MBEDTLS_SSL_EXT_PRE_SHARED_KEY ); - - case MBEDTLS_TLS_EXT_EARLY_DATA: - return( MBEDTLS_SSL_EXT_EARLY_DATA ); - - case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: - return( MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ); - - case MBEDTLS_TLS_EXT_COOKIE: - return( MBEDTLS_SSL_EXT_COOKIE ); - - case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: - return( 
MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ); - - case MBEDTLS_TLS_EXT_CERT_AUTH: - return( MBEDTLS_SSL_EXT_CERT_AUTH ); - - case MBEDTLS_TLS_EXT_OID_FILTERS: - return( MBEDTLS_SSL_EXT_OID_FILTERS ); - - case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: - return( MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ); - - case MBEDTLS_TLS_EXT_SIG_ALG_CERT: - return( MBEDTLS_SSL_EXT_SIG_ALG_CERT ); - - case MBEDTLS_TLS_EXT_KEY_SHARE: - return( MBEDTLS_SSL_EXT_KEY_SHARE ); - }; - - return( MBEDTLS_SSL_EXT_UNRECOGNIZED ); -} /* * Helper functions to check the selected key exchange mode. diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index bd56666a97..5eac1f1b14 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
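Review bot: The new public declaration `uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type );` has no documentation, and the one behaviour callers depend on (every unknown type maps to the shared MBEDTLS_SSL_EXT_UNRECOGNIZED bit, so distinct unknown types are indistinguishable in a mask) is only visible in the .c file. Add a short comment above it, e.g. `/* Map an IANA extension type to its MBEDTLS_SSL_EXT_XXX bit; unknown types map to MBEDTLS_SSL_EXT_UNRECOGNIZED. */`. The section header "Helper functions for extensions checking and convert." should read "extension checking and conversion". The return type also changed from int to uint32_t in the move, which is correct for a bit-31 mask but worth a line in the commit message.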
@@ -1542,6 +1542,80 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( } #endif /* MBEDTLS_ECDH_C */ +uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type ) +{ + switch( extension_type ) + { + case MBEDTLS_TLS_EXT_SERVERNAME: + return( MBEDTLS_SSL_EXT_SERVERNAME ); + + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + return( MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ); + + case MBEDTLS_TLS_EXT_STATUS_REQUEST: + return( MBEDTLS_SSL_EXT_STATUS_REQUEST ); + + case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: + return( MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ); + + case MBEDTLS_TLS_EXT_SIG_ALG: + return( MBEDTLS_SSL_EXT_SIG_ALG ); + + case MBEDTLS_TLS_EXT_USE_SRTP: + return( MBEDTLS_SSL_EXT_USE_SRTP ); + + case MBEDTLS_TLS_EXT_HEARTBEAT: + return( MBEDTLS_SSL_EXT_HEARTBEAT ); + + case MBEDTLS_TLS_EXT_ALPN: + return( MBEDTLS_SSL_EXT_ALPN ); + + case MBEDTLS_TLS_EXT_SCT: + return( MBEDTLS_SSL_EXT_SCT ); + + case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: + return( MBEDTLS_SSL_EXT_CLI_CERT_TYPE ); + + case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: + return( MBEDTLS_SSL_EXT_SERV_CERT_TYPE ); + + case MBEDTLS_TLS_EXT_PADDING: + return( MBEDTLS_SSL_EXT_PADDING ); + + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + return( MBEDTLS_SSL_EXT_PRE_SHARED_KEY ); + + case MBEDTLS_TLS_EXT_EARLY_DATA: + return( MBEDTLS_SSL_EXT_EARLY_DATA ); + + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + return( MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ); + + case MBEDTLS_TLS_EXT_COOKIE: + return( MBEDTLS_SSL_EXT_COOKIE ); + + case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: + return( MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ); + + case MBEDTLS_TLS_EXT_CERT_AUTH: + return( MBEDTLS_SSL_EXT_CERT_AUTH ); + + case MBEDTLS_TLS_EXT_OID_FILTERS: + return( MBEDTLS_SSL_EXT_OID_FILTERS ); + + case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: + return( MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ); + + case MBEDTLS_TLS_EXT_SIG_ALG_CERT: + return( MBEDTLS_SSL_EXT_SIG_ALG_CERT ); + + case MBEDTLS_TLS_EXT_KEY_SHARE: + return( MBEDTLS_SSL_EXT_KEY_SHARE ); + }; + + return( 
MBEDTLS_SSL_EXT_UNRECOGNIZED ); +} + #if defined(MBEDTLS_DEBUG_C) const char *mbedtls_tls13_get_extension_name( uint16_t extension_type ) { From 0c354a211bed62b86e8c00b6eb806e16e0dc563a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 29 Aug 2022 15:25:36 +0800 Subject: [PATCH 070/413] introduce sent/recv extensions field And remove `extensions_present` Signed-off-by: Jerry Yu --- library/ssl_client.c | 24 ++++- library/ssl_debug_helpers.h | 6 +- library/ssl_misc.h | 17 +++- library/ssl_tls.c | 8 +- library/ssl_tls13_client.c | 189 +++++++++++++++--------------------- library/ssl_tls13_generic.c | 118 +++++++++++++++++----- library/ssl_tls13_server.c | 64 ++++-------- 7 files changed, 235 insertions(+), 191 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index d9c6781592..b0d2dcf3ca 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -106,6 +106,14 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl, *olen = hostname_len + 9; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_SERVERNAME ); + MBEDTLS_SSL_DEBUG_MSG( + 4, ( "sent %s extension", + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_SERVERNAME ) ) ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ @@ -177,6 +185,14 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, /* Extension length = *out_len - 2 (ext_type) - 2 (ext_len) */ MBEDTLS_PUT_UINT16_BE( *out_len - 4, buf, 2 ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_ALPN ); + MBEDTLS_SSL_DEBUG_MSG( + 4, ( "sent %s extension", + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_ALPN ) ) ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); } #endif /* MBEDTLS_SSL_ALPN */ 
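Review bot: The moved mbedtls_tls13_get_extension_mask carries over a stray `};` after the switch's closing brace, which is an empty statement and should be `}`. The function is now non-static and exported from ssl_tls13_generic.c but has no header comment; a one-liner such as `/* Return the MBEDTLS_SSL_EXT_XXX bit for an IANA extension type, or MBEDTLS_SSL_EXT_UNRECOGNIZED for types this implementation does not know. */` is enough. Callers in this series pass `unsigned int` values read with MBEDTLS_GET_UINT16_BE, so the narrowing to uint16_t is safe, but the parameter type should match the `uint32_t extension_type` used by mbedtls_tls13_check_received_extensions in the same series to avoid mixed widths for the same quantity.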
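Review bot: The same three-statement pattern (set the sent-extension bit, then a level-4 debug message naming the extension) is added here to ssl_write_hostname_ext and ssl_write_alpn_ext and repeated verbatim in every other extension writer touched by this commit; folding the debug message into mbedtls_tls13_set_sent_ext_mask would make each writer a single call and keep the message format from drifting between copies. Note also that these two writers are shared with TLS 1.2 handshakes, so handshake->sent_extensions is now updated on the 1.2 path as well; that is harmless as long as nothing reads it there, but the `#if defined(MBEDTLS_SSL_PROTO_TLS1_3)` guard deserves a comment saying the field is only consumed by the 1.3 parsers.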
@@ -296,7 +312,11 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl, *out_len = p - buf; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS; + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ) ) ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); @@ -557,7 +577,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Keeping track of the included extensions */ - handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; + handshake->sent_extensions = MBEDTLS_SSL_EXT_NONE; #endif /* First write extensions, then the total length */ diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 07e8c7103f..6b97bc6523 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -52,12 +52,12 @@ const char *mbedtls_tls13_get_extension_name( uint16_t extension_type ); void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, int level, const char *file, int line, - const char *hs_msg_name, + int hs_msg_type, uint32_t extensions_present ); -#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present ) \ +#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_type, extensions_present ) \ mbedtls_ssl_tls13_print_extensions( \ - ssl, level, __FILE__, __LINE__, hs_msg_name, extensions_present ) + ssl, level, __FILE__, __LINE__, hs_msg_type, extensions_present ) #else #define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present ) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 10ebfff988..b7f1440bb8 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
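Review bot: The `#else` branch of MBEDTLS_SSL_TLS1_3_PRINT_EXTS still names its second parameter `hs_msg_name` while the `#if` branch and mbedtls_ssl_tls13_print_extensions now take `hs_msg_type`; the stub compiles either way, but the mismatch will mislead the next reader, so rename it in both branches. More importantly, the `int hs_msg_type` parameter uses a convention that is documented nowhere in the header: HelloRetryRequest is passed as `-MBEDTLS_SSL_HS_SERVER_HELLO` because it has no IANA handshake type. Put that in the declaration's comment, e.g. `hs_msg_type: MBEDTLS_SSL_HS_XXX of the message, or -MBEDTLS_SSL_HS_SERVER_HELLO for HelloRetryRequest`, so callers in ssl_tls13_client.c are not the only place the encoding can be learned.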
@@ -946,9 +946,8 @@ struct mbedtls_ssl_handshake_params #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - uint32_t extensions_present; /*!< extension presence; Each bitfield - represents an extension and defined - as \c MBEDTLS_SSL_EXT_XXX */ + uint32_t sent_extensions; /*!< extensions sent by endpoint */ + uint32_t received_extensions; /*!< extensions received by endpoint */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) unsigned char certificate_request_context_len; @@ -1932,6 +1931,18 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type ); +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl, + int hs_msg_type, + uint32_t extension_type, + uint32_t allowed_mask ); + +static inline void mbedtls_tls13_set_sent_ext_mask( mbedtls_ssl_context *ssl, + uint16_t extension_type ) +{ + ssl->handshake->sent_extensions |= + mbedtls_tls13_get_extension_mask( extension_type ); +} /* * Helper functions to check the selected key exchange mode. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a49f774ed1..9947d39d82 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8713,8 +8713,14 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf, *out_len = p - buf; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG; + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_SIG_ALG ); + MBEDTLS_SSL_DEBUG_MSG( + 4, ( "sent %s extension", + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_SIG_ALG ) ) ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + return( 0 ); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 2e0599d008..c29b90ee33 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
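Review bot: The new struct fields and prototypes are under-documented for how they are actually used later in this commit: `received_extensions` is reset to MBEDTLS_SSL_EXT_NONE by every message parser (ServerHello, EncryptedExtensions, CertificateRequest, Certificate, NewSessionTicket, ClientHello), so it is per-message scratch state, not a cumulative record, and a comment such as `/* extensions seen in the handshake message currently being parsed; reset by each parser */` would prevent a later reader from treating it as handshake-wide. `sent_extensions`, by contrast, accumulates across the whole ClientHello. The prototype of mbedtls_tls13_check_received_extensions should document its `hs_msg_type` encoding (negative MBEDTLS_SSL_HS_SERVER_HELLO means HelloRetryRequest) and that it pends the fatal alert itself, so callers may simply return its result. Its `uint32_t extension_type` also disagrees with the `uint16_t` taken by mbedtls_tls13_set_sent_ext_mask and mbedtls_tls13_get_extension_mask a few lines above.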
@@ -89,7 +89,12 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl, } *out_len = 5 + versions_len; - + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ); + MBEDTLS_SSL_DEBUG_MSG( + 4, ( "sent %s extension", + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ) ) ); return( 0 ); } @@ -360,7 +365,13 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len ); - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE; + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_KEY_SHARE ); + MBEDTLS_SSL_DEBUG_MSG( + 4, ( "sent %s extension", + + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_KEY_SHARE ) ) ); cleanup: @@ -513,7 +524,6 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl, else return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE; return( ret ); } @@ -601,6 +611,13 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl, *out_len = handshake->hrr_cookie_len + 6; + + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_COOKIE ); + MBEDTLS_SSL_DEBUG_MSG( + 4, ( "sent %s extension", + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_COOKIE ) ) ); return( 0 ); } @@ -670,7 +687,13 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, buf[4] = ke_modes_len; *out_len = p - buf; - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES; + + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ); + MBEDTLS_SSL_DEBUG_MSG( + 4, ( "sent %s extension", + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ) ) ); return ( 0 ); } 
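Review bot: In the key_share hunk the MBEDTLS_SSL_DEBUG_MSG argument list contains a stray blank line between `"sent %s extension",` and the mbedtls_tls13_get_extension_name call, which the surrounding copies of this pattern do not have; drop it for consistency. Separately, removing the presence bit from ssl_tls13_parse_key_share_ext means MBEDTLS_SSL_EXT_KEY_SHARE is now recorded by the generic check before the extension body has been parsed rather than after it succeeds; that is fine for ssl_tls13_postprocess_server_hello, which only runs on a fully parsed message, but it is worth a one-line comment at the removal site so the ordering change is deliberate rather than incidental.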
@@ -982,8 +1005,6 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf ); - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; - return( 0 ); } @@ -1038,6 +1059,13 @@ int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf ); + mbedtls_tls13_set_sent_ext_mask( ssl, + MBEDTLS_TLS_EXT_PRE_SHARED_KEY ); + MBEDTLS_SSL_DEBUG_MSG( + 4, ( "sent %s extension", + mbedtls_tls13_get_extension_name( + MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) ) ); + return( 0 ); } @@ -1110,8 +1138,6 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, return( ret ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; - return( 0 ); } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ @@ -1389,7 +1415,7 @@ static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl, ssl->session_negotiate->tls_version = ssl->tls_version; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ - handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; ret = ssl_server_hello_is_hrr( ssl, buf, end ); switch( ret ) @@ -1496,10 +1522,10 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, mbedtls_ssl_handshake_params *handshake = ssl->handshake; size_t extensions_len; const unsigned char *extensions_end; - uint32_t extensions_present, allowed_extension_mask; uint16_t cipher_suite; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; int fatal_alert = 0; + uint32_t allowed_extensions_mask; /* * Check there is space for minimal fields 
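Review bot: The pre_shared_key sent bit moves from mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext to mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext without a comment explaining why, and the two halves are written at different points of ClientHello construction. Add a note at the new site along the lines of `/* The extension is only complete once the binders are written, so record it as sent here rather than after the identities. */`. In the preprocess hunk, `handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;` is set before ssl_server_hello_is_hrr and then set again at the top of the extension loop in ssl_tls13_parse_server_hello later in this commit; one of the two resets is redundant and the duplication invites divergence.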
@@ -1642,8 +1668,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len ); - extensions_present = MBEDTLS_SSL_EXT_NONE; - allowed_extension_mask = is_hrr ? + ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + allowed_extensions_mask = is_hrr ? MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR : MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH; @@ -1661,23 +1687,14 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); extension_data_end = p + extension_data_len; - /* RFC 8446 page 35 - * - * If an implementation receives an extension which it recognizes and which - * is not specified for the message in which it appears, it MUST abort the - * handshake with an "illegal_parameter" alert. - */ - extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "%s: received %s(%u) extension", - is_hrr ? "hello retry request" : "server hello", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); - if( ( extensions_present & allowed_extension_mask ) == 0 ) - { - fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; - goto cleanup; - } + ret = mbedtls_tls13_check_received_extensions( + ssl, + is_hrr ? + -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO, + extension_type, + allowed_extensions_mask ); + if( ret != 0 ) + return( ret ); switch( extension_type ) { @@ -1740,11 +1757,6 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, break; default: - MBEDTLS_SSL_DEBUG_MSG( 2, - ( "%s: unexpected extension (%s(%u)) received .", - is_hrr ? "hello retry request" : "server hello", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; goto cleanup; } 
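Review bot: The new call to mbedtls_tls13_check_received_extensions returns `ret` directly, whereas every other failure in ssl_tls13_parse_server_hello goes through `goto cleanup` with `fatal_alert` set; this works because the helper pends its own alert, but it breaks the function's single-exit pattern and should either use `goto cleanup` or carry a comment saying the alert has already been pended. The reset `ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;` duplicates the one added to ssl_tls13_preprocess_server_hello in the same commit. Note that the removed inline check tested the accumulated `extensions_present` against the allowed mask rather than the single extension's bit; the helper tests the individual bit, which is the correct behaviour, and that silent fix deserves a mention in the commit message. The enclosing function continues beyond the hunk.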
@@ -1753,7 +1765,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_TLS1_3_PRINT_EXTS( - 3, is_hrr ? "HelloRetryRequest" : "ServerHello", extensions_present ); + 3, is_hrr ? -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO, + ssl->handshake->received_extensions ); cleanup: @@ -1803,7 +1816,7 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl ) * 3) If only the key_share extension was received then the key * exchange mode is EPHEMERAL-only. */ - switch( handshake->extensions_present & + switch( handshake->received_extensions & ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) ) { /* Only the pre_shared_key extension was received */ @@ -1986,7 +1999,6 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, size_t extensions_len; const unsigned char *p = buf; const unsigned char *extensions_end; - uint32_t extensions_present; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); @@ -1996,7 +2008,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; - extensions_present = MBEDTLS_SSL_EXT_NONE; + ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < extensions_end ) { 
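Review bot: ssl_tls13_postprocess_server_hello now selects the key exchange mode from `handshake->received_extensions`, but that field is reset by the EncryptedExtensions parser a few lines further down in this same file and by every other parser in this commit, so the ServerHello bits are only valid until the next message is parsed. That is sufficient today because postprocess runs immediately after parse, yet the dependency is invisible at the read site; add `/* received_extensions still holds the ServerHello extension bits here; it is cleared by the next parser. */` above the switch, or copy the two bits of interest into dedicated handshake state when the ServerHello is parsed. Both enclosing functions extend beyond the hunks shown.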
@@ -2016,26 +2028,11 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - /* RFC 8446 page 35 - * - * If an implementation receives an extension which it recognizes and which - * is not specified for the message in which it appears, it MUST abort the - * handshake with an "illegal_parameter" alert. - */ - extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "encrypted extensions : received %s(%u) extension", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); - if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "forbidden extension received." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + ret = mbedtls_tls13_check_received_extensions( + ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE ); + if( ret != 0 ) + return( ret ); switch( extension_type ) { @@ -2071,7 +2068,8 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "EncrypedExtensions", extensions_present ); + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, + ssl->handshake->received_extensions ); /* Check that we consumed all the message. */ if( p != end ) @@ -2178,7 +2176,6 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, size_t certificate_request_context_len = 0; size_t extensions_len = 0; const unsigned char *extensions_end; - uint32_t extensions_present; /* ... * opaque certificate_request_context<0..2^8-1> 
@@ -2218,13 +2215,12 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; - extensions_present = MBEDTLS_SSL_EXT_NONE; + ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < extensions_end ) { unsigned int extension_type; size_t extension_data_len; - uint32_t extension_mask; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); @@ -2233,29 +2229,11 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - /* RFC 8446 page 35 - * - * If an implementation receives an extension which it recognizes and which - * is not specified for the message in which it appears, it MUST abort the - * handshake with an "illegal_parameter" alert. - */ - extension_mask = mbedtls_tls13_get_extension_mask( extension_type ); - - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "encrypted extensions : received %s(%u) extension", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); - if( ( extension_mask & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "forbidden extension received." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - - extensions_present |= extension_mask; + ret = mbedtls_tls13_check_received_extensions( + ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ); + if( ret != 0 ) + return( ret ); switch( extension_type ) { 
@@ -2280,7 +2258,9 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "CertificateRequest", extensions_present ); + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, + MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, + ssl->handshake->received_extensions ); /* Check that we consumed all the message. */ if( p != end ) @@ -2290,11 +2270,11 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, goto decode_error; } - /* RFC 8446 page 60 + /* RFC 8446 section 4.3.2 * * The "signature_algorithms" extension MUST be specified */ - if( ( extensions_present & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 ) + if( ( ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithms extension found" ) ); @@ -2535,16 +2515,15 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, const unsigned char *end ) { const unsigned char *p = buf; - uint32_t extensions_present; - ((void) ssl); - extensions_present = MBEDTLS_SSL_EXT_NONE; + ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < end ) { unsigned int extension_type; size_t extension_data_len; + int ret; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); 
@@ -2553,26 +2532,11 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len ); - /* RFC 8446 page 35 - * - * If an implementation receives an extension which it recognizes and which - * is not specified for the message in which it appears, it MUST abort the - * handshake with an "illegal_parameter" alert. - */ - extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "NewSessionTicket : received %s(%u) extension", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); - if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "forbidden extension received." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + ret = mbedtls_tls13_check_received_extensions( + ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ); + if( ret != 0 ) + return( ret ); switch( extension_type ) { @@ -2591,7 +2555,8 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "NewSessionTicket", extensions_present ); + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->received_extensions ); return( 0 ); } diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 5eac1f1b14..7b66be1c73 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -448,7 +448,6 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, { size_t cert_data_len, extensions_len; const unsigned char *extensions_end; - uint32_t extensions_present; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 ); cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 ); 
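Review bot: The NewSessionTicket extension loop now calls the check with `MBEDTLS_SSL_HS_CLIENT_HELLO` and `MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH`, which is the wrong message and the wrong allow-list: the code it replaces used MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST (early_data plus unrecognized), and the print call at the end of the same function still says MBEDTLS_SSL_HS_NEW_SESSION_TICKET. With the ClientHello mask a server can place key_share, supported_versions, pre_shared_key or any other ClientHello extension in a ticket without triggering the illegal_parameter alert that RFC 8446 section 4.2 requires, and the debug log will label the message "ClientHello". The call should read `ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type, MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST );`. A test with a forbidden extension in a NewSessionTicket would have caught this.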
@@ -508,7 +507,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len ); extensions_end = p + extensions_len; - extensions_present = MBEDTLS_SSL_EXT_NONE; + ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < extensions_end ) { @@ -528,26 +527,12 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - /* RFC 8446 page 35 - * - * If an implementation receives an extension which it recognizes and - * which is not specified for the message in which it appears, it MUST - * abort the handshake with an "illegal_parameter" alert. - */ - extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "encrypted extensions : received %s(%u) extension", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); - if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "forbidden extension received." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + ret = mbedtls_tls13_check_received_extensions( + ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ); + if( ret != 0 ) + return( ret ); + switch( extension_type ) { default: @@ -561,7 +546,8 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "Certificate", extensions_present ); + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->received_extensions ); } exit: 
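Review bot: mbedtls_ssl_tls13_parse_certificate is shared by both roles, and the new generic check rejects any Certificate extension whose bit is not in `sent_extensions`; for a client receiving the server's Certificate that is the RFC 8446 section 4.4.2 rule, but for a server receiving a client Certificate the relevant prior message is its own CertificateRequest, and nothing in this commit shows the CertificateRequest writer recording status_request or SCT into `sent_extensions`. If it does not, a client Certificate carrying an extension the server itself requested would be refused with unsupported_extension; please confirm or add the bookkeeping on the server side. Either way, a comment at the call site, e.g. `/* Certificate extensions must echo ones we sent (ClientHello or CertificateRequest). */`, would make the role-dependent expectation explicit. The enclosing function extends beyond the hunk.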
@@ -1691,9 +1677,31 @@ const char *mbedtls_tls13_get_extension_name( uint16_t extension_type ) return( "unknown" ); } +static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type ) +{ + switch( hs_msg_type ) + { + case MBEDTLS_SSL_HS_CLIENT_HELLO: + return( "ClientHello" ); + case MBEDTLS_SSL_HS_SERVER_HELLO: + return( "ServerHello" ); + case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value. + return( "HelloRetryRequest" ); + case MBEDTLS_SSL_HS_NEW_SESSION_TICKET: + return( "NewSessionTicket" ); + case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: + return( "EncryptedExtensions" ); + case MBEDTLS_SSL_HS_CERTIFICATE: + return( "Certificate" ); + case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: + return( "CertificateRequest" ); + } + return( NULL ); +} + void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, int level, const char *file, int line, - const char *hs_msg_name, + int hs_msg_type, uint32_t extensions_present ) { static const struct{ @@ -1724,7 +1732,8 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, { MBEDTLS_SSL_EXT_KEY_SHARE, "key_share" } }; mbedtls_debug_print_msg( ssl, level, file, line, - "extension list of %s:", hs_msg_name ); + "extension list of %s:", + ssl_tls13_get_hs_msg_name( hs_msg_type ) ); for( unsigned i = 0; i < sizeof( mask_to_str_table ) / sizeof( mask_to_str_table[0] ); 
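Review bot: ssl_tls13_get_hs_msg_name returns NULL for any type it does not list, and that pointer goes straight into a `%s` conversion in mbedtls_ssl_tls13_print_extensions and in the debug messages of mbedtls_tls13_check_received_extensions later in this file, which is undefined behaviour in printf-style formatting and crashes on many platforms. Return a string instead, matching mbedtls_tls13_get_extension_name directly above it: `return( "unknown" );`. The `// HRR does not have IANA value.` comment uses C++ syntax in a file that otherwise uses `/* */`; prefer the latter for consistency with the project's C99 target.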
@@ -1742,4 +1751,63 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, #endif /* MBEDTLS_DEBUG_C */ +/* RFC 8446 section 4.2 + * + * If an implementation receives an extension which it recognizes and which is + * not specified for the message in which it appears, it MUST abort the handshake + * with an "illegal_parameter" alert. + * + */ + +int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl, + int hs_msg_type, + uint32_t extension_type, + uint32_t allowed_mask ) +{ + uint32_t extension_mask; + +#if defined(MBEDTLS_DEBUG_C) + const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type ); +#endif + + extension_mask = mbedtls_tls13_get_extension_mask( extension_type ); + + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "%s : received %s(%x) extension", + hs_msg_name, + mbedtls_tls13_get_extension_name( extension_type ), + (unsigned int)extension_type ) ); + + if( ( extension_mask & allowed_mask ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "%s : forbidden extension received.", hs_msg_name ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + ssl->handshake->received_extensions |= extension_mask; + switch( hs_msg_type ) + { + case MBEDTLS_SSL_HS_SERVER_HELLO: + case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value. + case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: + case MBEDTLS_SSL_HS_CERTIFICATE: + if( ( ~ssl->handshake->sent_extensions & extension_mask ) == 0 ) + return( 0 ); + break; + default: + return( 0 ); + } + + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "%s : forbidden extension received.", hs_msg_name ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); +} + #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ 
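Review bot: `mbedtls_tls13_check_received_extensions` ORs `extension_mask` into `ssl->handshake->received_extensions` without first testing whether that bit is already set, so a second copy of the same extension type in one extension block is accepted silently, whereas RFC 8446 section 4.2 says there MUST NOT be more than one extension of a given type in a block. A guard before the `|=`, `if( ( ssl->handshake->received_extensions & extension_mask ) != 0 )`, pending the same illegal_parameter alert as the first check, would enforce that. This assumes `mbedtls_tls13_get_extension_mask` yields a distinct bit per recognised type and 0 for unrecognised ones, which is not visible in this hunk; if unrecognised types do map to 0, note that the existing `( extension_mask & allowed_mask ) == 0` test would also reject them in request messages such as ClientHello, where the ssl_misc.h comment later in this series says they should be ignored, so the helper's behaviour for unknown types is worth confirming.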
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 32f64d73c9..4fdd6ade8e 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -930,7 +930,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl, int exts_mask ) { - int masked = ssl->handshake->extensions_present & exts_mask; + int masked = ssl->handshake->received_extensions & exts_mask; return( masked == exts_mask ); } @@ -1239,7 +1239,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, const unsigned char *cipher_suites_end; size_t extensions_len; const unsigned char *extensions_end; - uint32_t extensions_present; int hrr_required = 0; #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) @@ -1248,8 +1247,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, const unsigned char *pre_shared_key_ext_end = NULL; #endif - extensions_present = MBEDTLS_SSL_EXT_NONE; - /* * ClientHello layout: * 0 . 1 protocol version @@ -1419,20 +1416,23 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len ); + ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + while( p < extensions_end ) { unsigned int extension_type; size_t extension_data_len; const unsigned char *extension_data_end; - /* RFC 8446, page 57 + /* RFC 8446, section 4.2.11 * * The "pre_shared_key" extension MUST be the last extension in the * ClientHello (this facilitates implementation as described below). * Servers MUST check that it is the last extension and otherwise fail * the handshake with an "illegal_parameter" alert. */ - if( extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) + if( ssl->handshake->received_extensions & + mbedtls_tls13_get_extension_mask( MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key is not last extension." ) ); 
@@ -1450,26 +1450,11 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); extension_data_end = p + extension_data_len; - /* RFC 8446 page 35 - * - * If an implementation receives an extension which it recognizes and which - * is not specified for the message in which it appears, it MUST abort the - * handshake with an "illegal_parameter" alert. - */ - extensions_present |= mbedtls_tls13_get_extension_mask( extension_type ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "client hello : received %s(%u) extension", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); - if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "forbidden extension received." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + ret = mbedtls_tls13_check_received_extensions( + ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ); + if( ret != 0 ) + return( ret ); switch( extension_type ) { @@ -1569,7 +1554,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); - if( ( extensions_present & + if( ( ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 ) { MBEDTLS_SSL_PEND_FATAL_ALERT( 
@@ -1622,26 +1607,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ( "client hello: received %s(%u) extension ( ignored )", mbedtls_tls13_get_extension_name( extension_type ), extension_type ) ); + break; } p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "ClientHello", extensions_present ); - - /* RFC 8446 page 102 - * - "supported_versions" is REQUIRED for all ClientHello, ServerHello, and - * HelloRetryRequest messages. - */ - if( ( extensions_present & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "client hello: supported_versions not found" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + MBEDTLS_SSL_TLS1_3_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->received_extensions ); mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, @@ -1655,7 +1628,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, /* If we've settled on a PSK-based exchange, parse PSK identity ext */ if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) && mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && - ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) ) + ( ssl->handshake->received_extensions & + MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) ) { ssl->handshake->update_checksum( ssl, buf, pre_shared_key_ext - buf ); @@ -1666,7 +1640,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, cipher_suites_end ); if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) { - extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY; + ssl->handshake->received_extensions &= + ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY; } else if( ret != 0 ) { 
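Review bot: The `@@ -1622` hunk deletes the check that `supported_versions` is present in the ClientHello, which the old code enforced with a missing_extension alert and which RFC 8446 section 4.2.1 makes REQUIRED for a TLS 1.3 ClientHello, and nothing visible in this commit replaces it or explains the removal. If the version-selection code that routes a ClientHello into `ssl_tls13_parse_client_hello` already guarantees the extension is present, a one-line comment at the former check site, `/* supported_versions presence is verified by the caller before this parser is entered */`, would record that invariant; otherwise the check should be restored against `ssl->handshake->received_extensions`. `ssl_tls13_parse_client_hello` starts and ends outside this hunk.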
@@ -1681,7 +1656,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ssl->handshake->update_checksum( ssl, buf, p - buf ); } - ssl->handshake->extensions_present = extensions_present; ret = ssl_tls13_determine_key_exchange_mode( ssl ); if( ret < 0 ) return( ret ); From 03112ae0228e2031eb01c8fc70a0df371ddb2191 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 30 Aug 2022 16:27:17 +0800 Subject: [PATCH 071/413] change input extension_type Signed-off-by: Jerry Yu --- library/ssl_misc.h | 2 +- library/ssl_tls13_generic.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index b7f1440bb8..dad1c82a12 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1929,7 +1929,7 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) * Helper functions for extensions checking and convert. */ -uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type ); +uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type ); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl, diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 7b66be1c73..2fbcdf063c 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1528,7 +1528,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( } #endif /* MBEDTLS_ECDH_C */ -uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type ) +uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type ) { switch( extension_type ) { From c4bf5d658e47f6b0d6b73e4ab851a074b92681ae Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 29 Oct 2022 09:08:47 +0800 Subject: [PATCH 072/413] fix various issues - Signature of - mbedtls_tls13_set_hs_sent_ext_mask - check_received_extension and issues - Also fix comment issue. - improve readablity. 
Signed-off-by: Jerry Yu --- library/ssl_client.c | 9 ++---- library/ssl_misc.h | 24 ++++++++------- library/ssl_tls.c | 3 +- library/ssl_tls13_client.c | 58 +++++++++++++++---------------------- library/ssl_tls13_generic.c | 50 +++++++++++++++++--------------- library/ssl_tls13_server.c | 34 ++++++++++------------ 6 files changed, 84 insertions(+), 94 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index b0d2dcf3ca..16cef0204a 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -107,8 +107,7 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl, *olen = hostname_len + 9; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_SERVERNAME ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SERVERNAME ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", mbedtls_tls13_get_extension_name( @@ -186,8 +185,7 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( *out_len - 4, buf, 2 ); #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_ALPN ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_ALPN ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", mbedtls_tls13_get_extension_name( @@ -312,8 +310,7 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl, *out_len = p - buf; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", mbedtls_tls13_get_extension_name( MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ) ) ); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index dad1c82a12..3aeab0cd84 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -103,11 +103,12 @@ #define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 ) #define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 ) -/* For request messages, we should just ignore unrecognized extension when - * parsing messages. For response messages, we should not ignore unrecognized - * extension when parsing messages. Request messages include ClientHello, - * Certificate and NewSessionTicket. Response messages include ServerHello, - * EncryptExtensions, Certificate and HelloRetryRequest. +/* In messages containing extension requests, we should ignore unrecognized + * extensions. In messages containing extension responses, unrecognized + * extensions should result in handshake abortion. Messages containing + * extension requests include ClientHello, CertificateRequest and + * NewSessionTicket. Messages containing extension responses include + * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate. * * RFC 8446 section 4.1.3 * @@ -1932,13 +1933,14 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type ); MBEDTLS_CHECK_RETURN_CRITICAL -int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl, - int hs_msg_type, - uint32_t extension_type, - uint32_t allowed_mask ); +int mbedtls_ssl_tls13_check_received_extension( + mbedtls_ssl_context *ssl, + int hs_msg_type, + unsigned int received_extension_type, + uint32_t hs_msg_allowed_extensions_mask ); -static inline void mbedtls_tls13_set_sent_ext_mask( mbedtls_ssl_context *ssl, - uint16_t extension_type ) +static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask( + mbedtls_ssl_context *ssl, unsigned int extension_type ) { ssl->handshake->sent_extensions |= mbedtls_tls13_get_extension_mask( extension_type ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9947d39d82..3678ec0bd6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -8713,8 +8713,7 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf, *out_len = p - buf; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_SIG_ALG ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SIG_ALG ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", mbedtls_tls13_get_extension_name( diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index c29b90ee33..27747a2097 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -89,8 +89,8 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl, } *out_len = 5 + versions_len; - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", mbedtls_tls13_get_extension_name( @@ -365,8 +365,7 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len ); - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_KEY_SHARE ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", @@ -612,8 +611,7 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl, *out_len = handshake->hrr_cookie_len + 6; - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_COOKIE ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", mbedtls_tls13_get_extension_name( 
@@ -688,8 +686,8 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, *out_len = p - buf; - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", mbedtls_tls13_get_extension_name( @@ -1059,8 +1057,8 @@ int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf ); - mbedtls_tls13_set_sent_ext_mask( ssl, - MBEDTLS_TLS_EXT_PRE_SHARED_KEY ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY ); MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", mbedtls_tls13_get_extension_name( @@ -1668,7 +1666,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len ); - ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; allowed_extensions_mask = is_hrr ? MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR : MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH; @@ -1687,7 +1685,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); extension_data_end = p + extension_data_len; - ret = mbedtls_tls13_check_received_extensions( + ret = mbedtls_ssl_tls13_check_received_extension( ssl, is_hrr ? -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO, @@ -1766,7 +1764,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, is_hrr ? -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO, - ssl->handshake->received_extensions ); + handshake->received_extensions ); cleanup: 
@@ -1999,6 +1997,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, size_t extensions_len; const unsigned char *p = buf; const unsigned char *extensions_end; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); @@ -2008,7 +2007,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; - ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < extensions_end ) { @@ -2028,7 +2027,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - ret = mbedtls_tls13_check_received_extensions( + ret = mbedtls_ssl_tls13_check_received_extension( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type, MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE ); if( ret != 0 ) @@ -2036,16 +2035,6 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, switch( extension_type ) { - case MBEDTLS_TLS_EXT_SERVERNAME: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found server_name extension" ) ); - - /* The server_name extension should be an empty extension */ - - break; - case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) ); - break; - #if defined(MBEDTLS_SSL_ALPN) case MBEDTLS_TLS_EXT_ALPN: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); @@ -2069,7 +2058,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, - ssl->handshake->received_extensions ); + handshake->received_extensions ); /* Check that we consumed all the message. */ if( p != end ) 
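Review bot: Removing the explicit `MBEDTLS_TLS_EXT_SERVERNAME` and `MBEDTLS_TLS_EXT_SUPPORTED_GROUPS` cases from the EncryptedExtensions switch routes both to the `default:` branch, which lies outside this hunk; if that branch treats an unlisted type in a response message as fatal, as the ssl_misc.h comment in this commit says unrecognised response extensions should be, two extensions a server may legitimately echo would now abort the handshake. Presumably the preceding `mbedtls_ssl_tls13_check_received_extension` call with `MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE` is what admits them, and the default branch only logs; a comment at the switch such as `/* server_name and supported_groups need no per-extension processing; the allowed-mask check above already admits them. */` would make that intent explicit once confirmed. `ssl_tls13_parse_encrypted_extensions` ends outside this hunk.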
@@ -2176,6 +2165,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, size_t certificate_request_context_len = 0; size_t extensions_len = 0; const unsigned char *extensions_end; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; /* ... * opaque certificate_request_context<0..2^8-1> @@ -2191,7 +2181,6 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context", p, certificate_request_context_len ); - mbedtls_ssl_handshake_params *handshake = ssl->handshake; handshake->certificate_request_context = mbedtls_calloc( 1, certificate_request_context_len ); if( handshake->certificate_request_context == NULL ) @@ -2215,7 +2204,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; - ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < extensions_end ) { @@ -2229,7 +2218,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - ret = mbedtls_tls13_check_received_extensions( + ret = mbedtls_ssl_tls13_check_received_extension( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type, MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ); if( ret != 0 ) @@ -2260,7 +2249,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, - ssl->handshake->received_extensions ); + handshake->received_extensions ); /* Check that we consumed all the message. */ if( p != end ) 
@@ -2274,7 +2263,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, * * The "signature_algorithms" extension MUST be specified */ - if( ( ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 ) + if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithms extension found" ) ); @@ -2514,10 +2503,11 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end ) { + mbedtls_ssl_handshake_params *handshake = ssl->handshake; const unsigned char *p = buf; - ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < end ) { @@ -2532,7 +2522,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len ); - ret = mbedtls_tls13_check_received_extensions( + ret = mbedtls_ssl_tls13_check_received_extension( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ); if( ret != 0 ) @@ -2556,7 +2546,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_TLS1_3_PRINT_EXTS( - 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->received_extensions ); + 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, handshake->received_extensions ); return( 0 ); } diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 2fbcdf063c..21644ede43 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -398,6 +398,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, size_t certificate_list_len = 0; const unsigned char *p = buf; const unsigned char *certificate_list_end; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 ); certificate_request_context_len = p[0]; 
@@ -507,7 +508,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len ); extensions_end = p + extensions_len; - ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < extensions_end ) { @@ -527,9 +528,9 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - ret = mbedtls_tls13_check_received_extensions( - ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type, - MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ); + ret = mbedtls_ssl_tls13_check_received_extension( + ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ); if( ret != 0 ) return( ret ); @@ -547,7 +548,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_TLS1_3_PRINT_EXTS( - 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->received_extensions ); + 3, MBEDTLS_SSL_HS_CERTIFICATE, handshake->received_extensions ); } exit: @@ -555,7 +556,7 @@ exit: if( p != end ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, MBEDTLS_ERR_SSL_DECODE_ERROR ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } 
@@ -1759,43 +1760,46 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, * */ -int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl, - int hs_msg_type, - uint32_t extension_type, - uint32_t allowed_mask ) +int mbedtls_ssl_tls13_check_received_extension( + mbedtls_ssl_context *ssl, + int hs_msg_type, + unsigned int received_extension_type, + uint32_t hs_msg_allowed_extensions_mask ) { - uint32_t extension_mask; - #if defined(MBEDTLS_DEBUG_C) const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type ); #endif - - extension_mask = mbedtls_tls13_get_extension_mask( extension_type ); + uint32_t extension_mask = mbedtls_tls13_get_extension_mask( received_extension_type ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s : received %s(%x) extension", hs_msg_name, - mbedtls_tls13_get_extension_name( extension_type ), - (unsigned int)extension_type ) ); + mbedtls_tls13_get_extension_name( received_extension_type ), + (unsigned int)received_extension_type ) ); - if( ( extension_mask & allowed_mask ) == 0 ) + if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s : forbidden extension received.", hs_msg_name ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } ssl->handshake->received_extensions |= extension_mask; + /* + * If it is a message containing extension responses, check that we + * previously sent the extension. + */ switch( hs_msg_type ) { case MBEDTLS_SSL_HS_SERVER_HELLO: case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value. 
case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: case MBEDTLS_SSL_HS_CERTIFICATE: - if( ( ~ssl->handshake->sent_extensions & extension_mask ) == 0 ) + /* Check if the received extension is sent by peer message.*/ + if( ( ssl->handshake->sent_extensions & extension_mask ) != 0 ) return( 0 ); break; default: @@ -1803,11 +1807,11 @@ int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_DEBUG_MSG( - 3, ( "%s : forbidden extension received.", hs_msg_name ) ); + 3, ( "%s : unexpected extension received.", hs_msg_name ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); } #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 4fdd6ade8e..f0f06b81a7 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1239,6 +1239,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, const unsigned char *cipher_suites_end; size_t extensions_len; const unsigned char *extensions_end; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; int hrr_required = 0; #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) @@ -1304,7 +1305,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); - memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); + memcpy( &handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN; /* ... 
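Review bot: The new comment `/* Check if the received extension is sent by peer message.*/` in `mbedtls_ssl_tls13_check_received_extension` reads backwards: `sent_extensions` records the extensions this endpoint placed in its own request message, and the rewritten test rejects a response extension that this endpoint never offered, which is the unsupported_extension case of RFC 8446 section 4.2. Suggest `/* A response extension is only acceptable if we offered it in our own request message. */` so the next reader does not take `sent_extensions` to mean the peer's extensions. The comment above the switch already says "check that we previously sent the extension", so the two should agree.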
@@ -1374,13 +1375,13 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, continue; ssl->session_negotiate->ciphersuite = cipher_suite; - ssl->handshake->ciphersuite_info = ciphersuite_info; + handshake->ciphersuite_info = ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %04x - %s", cipher_suite, ciphersuite_info->name ) ); } - if( ssl->handshake->ciphersuite_info == NULL ) + if( handshake->ciphersuite_info == NULL ) { MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); @@ -1416,7 +1417,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len ); - ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; while( p < extensions_end ) { @@ -1431,8 +1432,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, * Servers MUST check that it is the last extension and otherwise fail * the handshake with an "illegal_parameter" alert. */ - if( ssl->handshake->received_extensions & - mbedtls_tls13_get_extension_mask( MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) ) + if( handshake->received_extensions & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key is not last extension." ) ); @@ -1450,7 +1450,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); extension_data_end = p + extension_data_len; - ret = mbedtls_tls13_check_received_extensions( + ret = mbedtls_ssl_tls13_check_received_extension( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ); if( ret != 0 ) 
@@ -1554,13 +1554,13 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); - if( ( ssl->handshake->received_extensions & + if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 ) { MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* Delay processing of the PSK identity once we have @@ -1614,7 +1614,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_TLS1_3_PRINT_EXTS( - 3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->received_extensions ); + 3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->received_extensions ); mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, @@ -1628,10 +1628,9 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, /* If we've settled on a PSK-based exchange, parse PSK identity ext */ if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) && mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && - ( ssl->handshake->received_extensions & - MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) ) + ( handshake->received_extensions & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) ) { - ssl->handshake->update_checksum( ssl, buf, + handshake->update_checksum( ssl, buf, pre_shared_key_ext - buf ); ret = ssl_tls13_parse_pre_shared_key_ext( ssl, pre_shared_key_ext, @@ -1640,8 +1639,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, cipher_suites_end ); if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) { - ssl->handshake->received_extensions &= - ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY; + handshake->received_extensions &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY; } else if( ret != 0 ) { 
@@ -1653,14 +1651,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, else #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ { - ssl->handshake->update_checksum( ssl, buf, p - buf ); + handshake->update_checksum( ssl, buf, p - buf ); } ret = ssl_tls13_determine_key_exchange_mode( ssl ); if( ret < 0 ) return( ret ); - mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info ); + mbedtls_ssl_optimize_checksum( ssl, handshake->ciphersuite_info ); return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK ); } From 7a485c1fdf02b6370c1a96eec44700243c31dcee Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 13:08:18 +0800 Subject: [PATCH 073/413] Add ext id and utilities - Remove `MBEDTLS_SSL_EXT_*` - Add macros and functions for translating iana identifer. - Add internal identity for extension Signed-off-by: Jerry Yu --- library/ssl_misc.h | 67 +++++++++++++++----------- library/ssl_tls.c | 95 +++++++++++++++++++++++++++++++++++++ library/ssl_tls13_generic.c | 74 ----------------------------- 3 files changed, 134 insertions(+), 102 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 3aeab0cd84..8bd98b3c44 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -75,33 +75,46 @@ #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ /* - * Mask of TLS 1.3 handshake extensions used in extensions_present - * of mbedtls_ssl_handshake_params. + * Inernal identity of handshake extensions */ -#define MBEDTLS_SSL_EXT_NONE 0 +#define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0 +#define MBEDTLS_SSL_EXT_ID_SERVERNAME 1 +#define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1 +#define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2 +#define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3 +#define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4 +#define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4 +#define MBEDTLS_SSL_EXT_ID_SIG_ALG 5 +#define MBEDTLS_SSL_EXT_ID_USE_SRTP 6 +#define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7 +#define MBEDTLS_SSL_EXT_ID_ALPN 8 +#define MBEDTLS_SSL_EXT_ID_SCT 9 +#define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10 +#define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11 +#define MBEDTLS_SSL_EXT_ID_PADDING 12 +#define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13 +#define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14 +#define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15 +#define MBEDTLS_SSL_EXT_ID_COOKIE 16 +#define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17 +#define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18 +#define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19 +#define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20 +#define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21 +#define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22 +#define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23 +#define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24 +#define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25 +#define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26 +#define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27 -#define MBEDTLS_SSL_EXT_SERVERNAME ( 1 << 0 ) -#define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ( 1 << 1 ) -#define MBEDTLS_SSL_EXT_STATUS_REQUEST ( 1 << 2 ) -#define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ( 1 << 3 ) -#define MBEDTLS_SSL_EXT_SIG_ALG ( 1 << 4 ) -#define MBEDTLS_SSL_EXT_USE_SRTP ( 1 << 5 ) -#define MBEDTLS_SSL_EXT_HEARTBEAT ( 1 << 6 ) -#define 
MBEDTLS_SSL_EXT_ALPN ( 1 << 7 ) -#define MBEDTLS_SSL_EXT_SCT ( 1 << 8 ) -#define MBEDTLS_SSL_EXT_CLI_CERT_TYPE ( 1 << 9 ) -#define MBEDTLS_SSL_EXT_SERV_CERT_TYPE ( 1 << 10 ) -#define MBEDTLS_SSL_EXT_PADDING ( 1 << 11 ) -#define MBEDTLS_SSL_EXT_PRE_SHARED_KEY ( 1 << 12 ) -#define MBEDTLS_SSL_EXT_EARLY_DATA ( 1 << 13 ) -#define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ( 1 << 14 ) -#define MBEDTLS_SSL_EXT_COOKIE ( 1 << 15 ) -#define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ( 1 << 16 ) -#define MBEDTLS_SSL_EXT_CERT_AUTH ( 1 << 17 ) -#define MBEDTLS_SSL_EXT_OID_FILTERS ( 1 << 18 ) -#define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ( 1 << 19 ) -#define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 ) -#define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 ) +/* Utility for translating IANA extension type. */ +uint32_t mbedtls_ssl_get_extension_id( unsigned int extension_type ); +uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ); +/* Macros used to define mask constants */ +#define MBEDTLS_SSL_EXT_MASK( id ) ( 1ULL << ( MBEDTLS_SSL_EXT_ID_##id ) ) +/* Reset value of extension mask */ +#define MBEDTLS_SSL_EXT_MASK_NONE 0 /* In messages containing extension requests, we should ignore unrecognized * extensions. In messages containing extension responses, unrecognized @@ -1930,8 +1943,6 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) * Helper functions for extensions checking and convert. */ -uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type ); - MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_check_received_extension( mbedtls_ssl_context *ssl, @@ -1943,7 +1954,7 @@ static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask( mbedtls_ssl_context *ssl, unsigned int extension_type ) { ssl->handshake->sent_extensions |= - mbedtls_tls13_get_extension_mask( extension_type ); + mbedtls_ssl_get_extension_mask( extension_type ); } /* diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3678ec0bd6..b3210c4155 100644 
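Review bot: `MBEDTLS_SSL_EXT_MASK( id )` expands to a 64-bit `1ULL << id`, while `mbedtls_ssl_get_extension_mask` is declared to return `uint32_t` and its result is OR'ed into `ssl->handshake->sent_extensions` in the later hunk of this file (whose type is not visible here); the same 32/64-bit mix appears in the functions added to library/ssl_tls.c and in the `uint32_t hs_msg_allowed_extensions_mask` parameter of library/ssl_tls13_generic.c in patch 075. With ids up to 27 nothing is truncated today, but a 64-bit macro invites adding an id of 32 or more that would silently vanish on conversion; either use `1U << ( MBEDTLS_SSL_EXT_ID_##id )` or widen the storage and return types to `uint64_t`, and add a compile-time check that the highest id stays below the chosen width. The comment also has a typo (`Inernal` → `Internal`), and the two aliases (`SERVERNAME_HOSTNAME` = 1, `SUPPORTED_ELLIPTIC_CURVES` = 4) deserve a short note such as `/* Aliases: same slot as SERVERNAME / SUPPORTED_GROUPS */` so a reader does not take them for a numbering mistake.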
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -521,6 +521,101 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) } #endif /* MBEDTLS_X509_CRT_PARSE_C */ +uint32_t mbedtls_ssl_get_extension_id( unsigned int extension_type ) +{ + switch( extension_type ) + { + case MBEDTLS_TLS_EXT_SERVERNAME: + return( MBEDTLS_SSL_EXT_ID_SERVERNAME ); + + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + return( MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH ); + + case MBEDTLS_TLS_EXT_STATUS_REQUEST: + return( MBEDTLS_SSL_EXT_ID_STATUS_REQUEST ); + + case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: + return( MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS ); + + case MBEDTLS_TLS_EXT_SIG_ALG: + return( MBEDTLS_SSL_EXT_ID_SIG_ALG ); + + case MBEDTLS_TLS_EXT_USE_SRTP: + return( MBEDTLS_SSL_EXT_ID_USE_SRTP ); + + case MBEDTLS_TLS_EXT_HEARTBEAT: + return( MBEDTLS_SSL_EXT_ID_HEARTBEAT ); + + case MBEDTLS_TLS_EXT_ALPN: + return( MBEDTLS_SSL_EXT_ID_ALPN ); + + case MBEDTLS_TLS_EXT_SCT: + return( MBEDTLS_SSL_EXT_ID_SCT ); + + case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: + return( MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE ); + + case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: + return( MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE ); + + case MBEDTLS_TLS_EXT_PADDING: + return( MBEDTLS_SSL_EXT_ID_PADDING ); + + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + return( MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY ); + + case MBEDTLS_TLS_EXT_EARLY_DATA: + return( MBEDTLS_SSL_EXT_ID_EARLY_DATA ); + + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + return( MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS ); + + case MBEDTLS_TLS_EXT_COOKIE: + return( MBEDTLS_SSL_EXT_ID_COOKIE ); + + case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: + return( MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES ); + + case MBEDTLS_TLS_EXT_CERT_AUTH: + return( MBEDTLS_SSL_EXT_ID_CERT_AUTH ); + + case MBEDTLS_TLS_EXT_OID_FILTERS: + return( MBEDTLS_SSL_EXT_ID_OID_FILTERS ); + + case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: + return( MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH ); + + case MBEDTLS_TLS_EXT_SIG_ALG_CERT: + return( MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT ); + + case 
MBEDTLS_TLS_EXT_KEY_SHARE: + return( MBEDTLS_SSL_EXT_ID_KEY_SHARE ); + + case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: + return( MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC ); + + case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: + return( MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS ); + + case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: + return( MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC ); + + case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: + return( MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET ); + + case MBEDTLS_TLS_EXT_SESSION_TICKET: + return( MBEDTLS_SSL_EXT_ID_SESSION_TICKET ); + + } + + return( MBEDTLS_SSL_EXT_ID_UNRECOGNIZED ); +} + +uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ) +{ + return( 1 << mbedtls_ssl_get_extension_id( extension_type ) ); +} + void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) { diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 21644ede43..a52b4ca696 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
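Review bot: `return( 1 << mbedtls_ssl_get_extension_id( extension_type ) );` shifts a signed `int`, which is undefined behaviour for an id of 31, and it does not match the `1ULL` used by `MBEDTLS_SSL_EXT_MASK` in ssl_misc.h, so the two ways of building a mask can disagree once ids grow. Use the same unsigned form as the macro, e.g. `return( (uint32_t) ( 1U << mbedtls_ssl_get_extension_id( extension_type ) ) );`, or route through the macro's width if that is widened. Both new functions lack a header comment; `/* Map an IANA extension type to its internal id (MBEDTLS_SSL_EXT_ID_UNRECOGNIZED when unknown). */` and `/* Bit mask for the internal id of an IANA extension type. */` would document the contract that unknown types land in bit 0 rather than being rejected.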
@@ -1529,80 +1529,6 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( } #endif /* MBEDTLS_ECDH_C */ -uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type ) -{ - switch( extension_type ) - { - case MBEDTLS_TLS_EXT_SERVERNAME: - return( MBEDTLS_SSL_EXT_SERVERNAME ); - - case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: - return( MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ); - - case MBEDTLS_TLS_EXT_STATUS_REQUEST: - return( MBEDTLS_SSL_EXT_STATUS_REQUEST ); - - case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: - return( MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ); - - case MBEDTLS_TLS_EXT_SIG_ALG: - return( MBEDTLS_SSL_EXT_SIG_ALG ); - - case MBEDTLS_TLS_EXT_USE_SRTP: - return( MBEDTLS_SSL_EXT_USE_SRTP ); - - case MBEDTLS_TLS_EXT_HEARTBEAT: - return( MBEDTLS_SSL_EXT_HEARTBEAT ); - - case MBEDTLS_TLS_EXT_ALPN: - return( MBEDTLS_SSL_EXT_ALPN ); - - case MBEDTLS_TLS_EXT_SCT: - return( MBEDTLS_SSL_EXT_SCT ); - - case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: - return( MBEDTLS_SSL_EXT_CLI_CERT_TYPE ); - - case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: - return( MBEDTLS_SSL_EXT_SERV_CERT_TYPE ); - - case MBEDTLS_TLS_EXT_PADDING: - return( MBEDTLS_SSL_EXT_PADDING ); - - case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: - return( MBEDTLS_SSL_EXT_PRE_SHARED_KEY ); - - case MBEDTLS_TLS_EXT_EARLY_DATA: - return( MBEDTLS_SSL_EXT_EARLY_DATA ); - - case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: - return( MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ); - - case MBEDTLS_TLS_EXT_COOKIE: - return( MBEDTLS_SSL_EXT_COOKIE ); - - case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: - return( MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ); - - case MBEDTLS_TLS_EXT_CERT_AUTH: - return( MBEDTLS_SSL_EXT_CERT_AUTH ); - - case MBEDTLS_TLS_EXT_OID_FILTERS: - return( MBEDTLS_SSL_EXT_OID_FILTERS ); - - case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: - return( MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ); - - case MBEDTLS_TLS_EXT_SIG_ALG_CERT: - return( MBEDTLS_SSL_EXT_SIG_ALG_CERT ); - - case MBEDTLS_TLS_EXT_KEY_SHARE: - return( MBEDTLS_SSL_EXT_KEY_SHARE ); - }; - - return( 
MBEDTLS_SSL_EXT_UNRECOGNIZED ); -} - #if defined(MBEDTLS_DEBUG_C) const char *mbedtls_tls13_get_extension_name( uint16_t extension_type ) { From 3951a4f3ada028d08e50d32ab837f0a226afd0b0 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Mon, 31 Oct 2022 09:17:15 -0500 Subject: [PATCH 074/413] pkcs7: Use better error codes Remove an unnecessary debug print (whoops). Use new error code for when the x509 is expired. When there are no signers return invalid certificate. Signed-off-by: Nick Child Co-authored-by: Dave Rodgman Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 1 + library/pkcs7.c | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 2a557bfad3..52895ac2b7 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -69,6 +69,7 @@ #define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ #define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ +#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS7 date issued/expired dates are invalid */ /* \} name */ /** diff --git a/library/pkcs7.c b/library/pkcs7.c index 7976a0b3a9..ca0170a6dc 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -630,15 +630,14 @@ static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7, if( pkcs7->signed_data.no_of_signers == 0 ) { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; goto out; } if( mbedtls_x509_time_is_past( &cert->valid_to ) || mbedtls_x509_time_is_future( &cert->valid_from )) { - printf("EXPRED\n"); - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + ret = MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID; goto out; } From df0ad658a30e1a6a613852522fe322582666b49a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 13:20:57 +0800 Subject: [PATCH 075/413] tls13: Add allowed extesions constants. - And refactor check_received_extension 
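Review bot: The doc comment on the new `MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID` reads awkwardly and does not say which certificate or which check it refers to; since library/pkcs7.c returns it when `cert->valid_to` is past or `cert->valid_from` is in the future, something like `/**< The signer certificate is not valid at the current time (before its valid_from or after its valid_to). */` states the actual condition. The value -0x5880 follows the 0x80 spacing of the neighbouring codes.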
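Review bot: The validity-period check that now returns `MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID` relies on `mbedtls_x509_time_is_past`/`mbedtls_x509_time_is_future`, which, as far as I recall, return 0 unconditionally when `MBEDTLS_HAVE_TIME_DATE` is not defined, so in such builds this error can never be produced and an expired signer certificate is accepted silently. A comment at the check, e.g. `/* No-op without MBEDTLS_HAVE_TIME_DATE: callers must then check the signer's validity period themselves. */`, would make that contract explicit. The enclosing function `mbedtls_pkcs7_data_or_hash_verify` begins outside the hunk.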
Signed-off-by: Jerry Yu
---
 library/ssl_misc.h | 105 +++++++++++++++++++----------------
 library/ssl_tls13_generic.c | 25 ++++-----
 2 files changed, 66 insertions(+), 64 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 8bd98b3c44..8ffdccb378 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -134,76 +134,83 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ); * not specified for the message in which it appears, it MUST abort the handshake * with an "illegal_parameter" alert. */ -#define MBEDTLS_SSL_EXT_UNRECOGNIZED ( 1U << 31 ) + +/* Extensions that not recognized by TLS 1.3 */ +#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED \ + ( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS ) | \ + MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC ) | \ + MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET ) | \ + MBEDTLS_SSL_EXT_MASK( SESSION_TICKET ) | \ + MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) ) /* RFC 8446 section 4.2. Allowed extensions for ClienHello */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ - ( MBEDTLS_SSL_EXT_SERVERNAME | \ - MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \ - MBEDTLS_SSL_EXT_STATUS_REQUEST | \ - MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \ - MBEDTLS_SSL_EXT_SIG_ALG | \ - MBEDTLS_SSL_EXT_USE_SRTP | \ - MBEDTLS_SSL_EXT_HEARTBEAT | \ - MBEDTLS_SSL_EXT_ALPN | \ - MBEDTLS_SSL_EXT_SCT | \ - MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \ - MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \ - MBEDTLS_SSL_EXT_PADDING | \ - MBEDTLS_SSL_EXT_KEY_SHARE | \ - MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \ - MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES | \ - MBEDTLS_SSL_EXT_EARLY_DATA | \ - MBEDTLS_SSL_EXT_COOKIE | \ - MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS | \ - MBEDTLS_SSL_EXT_CERT_AUTH | \ - MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH | \ - MBEDTLS_SSL_EXT_SIG_ALG_CERT | \ - MBEDTLS_SSL_EXT_UNRECOGNIZED ) + ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \ + MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \ + MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \ + MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \ + MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \ + MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \ + MBEDTLS_SSL_EXT_MASK( ALPN ) | \ + MBEDTLS_SSL_EXT_MASK( SCT ) | \ + MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \ + MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \ + MBEDTLS_SSL_EXT_MASK( PADDING ) | \ + 
MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \ + MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \ + MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) | \ + MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \ + MBEDTLS_SSL_EXT_MASK( COOKIE ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) | \ + MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \ + MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH ) | \ + MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \ + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED ) /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ - ( MBEDTLS_SSL_EXT_SERVERNAME | \ - MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \ - MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \ - MBEDTLS_SSL_EXT_USE_SRTP | \ - MBEDTLS_SSL_EXT_HEARTBEAT | \ - MBEDTLS_SSL_EXT_ALPN | \ - MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \ - MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \ - MBEDTLS_SSL_EXT_EARLY_DATA ) + ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \ + MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \ + MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \ + MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \ + MBEDTLS_SSL_EXT_MASK( ALPN ) | \ + MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \ + MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \ + MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) ) /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ - ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \ - MBEDTLS_SSL_EXT_SIG_ALG | \ - MBEDTLS_SSL_EXT_SCT | \ - MBEDTLS_SSL_EXT_CERT_AUTH | \ - MBEDTLS_SSL_EXT_OID_FILTERS | \ - MBEDTLS_SSL_EXT_SIG_ALG_CERT | \ - MBEDTLS_SSL_EXT_UNRECOGNIZED ) + ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \ + MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \ + MBEDTLS_SSL_EXT_MASK( SCT ) | \ + MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \ + MBEDTLS_SSL_EXT_MASK( OID_FILTERS ) | \ + MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \ + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED ) /* RFC 8446 section 4.2. 
Allowed extensions for Certificate */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ - ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \ - MBEDTLS_SSL_EXT_SCT ) + ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \ + MBEDTLS_SSL_EXT_MASK( SCT ) ) /* RFC 8446 section 4.2. Allowed extensions for ServerHello */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ - ( MBEDTLS_SSL_EXT_KEY_SHARE | \ - MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \ - MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) + ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \ + MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) ) /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ - ( MBEDTLS_SSL_EXT_KEY_SHARE | \ - MBEDTLS_SSL_EXT_COOKIE | \ - MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) + ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \ + MBEDTLS_SSL_EXT_MASK( COOKIE ) | \ + MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) ) /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ - ( MBEDTLS_SSL_EXT_EARLY_DATA | \ - MBEDTLS_SSL_EXT_UNRECOGNIZED ) + ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \ + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED ) /* * Helper macros for function call with return check. diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index a52b4ca696..1bbd7f033b 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
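Review bot: The new macro name `MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED` is misspelled and is already used in four places in this hunk (its definition and the CH, CR and NST masks), so the typo becomes part of the internal API; renaming to `MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED` is cheap now and costly later. The comment above it also needs fixing (`Extensions that not recognized by TLS 1.3`) and should say why the TLS 1.2-only extensions are folded into the "unrecognized" set: they are tolerated only in the messages where unknown extensions are permitted (ClientHello, CertificateRequest, NewSessionTicket) and rejected elsewhere, which is the RFC 8446 section 4.2 rule these masks implement. Suggested wording: `/* Extensions TLS 1.3 does not recognize (legacy TLS 1.2 ones included); allowed only in messages where unrecognized extensions are permitted. */`.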
@@ -1685,28 +1685,22 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, * with an "illegal_parameter" alert. * */ - int mbedtls_ssl_tls13_check_received_extension( mbedtls_ssl_context *ssl, int hs_msg_type, unsigned int received_extension_type, uint32_t hs_msg_allowed_extensions_mask ) { -#if defined(MBEDTLS_DEBUG_C) - const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type ); -#endif - uint32_t extension_mask = mbedtls_tls13_get_extension_mask( received_extension_type ); + uint32_t extension_mask = mbedtls_ssl_get_extension_mask( + received_extension_type ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "%s : received %s(%x) extension", - hs_msg_name, - mbedtls_tls13_get_extension_name( received_extension_type ), - (unsigned int)received_extension_type ) ); + MBEDTLS_SSL_PRINT_EXT_TYPE( + 3, hs_msg_type, received_extension_type, "received" ); if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 ) { - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "%s : forbidden extension received.", hs_msg_name ) ); + MBEDTLS_SSL_PRINT_EXT_TYPE( + 3, hs_msg_type, received_extension_type, "is illegal" ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); @@ -1721,7 +1715,7 @@ int mbedtls_ssl_tls13_check_received_extension( switch( hs_msg_type ) { case MBEDTLS_SSL_HS_SERVER_HELLO: - case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value. + case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: case MBEDTLS_SSL_HS_CERTIFICATE: /* Check if the received extension is sent by peer message.*/ @@ -1732,8 +1726,8 @@ int mbedtls_ssl_tls13_check_received_extension( return( 0 ); } - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "%s : unexpected extension received.", hs_msg_name ) ); + MBEDTLS_SSL_PRINT_EXT_TYPE( + 3, hs_msg_type, received_extension_type, "is unsupported" ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); 
@@ -1741,3 +1735,4 @@ int mbedtls_ssl_tls13_check_received_extension( } #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ + From fc234b7b52af978e0bff0c79a8f685bf9ab839b0 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 2 Nov 2022 15:23:39 -0500 Subject: [PATCH 076/413] test/pkcs7: Add Windows CRLF EOF to data files Windows tests are failing pkcs7 verification due to differnt line endings. Therefore, add make instuctions for building the data files with Windows EOF instead. As a result, regenerate other data files so that verification works. Add these CRLF EOF files to the exception in check_files to ignore the line endings. Signed-off-by: Nick Child --- tests/data_files/Makefile | 8 ++++++++ tests/data_files/pkcs7_data.bin | 2 +- tests/data_files/pkcs7_data_1.bin | 2 +- .../data_files/pkcs7_data_cert_encrypted.der | Bin 452 -> 452 bytes .../pkcs7_data_cert_signed_sha1.der | Bin 1276 -> 1276 bytes .../pkcs7_data_cert_signed_sha256.der | Bin 1284 -> 1284 bytes .../pkcs7_data_cert_signed_sha512.der | Bin 1284 -> 1284 bytes .../data_files/pkcs7_data_cert_signed_v2.der | Bin 1284 -> 1284 bytes .../pkcs7_data_cert_signeddata_sha256.der | Bin 1265 -> 1265 bytes .../pkcs7_data_multiple_certs_signed.der | Bin 2504 -> 2504 bytes .../data_files/pkcs7_data_multiple_signed.der | Bin 810 -> 810 bytes .../data_files/pkcs7_data_signed_badcert.der | Bin 1284 -> 1284 bytes .../pkcs7_data_signed_badsigner.der | Bin 1284 -> 1284 bytes .../pkcs7_data_without_cert_signed.der | Bin 435 -> 435 bytes .../pkcs7_signerInfo_issuer_invalid_size.der | Bin 1284 -> 1284 bytes .../pkcs7_signerInfo_serial_invalid_size.der | Bin 1284 -> 1284 bytes tests/scripts/check_files.py | 1 + tests/suites/test_suite_pkcs7.function | 2 +- 18 files changed, 12 insertions(+), 3 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index b92944ac29..581de256fb 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -1136,6 +1136,14 @@ pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt pkcs7_test_file = pkcs7_data.bin +$(pkcs7_test_file): + echo -e "Hello\xd" > $@ +all_final += $(pkcs7_test_file) + +pkcs7_data_1.bin: + echo -e "2\xd" > $@ +all_final += pkcs7_data_1.bin + # Generate signing cert pkcs7-rsa-sha256-1.crt: $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt diff --git a/tests/data_files/pkcs7_data.bin b/tests/data_files/pkcs7_data.bin index e965047ad7..40ee264774 100644 --- a/tests/data_files/pkcs7_data.bin +++ b/tests/data_files/pkcs7_data.bin @@ -1 +1 @@ -Hello +Hello diff --git a/tests/data_files/pkcs7_data_1.bin b/tests/data_files/pkcs7_data_1.bin index 0cfbf08886..78c6baefdd 100644 --- a/tests/data_files/pkcs7_data_1.bin +++ b/tests/data_files/pkcs7_data_1.bin @@ -1 +1 @@ -2 +2 
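Review bot: `echo -e "Hello\xd" > $@` (and the `"2\xd"` twin below it) depends on a bash `echo` that understands `-e` and `\x` escapes; under a POSIX `sh` such as dash, which make uses by default on Debian-based systems, the recipe writes the literal text `-e Hello\xd` and the regenerated data file no longer matches the signed blobs. `printf 'Hello\r\n' > $@` and `printf '2\r\n' > $@` produce the intended CRLF-terminated bytes portably. A one-line comment that the CRLF ending is deliberate would also stop someone "fixing" it later.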
diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der index 763057d9e5eb7be478369ddaba4f227fbe94afee..b7b1c8331d7899a34c9abbc490fa8c4ab99bdd7a 100644 GIT binary patch delta 327 zcmV-N0l5Ce1H=Q6hJPE)4$EW?YqVdyJBdo8YIJN>@8BewJ9eM(4TYQQ9aJ%WnUhyT zu0wBXZAF(k)I=bfF&5Ngz4bntvBK`xfT>mKybF-i-VB{>XNRj_cMi`4q@dCXz|Q&a zUJ|2R1i6f_!mF56I>Vux-a@^!)qyZuS-crr7VqJeUl8=F@qfv%I;dNga5n+37D`p! zlMd~E)f0Vp%djr-#fG0}hO1!^>Uiy#0a{Kx80qW57A*pdd&Wf!6j5qlP^A5wG-0f; z|D7(H$zIIf1}|8b96=X*BtwW|+GPG(DYijRe8cy@LQ7h5t>bS!?@<`yH5dmoWeU delta 327 zcmV-N0l5Ce1H=Q6hJQ-Tx?Q-lfoV9)#(TQgCqeV@4tPO1&1tm13K>?sDR&@`&2;zq zr5b(IZ;8P9uP7ZhV};5Nx$P4TQ~I`OP-JZVFRwH$$g#@GLhNsw7*u)5+$5;%u?lI* z7{f#jt%@Bd*gWd-Mfq+qY7!9F!t%(f_BmMLJc+}gPe-SXVlKe-8=>1~dR{fL1YSk2nD0zG z1e1lidjeML9yt-&lcdkej*zP>Dvpa!;p-i({!UoRGkSWHP_PS{49*_fNF&2ebMTFu za%v$Ei*vw1bh%2l|Mv>FqOyh&-GTi&S#ZbEYa0&xp0+K0aLL7Hh7cW4f# zURfNN9epg{Ht*AKLnMtAH$e)jo`R1nP)0NcVMtOkw3hYdzCOt!YerQGGW1m{oBRn zm8U~%`C1I$PK8v5^MvUh3AZkwyfqsS&?zHlgr}nOEDx;tzGEP+vx+-qhFKS`eENmc QzTmdm((B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 
diff --git a/tests/data_files/pkcs7_data_cert_signed_sha512.der b/tests/data_files/pkcs7_data_cert_signed_sha512.der index 41849a943e54d4d08d0d1fdf9926f2c362fc986b..a4aa5875876de0170637190fe7e71da8bbd73ee6 100644 GIT binary patch delta 266 zcmV+l0rmcb3WN%<1O$IWxkRl)AS@Ao`ZoC;w%Vw76Q@b>Y0K5Kn{oXNP?Z`kesT;a zS>3BVN*QzSsoHr?1a0hzYtmYDw`udB8*#cr{u_NkM3rg=X|Sx+S(J*|A5FG3oOAgX zlH33xWKdE&+j*Q=1MuH4HlHEM-1CF|CQB1y%^Cs-#q@rC7a2eEB$hG&@m*)d1L9~p0fgJ|V- zKO|i_bomi{{JOd>3kGR5rUG7x`4Ga|@9gGRv&UU!Yx*EkquOUVOYzOxLul+8bbZkT ziFpTB$xFfP$=qBrsd#NQGF+4~^!v9I(F*JY9sy0<5=oE7T*-fjZ>o1=(l$1Be=Ak% z_-J$l*M6RG>)wY-UcvnHTBRpm{*ri57_CijJ&)Wb7bfqnpxZgQJEW?^!E!T{}_UWl>h($ diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der index befd17c190253d2fc76833b5f6cc60b6a2742a2c..4f4cb047e079c550dc063ef53425dce81a5e31a3 100644 GIT binary patch delta 266 zcmV+l0rmcb3WN%<1O$Iu?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 
diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der index 85ea9f9fc1f29c7a68936a17ddf3825f10e9636f..cb7d75103daf5ed7cbaf0e2201458ca7c1fad8cf 100644 GIT binary patch delta 266 zcmV+l0rmdz3GoTA@dJNb?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&@It`H2?qr delta 266 zcmV+l0rmdz3GoTA@dJN!DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTr;+Q8~^|S 
diff --git a/tests/data_files/pkcs7_data_multiple_certs_signed.der b/tests/data_files/pkcs7_data_multiple_certs_signed.der index 69371ae202cfa21a20a1dfdaf11e115c4daa4ffa..4a237e9d145e0f4afedd8c3bcffb3bf146f96c4a 100644 GIT binary patch delta 529 zcmV+s0`C3D6UY;=Q3rop?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 zhj;z#gj$!seGmdI(34RJcYg$6nA~40nd7`J)?_Vz3SsZ7!CW}UV>7(W?(R04PfAvsza}k$w!Zp1P85JQYK(t8eSRuudAsp~VycCG=)wvTwxZ6C zO@A@n8yQoQ&tZkH&NQ#!Se6BQHtDf(w#I(f!YFLNs6Y6jXUDv834gBV*Wr+x(}er{ zVUv#hr5uTq#~rg5a}O5h=XQpAM%V`rkvs<*Z_WQzcHy4B6` z;Fmz`YDF9WQ%?FJP@g-edw~JD9;fA9+x`>*QE+G1uo@}|dGLr_iAsmhwv0`F=#XGY Tfv&lHBGL0V?~*Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? z6F)b8(@@Lv8sq{YT$51&2C4>-vwvIc*m0G?-v5xoOpzv=RkQGEydqpOY%xq4QFw3u6v!~XPD{r; zx;DvnceFuhC!6UWeBXQ-IBMb;VsV`lqoDurfIUVDV)D(XHxz`2GE&3W1x>gVJ}U?s zI2P>)1jZ%ITknV#A(nGR1^b7L;jSpEWbXEmAH zZ_YK%t#>A%y8=wDnQMsP%b0~s>s$+N$4J@v&T4GbH-(F=xD;WECol7)6~^FyJ+PRE zcm3>yT9?0l5CSdGkvu+=@c}u11YnrlUn`m8ye`&cEq@AO@2kOFILBi%yv*+IHkwaL zTivMYStdaw{DDDrb4S@q%Kig?;G43KF)W z&W=rgG2I&(Qv2nJ>e%Hb%Y`>^K_@QUVym1MCuIJa`kekzl z`}|>(j{Kz@iIc}2vlnv@7U$=7hI-`v#bVa+UFC)6xlZ(!qi17hqRXncwl-vo0Cu|7 z&GF!uK&2C4>-vww6cd(|;$YQI9Xm0(^)E8sM>Ph#LuaXrFxk1)heHHv9_KC^j( ze&5w&YSg&ROA&tBpGfXdEZG?FcVC7862#yC0wlBgrJN|927R=a!?5c#f;;eY6((&r zMS~d9a3L4v`e|ntAl3o8-8baKu{#4BHj>ToZx!J(VkYk$UKX&xhgm?uk@e{yjhnpvYqYiOxq4#1Feupqxz|~m8?IGAa(sX` z;!6m8`LWUz1$}Zcq(kXVk}674-Wmp-=8q#&s)$;1ht)r+b04YlC>)b2WE9JfDRUqb zKR15UP|NcgZN{+F&q)V$;=K`E_uLJ=BpwhMP|$yp+n#k}G+}v0`4NNxU>SQKtjF zhGLsqxx*LkZB9X4AHb?>SEMlbakt^j9y0a5wBlO9B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 
zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 diff --git a/tests/data_files/pkcs7_data_signed_badsigner.der b/tests/data_files/pkcs7_data_signed_badsigner.der index aff1448728d2d6f7dd2cf447251fe08cf7ac28e8..aa5447c44d27f7f4ccb8239e0598699a0055f9db 100644 GIT binary patch delta 266 zcmV+l0rmcb3WN%<1O$Iu?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 
diff --git a/tests/data_files/pkcs7_data_without_cert_signed.der b/tests/data_files/pkcs7_data_without_cert_signed.der index dbff326ad33bb0fbedf6716cfa01f015537a8572..b47fe927e5b427158e0d5f27002e6e1ca885dd63 100644 GIT binary patch delta 265 zcmV+k0rvj01G58=vwvIc*m0G?-v5xoOpzv=RkQGEydqpOY%xq4QFw3u6v!~XPD{r; zx;DvnceFuhC!6UWeBXQ-IBMb;VsV`lqoDurfIUVDV)D(XHxz`2GE&3W1x>gVJ}U?s zI2P>)1jZ%ITknV#A(nGR1^b7L;jSpEWbXEmAH zZ_YK%t#>A%y8=wDnQMsP%b0~s>s$+N$4J@v&T4GbH-(F=xD;WECol7)6~^FyJ+PRE Pcm3>yT9?0l5CSdGJ5+y6 delta 265 zcmV+k0rvj01G58=vww6cd(|;$YQI9Xm0(^)E8sM>Ph#LuaXrFxk1)heHHv9_KC^j( ze&5w&YSg&ROA&tBpGfXdEZG?FcVC7862#yC0wlBgrJN|927R=a!?5c#f;;eY6((&r zMS~d9a3L4v`e|ntAl3o8-8baKu{#4BHj>ToZx!J(VkYk$UKX&xhgm?uk@e{yjhnpvYqYiOxq4#1Feupqxz|~m8?IGAa(sX` z;!6m8`LWUz1$}Zcq(kXVk}674-Wmp-=8q#&s)$;1ht)r+b04YlC>)b2WE9JfDRUqb PKR15UP|NcgB?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 
diff --git a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der index 2db359072b44bcabbecbc1d0cae2c647c2406131..f4b4e384dbfc145a6c0382f71b51c8718701eb1c 100644 GIT binary patch delta 266 zcmV+l0rmcb3WN%<1O$Iu?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py index a0f5e1f538..50af88a6b6 100755 --- a/tests/scripts/check_files.py +++ b/tests/scripts/check_files.py @@ -119,6 +119,7 @@ BINARY_FILE_PATH_RE_LIST = [ r'tests/data_files/.*\.req\.[^/]+\Z', r'tests/data_files/.*malformed[^/]+\Z', r'tests/data_files/format_pkcs12\.fmt\Z', + r'tests/data_files/pkcs7_data.*\.bin\Z', ] BINARY_FILE_PATH_RE = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST)) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index c5094bcca8..a1de9998d4 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -150,7 +150,7 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); - file = fopen( filetobesigned, "r" ); + file = fopen( filetobesigned, "rb" ); TEST_ASSERT( file != NULL ); datalen = st.st_size; From 2364aaefa64db2d3303a0b716eff14134f60fa66 Mon Sep 17 00:00:00 2001 
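Review bot: `fopen( filetobesigned, "rb" )` stops the Windows CRLF translation for this call, but the length still comes from `datalen = st.st_size` while the bytes presumably come from a read further down (outside the hunk); asserting that the number of bytes read equals `datalen` would turn any future size/read mismatch into a clear test failure instead of an opaque signature verification failure. If other test functions in this suite open the data file the same way, they need the same mode; only this one call is changed here.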
From: Dave Rodgman Date: Fri, 4 Nov 2022 11:33:04 +0000 Subject: [PATCH 077/413] Update tests/suites/test_suite_pkcs7.function Address test dependency issue Signed-off-by: Dave Rodgman --- tests/suites/test_suite_pkcs7.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index a1de9998d4..14a0882532 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -10,7 +10,7 @@ /* END_HEADER */ /* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_PKCS7_C + * depends_on:MBEDTLS_PKCS7_C:MBEDTLS_RSA_C * END_DEPENDENCIES */ From b85838f2f4ce9289061fd0bf07c51bb596af2ca7 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 3 Nov 2022 17:49:29 +0000 Subject: [PATCH 078/413] Change test templating syntax to be valid C For the benefit of auto-formatting tools, move from the '$placeholder' templating syntax to a new syntax of the form: __MBEDTLS_TEST_TEMPLATE__PLACEHOLDER This change allows the test code template to be almost entirely valid C. Signed-off-by: David Horstmann --- tests/scripts/generate_test_code.py | 75 ++++++++++++++++++----------- tests/suites/main_test.function | 44 ++++++++--------- 2 files changed, 69 insertions(+), 50 deletions(-) diff --git a/tests/scripts/generate_test_code.py b/tests/scripts/generate_test_code.py index f5750aacfa..6d65986c88 100755 --- a/tests/scripts/generate_test_code.py +++ b/tests/scripts/generate_test_code.py 
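Review bot: Making the whole suite depend on `MBEDTLS_RSA_C` matches the RSA test certificates (pkcs7-rsa-sha256-*.crt in tests/data_files/Makefile), but the suite also uses SHA-1 and SHA-512 signed blobs (pkcs7_data_cert_signed_sha1.der, pkcs7_data_cert_signed_sha512.der), which presumably need the corresponding hash algorithm enabled; those are better expressed as per-test `depends_on` entries in the .data file than as a suite-wide dependency. If the data lines already carry such dependencies, ignore this.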
@@ -126,33 +126,33 @@ code that is generated or read from helpers and platform files. This script replaces following fields in the template and generates the test source file: -$test_common_helpers <-- All common code from helpers.function - is substituted here. -$functions_code <-- Test functions are substituted here - from the input test_suit_xyz.function - file. C preprocessor checks are generated - for the build dependencies specified - in the input file. This script also - generates wrappers for the test - functions with code to expand the - string parameters read from the data - file. -$expression_code <-- This script enumerates the - expressions in the .data file and - generates code to handle enumerated - expression Ids and return the values. -$dep_check_code <-- This script enumerates all - build dependencies and generate - code to handle enumerated build - dependency Id and return status: if - the dependency is defined or not. -$dispatch_code <-- This script enumerates the functions - specified in the input test data file - and generates the initializer for the - function table in the template - file. -$platform_code <-- Platform specific setup and test - dispatch code. +__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS <-- All common code from helpers.function + is substituted here. +__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE <-- Test functions are substituted here + from the input test_suit_xyz.function + file. C preprocessor checks are generated + for the build dependencies specified + in the input file. This script also + generates wrappers for the test + functions with code to expand the + string parameters read from the data + file. +__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE <-- This script enumerates the + expressions in the .data file and + generates code to handle enumerated + expression Ids and return the values. 
+__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE <-- This script enumerates all + build dependencies and generate + code to handle enumerated build + dependency Id and return status: if + the dependency is defined or not. +__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE <-- This script enumerates the functions + specified in the input test data file + and generates the initializer for the + function table in the template + file. +__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE <-- Platform specific setup and test + dispatch code. """ @@ -974,11 +974,30 @@ def write_test_source_file(template_file, c_file, snippets): :param snippets: Generated and code snippets :return: """ + + # Create a placeholder pattern with the correct named capture groups + # to override the default provided with Template. + # Match nothing (no way of escaping placeholders). + escaped = "(?P(?!))" + # Match the "__MBEDTLS_TEST_TEMPLATE__PLACEHOLDER_NAME" pattern. + named = "__MBEDTLS_TEST_TEMPLATE__(?P[A-Z][_A-Z0-9]*)" + # Match nothing (no braced placeholder syntax). + braced = "(?P(?!))" + # If not already matched, a "__MBEDTLS_TEST_TEMPLATE__" prefix is invalid. + invalid = "(?P__MBEDTLS_TEST_TEMPLATE__)" + placeholder_pattern = re.compile(escaped \ + + "|" + named \ + + "|" + braced \ + + "|" + invalid) + with open(template_file, 'r') as template_f, open(c_file, 'w') as c_f: for line_no, line in enumerate(template_f.readlines(), 1): # Update line number. +1 as #line directive sets next line number snippets['line_no'] = line_no + 1 - code = string.Template(line).substitute(**snippets) + template = string.Template(line) + template.pattern = placeholder_pattern + snippets = {k.upper():v for (k, v) in snippets.items()} + code = template.substitute(**snippets) c_f.write(code) diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index e016865348..48003d4f27 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function 
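Review bot: The uppercase copy of `snippets` is rebuilt on every template line inside the `for` loop, and because the loop then stores the lowercase key `'line_no'` into the already-uppercased dict, the mapping carries both `line_no` and `LINE_NO` from the second iteration on; the conversion belongs before the loop and the per-line update should set `snippets['LINE_NO']` directly. Assigning `template.pattern` on each `string.Template` instance also sidesteps the documented mechanism, a `Template` subclass with a class-level `pattern` (and `flags = 0`, since the base class defaults to `re.IGNORECASE`, which would let `[A-Z]` match lowercase), which is compiled once and reused for every line. As rendered here the four `(?P...)` groups carry no names, yet `Template.substitute()` requires groups called `escaped`, `named`, `braced` and `invalid`; if the angle-bracketed names were not merely stripped by the page rendering the pattern will not compile, so the fenced version spells them out. The backslash continuations in the `re.compile` call would read better as implicit string concatenation inside parentheses.
```python
class _MbedtlsTestTemplate(string.Template):
    """Template whose placeholders are __MBEDTLS_TEST_TEMPLATE__NAME tokens."""
    # string.Template compiles a str `pattern` when the subclass is created;
    # the four group names are the ones Template.substitute() requires.
    pattern = (
        r"(?P<escaped>(?!))"                                     # no escape syntax
        r"|__MBEDTLS_TEST_TEMPLATE__(?P<named>[A-Z][_A-Z0-9]*)"   # placeholder
        r"|(?P<braced>(?!))"                                     # no ${...} syntax
        r"|(?P<invalid>__MBEDTLS_TEST_TEMPLATE__)"               # prefix without a valid name
    )
    flags = 0  # base class default is re.IGNORECASE; placeholders are upper case only


def write_test_source_file(template_file, c_file, snippets):
    # … unchanged: docstring …
    # Placeholder names in the template are upper case: convert once, not per line.
    snippets = {k.upper(): v for k, v in snippets.items()}
    with open(template_file, 'r') as template_f, open(c_file, 'w') as c_f:
        for line_no, line in enumerate(template_f.readlines(), 1):
            # Update line number. +1 as #line directive sets next line number
            snippets['LINE_NO'] = line_no + 1
            c_f.write(_MbedtlsTestTemplate(line).substitute(**snippets))
```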
@@ -3,17 +3,17 @@ * *** THIS FILE HAS BEEN MACHINE GENERATED *** * * This file has been machine generated using the script: - * $generator_script + * __MBEDTLS_TEST_TEMPLATE__GENERATOR_SCRIPT * - * Test file : $test_file + * Test file : __MBEDTLS_TEST_TEMPLATE__TEST_FILE * * The following files were used to create this file. * - * Main code file : $test_main_file - * Platform code file : $test_platform_file - * Helper file : $test_common_helper_file - * Test suite file : $test_case_file - * Test suite data : $test_case_data_file + * Main code file : __MBEDTLS_TEST_TEMPLATE__TEST_MAIN_FILE + * Platform code file : __MBEDTLS_TEST_TEMPLATE__TEST_PLATFORM_FILE + * Helper file : __MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPER_FILE + * Test suite file : __MBEDTLS_TEST_TEMPLATE__TEST_CASE_FILE + * Test suite data : __MBEDTLS_TEST_TEMPLATE__TEST_CASE_DATA_FILE * */ @@ -37,9 +37,9 @@ /*----------------------------------------------------------------------------*/ /* Common helper code */ -$test_common_helpers +__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS -#line $line_no "suites/main_test.function" +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" /*----------------------------------------------------------------------------*/ @@ -48,9 +48,9 @@ $test_common_helpers #define TEST_SUITE_ACTIVE -$functions_code +__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE -#line $line_no "suites/main_test.function" +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" /*----------------------------------------------------------------------------*/ @@ -62,7 +62,7 @@ $functions_code * For optimizing space for embedded targets each expression/macro * is identified by a unique identifier instead of string literals. * Identifiers and evaluation code is generated by script: - * $generator_script + * __MBEDTLS_TEST_TEMPLATE__GENERATOR_SCRIPT * * \param exp_id Expression identifier. * \param out_value Pointer to int to hold the integer. 
@@ -78,8 +78,8 @@ int get_expression( int32_t exp_id, int32_t * out_value ) switch( exp_id ) { -$expression_code -#line $line_no "suites/main_test.function" +__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" default: { ret = KEY_VALUE_MAPPING_NOT_FOUND; @@ -95,7 +95,7 @@ $expression_code * For optimizing space for embedded targets each dependency * is identified by a unique identifier instead of string literals. * Identifiers and check code is generated by script: - * $generator_script + * __MBEDTLS_TEST_TEMPLATE__GENERATOR_SCRIPT * * \param dep_id Dependency identifier. * @@ -109,8 +109,8 @@ int dep_check( int dep_id ) switch( dep_id ) { -$dep_check_code -#line $line_no "suites/main_test.function" +__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" default: break; } @@ -137,13 +137,13 @@ typedef void (*TestWrapper_t)( void **param_array ); /** * \brief Table of test function wrappers. Used by dispatch_test(). * This table is populated by script: - * $generator_script + * __MBEDTLS_TEST_TEMPLATE__GENERATOR_SCRIPT * */ TestWrapper_t test_funcs[] = { -$dispatch_code -#line $line_no "suites/main_test.function" +__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" }; /** @@ -219,9 +219,9 @@ int check_test( size_t func_idx ) } -$platform_code +__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE -#line $line_no "suites/main_test.function" +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" /*----------------------------------------------------------------------------*/ /* Main Test code */ From d25cab0327d40e05f5bd9ea84fb5cc61f820cdd8 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 12:48:30 +0800 Subject: [PATCH 079/413] Refactor debug helpers for exts and hs message 
Signed-off-by: Jerry Yu --- library/ssl_debug_helpers.h | 46 +++++++---- library/ssl_misc.h | 3 + library/ssl_tls.c | 146 +++++++++++++++++++++++++++++++++++ library/ssl_tls13_generic.c | 149 ------------------------------------ 4 files changed, 180 insertions(+), 164 deletions(-) diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 6b97bc6523..8fce87a985 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h 
@@ -43,27 +43,43 @@ const char *mbedtls_ssl_sig_alg_to_str( uint16_t in ); const char *mbedtls_ssl_named_group_to_str( uint16_t in ); -#endif /* MBEDTLS_DEBUG_C */ +const char *mbedtls_ssl_get_extension_name( unsigned int extension_type ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) -#if defined(MBEDTLS_DEBUG_C) +void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, uint32_t extensions_mask, + const char *extra ); -const char *mbedtls_tls13_get_extension_name( uint16_t extension_type ); +void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, + unsigned int extension_type, + const char *extra_msg0, + const char *extra_msg1 ); -void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, - int level, const char *file, int line, - int hs_msg_type, - uint32_t extensions_present ); +#define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type ) \ + mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__, \ + hs_msg_type, \ + ssl->handshake->sent_extensions, \ + "sent" ) -#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_type, extensions_present ) \ - mbedtls_ssl_tls13_print_extensions( \ - ssl, level, __FILE__, __LINE__, hs_msg_type, extensions_present ) +#define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type ) \ + mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__, \ + hs_msg_type, \ + ssl->handshake->received_extensions, \ + "received" ) + +#define MBEDTLS_SSL_PRINT_EXT_TYPE( level, hs_msg_type, extension_type, extra ) \ + mbedtls_ssl_print_extension_type( ssl, level, __FILE__, __LINE__, \ + hs_msg_type, extension_type, extra, NULL ) #else -#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present ) +#define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type ) -#endif +#define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type ) -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#define 
MBEDTLS_SSL_PRINT_EXT_TYPE( level, hs_msg_type, extension_type, extra ) -#endif /* SSL_DEBUG_HELPERS_H */ +#endif /* MBEDTLS_DEBUG_C */ + +#endif /* MBEDTLS_SSL_DEBUG_HELPERS_H */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 8ffdccb378..7c32969b2b 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -74,6 +74,9 @@ #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ +/* Faked handshake message identity for HelloRetryRequest. */ +#define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO ) + /* * Inernal identity of handshake extensions */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b3210c4155..7bc0a0cd5b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
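Review bot: The new `mbedtls_ssl_print_extension_type` and `mbedtls_ssl_print_extensions` prototypes carry no documentation, and their contract is not obvious from the header: `hs_msg_type` also accepts the faked `MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST` value added to ssl_misc.h in the same commit, `extra_msg1` may be NULL (the `MBEDTLS_SSL_PRINT_EXT_TYPE` macro always passes NULL), and `MBEDTLS_SSL_PRINT_SENT_EXTS`/`MBEDTLS_SSL_PRINT_RECEIVED_EXTS` silently require an `ssl` with a live `ssl->handshake` in the caller's scope. A short Doxygen block on each prototype would cover this, e.g. `/* hs_msg_type: an MBEDTLS_SSL_HS_* value, or MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST for HRR; extra_msg1 may be NULL. */`. The closing comment is changed to `MBEDTLS_SSL_DEBUG_HELPERS_H`, but the matching `#ifndef` at the top of the header lies outside the hunk; worth confirming it was renamed as well, otherwise the comment no longer matches the guard.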
@@ -616,6 +616,152 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ) return( 1 << mbedtls_ssl_get_extension_id( extension_type ) ); } +#if defined(MBEDTLS_DEBUG_C) +static const char *extension_name_table[] = { + [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unreognized", + [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name", + [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length", + [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request", + [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups", + [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms", + [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp", + [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat", + [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation", + [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp", + [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type", + [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type", + [MBEDTLS_SSL_EXT_ID_PADDING] = "padding", + [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key", + [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data", + [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions", + [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie", + [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes", + [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities", + [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters", + [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth", + [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert", + [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share", + [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac", + [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats", + [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac", + [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret", + [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket" +}; + +static unsigned int extension_type_tbl[]={ + [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff, + 
[MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME, + [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, + [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST, + [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, + [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG, + [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP, + [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT, + [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN, + [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT, + [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE, + [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE, + [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING, + [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY, + [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA, + [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, + [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE, + [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, + [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH, + [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS, + [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH, + [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT, + [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE, + [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC, + [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, + [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, + [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, + [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET +}; + +const char *mbedtls_ssl_get_extension_name( unsigned int extension_type ) +{ + return( extension_name_table[ + 
mbedtls_ssl_get_extension_id( extension_type ) ] ); +} + +static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type ) +{ + switch( hs_msg_type ) + { + case MBEDTLS_SSL_HS_CLIENT_HELLO: + return( "ClientHello" ); + case MBEDTLS_SSL_HS_SERVER_HELLO: + return( "ServerHello" ); + case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: + return( "HelloRetryRequest" ); + case MBEDTLS_SSL_HS_NEW_SESSION_TICKET: + return( "NewSessionTicket" ); + case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: + return( "EncryptedExtensions" ); + case MBEDTLS_SSL_HS_CERTIFICATE: + return( "Certificate" ); + case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: + return( "CertificateRequest" ); + } + return( NULL ); +} + +void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, + unsigned int extension_type, + const char *extra_msg0, + const char *extra_msg1 ) +{ + const char *extra_msg; + if( extra_msg0 && extra_msg1 ) + { + mbedtls_debug_print_msg( + ssl, level, file, line, + "%s: %s(%u) extension %s %s.", + ssl_tls13_get_hs_msg_name( hs_msg_type ), + mbedtls_ssl_get_extension_name( extension_type ), + extension_type, + extra_msg0, extra_msg1 ); + return; + } + + extra_msg = extra_msg0 ? 
extra_msg0 : extra_msg1; + if( extra_msg ) + { + mbedtls_debug_print_msg( + ssl, level, file, line, + "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name( hs_msg_type ), + mbedtls_ssl_get_extension_name( extension_type ), extension_type, + extra_msg ); + return; + } + + mbedtls_debug_print_msg( + ssl, level, file, line, + "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name( hs_msg_type ), + mbedtls_ssl_get_extension_name( extension_type ), extension_type ); +} + +void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, uint32_t extensions_mask, + const char *extra ) +{ + + for( unsigned i = 0; + i < sizeof( extension_name_table ) / sizeof( extension_name_table[0] ); + i++ ) + { + mbedtls_ssl_print_extension_type( + ssl, level, file, line, hs_msg_type, extension_type_tbl[i], + extensions_mask & ( 1 << i ) ? "was" : "was not", extra ); + } +} + +#endif /* MBEDTLS_DEBUG_C */ + void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) { diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 1bbd7f033b..a94bbef283 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
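Review bot: `ssl_tls13_get_hs_msg_name` returns NULL for any handshake type outside its switch, and all three `mbedtls_debug_print_msg` calls in `mbedtls_ssl_print_extension_type` feed that result straight into a `%s` conversion, which is undefined behaviour for a NULL pointer; the same hazard exists for `extension_name_table` if an `MBEDTLS_SSL_EXT_ID_*` value ever lacks a designated initialiser, since the gap is a NULL entry. Returning a fixed string is a one-line change, `return( "unknown" );`, and `mbedtls_ssl_get_extension_name` could likewise fall back to the `MBEDTLS_SSL_EXT_ID_UNRECOGNIZED` entry when the indexed element is NULL. The string for that entry is misspelt: `"unreognized"` should be `"unrecognized"`. Two points of style: `extension_type_tbl` is never written and should be `static const unsigned int`, and the loop in `mbedtls_ssl_print_extensions` masks a `uint32_t` with the `int` expression `1 << i`, where `1u << i` (or `mbedtls_ssl_get_extension_mask`, defined just above the hunk) keeps the shift unsigned and consistent. The hunk ends inside `mbedtls_ssl_optimize_checksum`, whose body is outside it.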
@@ -1529,155 +1529,6 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( } #endif /* MBEDTLS_ECDH_C */ -#if defined(MBEDTLS_DEBUG_C) -const char *mbedtls_tls13_get_extension_name( uint16_t extension_type ) -{ - switch( extension_type ) - { - case MBEDTLS_TLS_EXT_SERVERNAME: - return( "server_name" ); - - case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: - return( "max_fragment_length" ); - - case MBEDTLS_TLS_EXT_STATUS_REQUEST: - return( "status_request" ); - - case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: - return( "supported_groups" ); - - case MBEDTLS_TLS_EXT_SIG_ALG: - return( "signature_algorithms" ); - - case MBEDTLS_TLS_EXT_USE_SRTP: - return( "use_srtp" ); - - case MBEDTLS_TLS_EXT_HEARTBEAT: - return( "heartbeat" ); - - case MBEDTLS_TLS_EXT_ALPN: - return( "application_layer_protocol_negotiation" ); - - case MBEDTLS_TLS_EXT_SCT: - return( "signed_certificate_timestamp" ); - - case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: - return( "client_certificate_type" ); - - case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: - return( "server_certificate_type" ); - - case MBEDTLS_TLS_EXT_PADDING: - return( "padding" ); - - case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: - return( "pre_shared_key" ); - - case MBEDTLS_TLS_EXT_EARLY_DATA: - return( "early_data" ); - - case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: - return( "supported_versions" ); - - case MBEDTLS_TLS_EXT_COOKIE: - return( "cookie" ); - - case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: - return( "psk_key_exchange_modes" ); - - case MBEDTLS_TLS_EXT_CERT_AUTH: - return( "certificate_authorities" ); - - case MBEDTLS_TLS_EXT_OID_FILTERS: - return( "oid_filters" ); - - case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: - return( "post_handshake_auth" ); - - case MBEDTLS_TLS_EXT_SIG_ALG_CERT: - return( "signature_algorithms_cert" ); - - case MBEDTLS_TLS_EXT_KEY_SHARE: - return( "key_share" ); - }; - - return( "unknown" ); -} - -static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type ) -{ - switch( hs_msg_type ) - { - case MBEDTLS_SSL_HS_CLIENT_HELLO: - return( 
"ClientHello" ); - case MBEDTLS_SSL_HS_SERVER_HELLO: - return( "ServerHello" ); - case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value. - return( "HelloRetryRequest" ); - case MBEDTLS_SSL_HS_NEW_SESSION_TICKET: - return( "NewSessionTicket" ); - case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: - return( "EncryptedExtensions" ); - case MBEDTLS_SSL_HS_CERTIFICATE: - return( "Certificate" ); - case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: - return( "CertificateRequest" ); - } - return( NULL ); -} - -void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl, - int level, const char *file, int line, - int hs_msg_type, - uint32_t extensions_present ) -{ - static const struct{ - uint32_t extension_mask; - const char *extension_name; - } mask_to_str_table[] = { - { MBEDTLS_SSL_EXT_SERVERNAME, "server_name" }, - { MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH, "max_fragment_length" }, - { MBEDTLS_SSL_EXT_STATUS_REQUEST, "status_request" }, - { MBEDTLS_SSL_EXT_SUPPORTED_GROUPS, "supported_groups" }, - { MBEDTLS_SSL_EXT_SIG_ALG, "signature_algorithms" }, - { MBEDTLS_SSL_EXT_USE_SRTP, "use_srtp" }, - { MBEDTLS_SSL_EXT_HEARTBEAT, "heartbeat" }, - { MBEDTLS_SSL_EXT_ALPN, "application_layer_protocol_negotiation" }, - { MBEDTLS_SSL_EXT_SCT, "signed_certificate_timestamp" }, - { MBEDTLS_SSL_EXT_CLI_CERT_TYPE, "client_certificate_type" }, - { MBEDTLS_SSL_EXT_SERV_CERT_TYPE, "server_certificate_type" }, - { MBEDTLS_SSL_EXT_PADDING, "padding" }, - { MBEDTLS_SSL_EXT_PRE_SHARED_KEY, "pre_shared_key" }, - { MBEDTLS_SSL_EXT_EARLY_DATA, "early_data" }, - { MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS, "supported_versions" }, - { MBEDTLS_SSL_EXT_COOKIE, "cookie" }, - { MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES, "psk_key_exchange_modes" }, - { MBEDTLS_SSL_EXT_CERT_AUTH, "certificate_authorities" }, - { MBEDTLS_SSL_EXT_OID_FILTERS, "oid_filters" }, - { MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH, "post_handshake_auth" }, - { MBEDTLS_SSL_EXT_SIG_ALG_CERT, "signature_algorithms_cert" }, - { 
MBEDTLS_SSL_EXT_KEY_SHARE, "key_share" } }; - - mbedtls_debug_print_msg( ssl, level, file, line, - "extension list of %s:", - ssl_tls13_get_hs_msg_name( hs_msg_type ) ); - - for( unsigned i = 0; - i < sizeof( mask_to_str_table ) / sizeof( mask_to_str_table[0] ); - i++ ) - { - const char *extension_name = mask_to_str_table[i].extension_name; - uint32_t is_present = extensions_present & - mask_to_str_table[i].extension_mask; - - mbedtls_debug_print_msg( ssl, level, file, line, - "- %s extension ( %s )", extension_name, - is_present ? "true" : "false" ); - } -} - -#endif /* MBEDTLS_DEBUG_C */ - /* RFC 8446 section 4.2 * * If an implementation receives an extension which it recognizes and which is From 4b8f2f72668270e46b475c697565df0bbb305876 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 13:31:22 +0800 Subject: [PATCH 080/413] Refactor sent extension message output Signed-off-by: Jerry Yu --- library/ssl_client.c | 18 ++++++------------ library/ssl_tls.c | 4 ---- library/ssl_tls13_client.c | 26 ++++---------------------- library/ssl_tls13_generic.c | 2 ++ library/ssl_tls13_server.c | 10 ++++++++++ 5 files changed, 22 insertions(+), 38 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 16cef0204a..1c5b447fe0 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -108,10 +108,6 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SERVERNAME ); - MBEDTLS_SSL_DEBUG_MSG( - 4, ( "sent %s extension", - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_SERVERNAME ) ) ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); } 
@@ -186,10 +182,6 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_ALPN ); - MBEDTLS_SSL_DEBUG_MSG( - 4, ( "sent %s extension", - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_ALPN ) ) ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); } @@ -310,10 +302,8 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl, *out_len = p - buf; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ); - MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension", - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ) ) ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); @@ -684,6 +674,10 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, p_extensions_len, extensions_len ); } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO ); +#endif + *out_len = p - buf; return( 0 ); } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7bc0a0cd5b..04d2ef440b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8955,10 +8955,6 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SIG_ALG ); - MBEDTLS_SSL_DEBUG_MSG( - 4, ( "sent %s extension", - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_SIG_ALG ) ) ); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ return( 0 ); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 27747a2097..54101cb344 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -89,12 +89,10 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl, } *out_len = 5 + versions_len; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ); - MBEDTLS_SSL_DEBUG_MSG( - 4, ( "sent %s extension", - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ) ) ); + return( 0 ); } @@ -366,11 +364,6 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len ); mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE ); - MBEDTLS_SSL_DEBUG_MSG( - 4, ( "sent %s extension", - - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_KEY_SHARE ) ) ); cleanup: @@ -610,12 +603,8 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl, *out_len = handshake->hrr_cookie_len + 6; - mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE ); - MBEDTLS_SSL_DEBUG_MSG( - 4, ( "sent %s extension", - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_COOKIE ) ) ); + return( 0 ); } @@ -688,10 +677,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ); - MBEDTLS_SSL_DEBUG_MSG( - 4, ( "sent %s extension", - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ) ) ); + return ( 0 ); } @@ -1059,10 +1045,6 @@ int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY ); - MBEDTLS_SSL_DEBUG_MSG( - 4, ( "sent %s extension", - mbedtls_tls13_get_extension_name( - MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) ) ); return( 0 ); } diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index a94bbef283..1a17372837 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
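Review bot: The `@@ -610,12 +603,8 @@` hunk in `ssl_tls13_write_cookie_ext` removes the `mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE );` call together with the debug message, whereas the sibling hunks (supported_versions, key_share, psk_key_exchange_modes, pre_shared_key) keep their mask update and drop only the message. Unless the cookie bit is set somewhere outside this diff, `ssl->handshake->sent_extensions` no longer records the cookie, so the `MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO )` output added to ssl_client.c in this commit will report the cookie extension as not sent on the second ClientHello, and any later logic keyed on that mask will see the same. The commit message describes a pure output refactor, so the line should probably be restored: `mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE );`. The enclosing function begins before the hunk.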
@@ -887,6 +887,8 @@ static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl, *out_len = p - buf; + MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE ); + return( 0 ); } diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index f0f06b81a7..0239090f35 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2128,6 +2128,10 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len ); + MBEDTLS_SSL_PRINT_SENT_EXTS( + 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST : + MBEDTLS_SSL_HS_SERVER_HELLO ); + return( ret ); } @@ -2312,6 +2316,8 @@ static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len ); + MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS ); + return( 0 ); } @@ -2441,6 +2447,8 @@ static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl, *out_len = p - buf; + MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); + return( 0 ); } @@ -2834,6 +2842,8 @@ static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); + MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET ); + return( 0 ); } From 63a459cde5995c1909d873c707fae8fef09e8e37 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 13:38:40 +0800 Subject: [PATCH 081/413] Refactor client_hello parser and writer Signed-off-by: Jerry Yu --- library/ssl_client.c | 2 +- library/ssl_tls13_server.c | 42 ++++++++++++++++++-------------------- 2 files changed, 21 insertions(+), 23 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 1c5b447fe0..ebf0fa701e 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c 
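Review bot: In `ssl_tls13_write_new_session_ticket_body` the new `MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET );` sits after the `"<= write new session ticket"` message, which by the file's `=>`/`<=` convention marks the function's exit, so the extension list appears in the trace after the function has nominally returned; moving the macro above that `MBEDTLS_SSL_DEBUG_MSG` keeps the log readable. The other writers touched here (ServerHello/HRR, EncryptedExtensions, CertificateRequest, and Certificate in ssl_tls13_generic.c) print the same `sent_extensions` mask, but only the ClientHello writer visibly resets it (`handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;` in ssl_client.c); if the server-side writers do not reset the mask at the start of each message, the printed list accumulates across messages, which is worth confirming against the parts of those functions outside the hunks. All of these functions begin outside their hunks.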
@@ -564,7 +564,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Keeping track of the included extensions */ - handshake->sent_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; #endif /* First write extensions, then the total length */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 0239090f35..607347d730 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -940,9 +940,9 @@ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( { return( ssl_tls13_client_hello_has_exts( ssl, - MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | - MBEDTLS_SSL_EXT_KEY_SHARE | - MBEDTLS_SSL_EXT_SIG_ALG ) ); + MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | + MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | + MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) ); } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) @@ -952,8 +952,8 @@ static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange( { return( ssl_tls13_client_hello_has_exts( ssl, - MBEDTLS_SSL_EXT_PRE_SHARED_KEY | - MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) ); + MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | + MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) ); } MBEDTLS_CHECK_RETURN_CRITICAL @@ -962,10 +962,10 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( { return( ssl_tls13_client_hello_has_exts( ssl, - MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | - MBEDTLS_SSL_EXT_KEY_SHARE | - MBEDTLS_SSL_EXT_PRE_SHARED_KEY | - MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) ); + MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | + MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | + MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | + MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) ); } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 
@@ -1417,7 +1417,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len ); - handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; while( p < extensions_end ) { @@ -1432,7 +1432,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, * Servers MUST check that it is the last extension and otherwise fail * the handshake with an "illegal_parameter" alert. */ - if( handshake->received_extensions & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) + if( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key is not last extension." ) ); @@ -1555,7 +1555,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); if( ( handshake->received_extensions & - MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 ) + MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) == 0 ) { MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, @@ -1603,18 +1603,16 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ default: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "client hello: received %s(%u) extension ( ignored )", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); + MBEDTLS_SSL_PRINT_EXT_TYPE( + 3, MBEDTLS_SSL_HS_CLIENT_HELLO, + extension_type, "( ignored )" ); break; } p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( - 3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->received_extensions ); + MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO ); mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, 
@@ -1628,7 +1626,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, /* If we've settled on a PSK-based exchange, parse PSK identity ext */ if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) && mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && - ( handshake->received_extensions & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) ) + ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) ) ) { handshake->update_checksum( ssl, buf, pre_shared_key_ext - buf ); @@ -1639,12 +1637,12 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, cipher_suites_end ); if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) { - handshake->received_extensions &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY; + handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ); } else if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ), - ret ); + MBEDTLS_SSL_DEBUG_RET( + 1, "ssl_tls13_parse_pre_shared_key_ext" , ret ); return( ret ); } } From 9eba750916b751bb1cf1a1d4c0fc2c59bd7be64f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 13:46:16 +0800 Subject: [PATCH 082/413] Refactor encrypted extensions Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 54101cb344..082be20b35 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1989,7 +1989,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; - handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; while( p < extensions_end ) { 
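Review bot: The rewritten debug call in the @@ -1639 hunk has a stray space before the comma, `MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_pre_shared_key_ext" , ret );`, which does not match how the rest of the file formats macro arguments; it should read `MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_pre_shared_key_ext", ret );`. The change itself is correct as far as the hunk shows: the old call wrapped the text in parentheses as if it were a `MBEDTLS_SSL_DEBUG_MSG` argument list, and the new call passes a plain string as `MBEDTLS_SSL_DEBUG_RET` expects. The enclosing `ssl_tls13_parse_client_hello` body continues outside the hunk.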
@@ -2029,18 +2029,16 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, break; #endif /* MBEDTLS_SSL_ALPN */ default: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "encrypted extensions: received %s(%u) extension ( ignored )", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); + MBEDTLS_SSL_PRINT_EXT_TYPE( + 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, + extension_type, "( ignored )" ); break; } p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, - handshake->received_extensions ); + MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS ); /* Check that we consumed all the message. */ if( p != end ) From 6d0e78ba22cbaa19e4de862a79b03cdedefe4ff2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 14:13:25 +0800 Subject: [PATCH 083/413] Refactor certificate request Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 082be20b35..688eb52018 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2184,7 +2184,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); extensions_end = p + extensions_len; - handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; while( p < extensions_end ) { 
@@ -2217,19 +2217,16 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, break; default: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "certificate request: received %s(%u) extension ( ignored )", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); + MBEDTLS_SSL_PRINT_EXT_TYPE( + 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, + extension_type, "( ignored )" ); break; } p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, - MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, - handshake->received_extensions ); + MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); /* Check that we consumed all the message. */ if( p != end ) @@ -2243,7 +2240,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, * * The "signature_algorithms" extension MUST be specified */ - if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 ) + if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithms extension found" ) ); From 0d5cfb7703c51be78e71a6efd4548753ca7929c9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 14:15:48 +0800 Subject: [PATCH 084/413] Refactor Certificate Signed-off-by: Jerry Yu --- library/ssl_tls13_generic.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 1a17372837..a9c8c973f8 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -508,7 +508,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len ); extensions_end = p + extensions_len; - handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; while( p < extensions_end ) { 
@@ -537,18 +537,16 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, switch( extension_type ) { default: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "Certificate: received %s(%u) extension ( ignored )", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); + MBEDTLS_SSL_PRINT_EXT_TYPE( + 3, MBEDTLS_SSL_HS_CERTIFICATE, + extension_type, "( ignored )" ); break; } p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( - 3, MBEDTLS_SSL_HS_CERTIFICATE, handshake->received_extensions ); + MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE ); } exit: From edab637b515d4015c10c59b4ecc176e66bea62d1 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 14:37:31 +0800 Subject: [PATCH 085/413] Refactor new session ticket Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 20 +++++++------------- library/ssl_tls13_server.c | 2 ++ 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 688eb52018..b0a835f4e3 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2484,7 +2484,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, const unsigned char *p = buf; - handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; while( p < end ) { 
@@ -2500,30 +2500,24 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len ); ret = mbedtls_ssl_tls13_check_received_extension( - ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, - MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ); + ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type, + MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST ); if( ret != 0 ) return( ret ); switch( extension_type ) { - case MBEDTLS_TLS_EXT_EARLY_DATA: - MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) ); - break; - default: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "NewSessionTicket : received %s(%u) extension ( ignored )", - mbedtls_tls13_get_extension_name( extension_type ), - extension_type ) ); + MBEDTLS_SSL_PRINT_EXT_TYPE( + 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, + extension_type, "( ignored )" ); break; } p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( - 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, handshake->received_extensions ); + MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET ); return( 0 ); } diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 607347d730..f31e7ab89e 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2832,6 +2832,8 @@ static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl, * Note: We currently don't have any extensions. * Set length to zero. */ + ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); MBEDTLS_PUT_UINT16_BE( 0, p, 0 ); p += 2; From 50e00e3ac6b7c9f7940d0f459d727bd35a96c9fc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 31 Oct 2022 14:45:01 +0800 Subject: [PATCH 086/413] Refactor server hello Signed-off-by: Jerry Yu --- library/ssl_tls13_client.c | 24 ++++++++++-------------- library/ssl_tls13_server.c | 1 + 2 files changed, 11 insertions(+), 14 deletions(-) 
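Review bot: The switch from `MBEDTLS_SSL_HS_CLIENT_HELLO` / `MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH` to `MBEDTLS_SSL_HS_NEW_SESSION_TICKET` / `MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST` in the `mbedtls_ssl_tls13_check_received_extension` call is a behaviour change, not a refactor: it changes which extensions a NewSessionTicket is allowed to carry before the parser rejects the message, so it deserves a sentence in the commit message and a short comment at the call site such as `/* NewSessionTicket may only carry the extensions listed in ALLOWED_EXTS_OF_NST */`. Dropping the explicit `MBEDTLS_TLS_EXT_EARLY_DATA` case means early_data is now reported through the default branch as "( ignored )" at level 3 instead of as received at level 4; if the allow-list still admits it this is presumably intentional, but it is worth confirming. The enclosing `ssl_tls13_parse_new_session_ticket_exts` starts outside the hunk.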
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b0a835f4e3..fff0febed8 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1395,7 +1395,7 @@ static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl, ssl->session_negotiate->tls_version = ssl->tls_version; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ - handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; ret = ssl_server_hello_is_hrr( ssl, buf, end ); switch( ret ) @@ -1506,6 +1506,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info; int fatal_alert = 0; uint32_t allowed_extensions_mask; + int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST : + MBEDTLS_SSL_HS_SERVER_HELLO; /* * Check there is space for minimal fields @@ -1648,7 +1650,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len ); - handshake->received_extensions = MBEDTLS_SSL_EXT_NONE; + handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; allowed_extensions_mask = is_hrr ? MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR : MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH; @@ -1668,11 +1670,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, extension_data_end = p + extension_data_len; ret = mbedtls_ssl_tls13_check_received_extension( - ssl, - is_hrr ? - -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO, - extension_type, - allowed_extensions_mask ); + ssl, hs_msg_type, extension_type, allowed_extensions_mask ); if( ret != 0 ) return( ret ); 
@@ -1744,9 +1742,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_TLS1_3_PRINT_EXTS( - 3, is_hrr ? -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO, - handshake->received_extensions ); + MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, hs_msg_type ); cleanup: @@ -1797,20 +1793,20 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl ) * exchange mode is EPHEMERAL-only. */ switch( handshake->received_extensions & - ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) ) + ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ) ) { /* Only the pre_shared_key extension was received */ - case MBEDTLS_SSL_EXT_PRE_SHARED_KEY: + case MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ): handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; break; /* Only the key_share extension was received */ - case MBEDTLS_SSL_EXT_KEY_SHARE: + case MBEDTLS_SSL_EXT_MASK( KEY_SHARE ): handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; break; /* Both the pre_shared_key and key_share extensions were received */ - case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ): + case ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ): handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; break; diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index f31e7ab89e..288332865b 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2001,6 +2001,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, size_t output_len; *out_len = 0; + ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; /* ... * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 From f467d46bbbcee711d647441152d0f316a354e855 Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Mon, 7 Nov 2022 13:12:44 +0800 Subject: [PATCH 087/413] move get_srv_psk_list It can be reused in other test-suites Signed-off-by: Jerry Yu --- tests/opt-testcases/tls13-kex-modes.sh | 9 --------- tests/ssl-opt.sh | 10 ++++++++++ 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 4f62ed69bf..b1320c5b59 100755 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -18,15 +18,6 @@ # limitations under the License. # -get_srv_psk_list () -{ - case $(( TESTS % 3 )) in - 0) echo "psk_list=abc,dead,def,beef,Client_identity,6162636465666768696a6b6c6d6e6f70";; - 1) echo "psk_list=abc,dead,Client_identity,6162636465666768696a6b6c6d6e6f70,def,beef";; - 2) echo "psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef";; - esac -} - requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a75b3f593c..f264b5ed12 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1024,6 +1024,16 @@ is_gnutls() { esac } +# Generate random psk_list argument for ssl_server2 +get_srv_psk_list () +{ + case $(( TESTS % 3 )) in + 0) echo "psk_list=abc,dead,def,beef,Client_identity,6162636465666768696a6b6c6d6e6f70";; + 1) echo "psk_list=abc,dead,Client_identity,6162636465666768696a6b6c6d6e6f70,def,beef";; + 2) echo "psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef";; + esac +} + # Determine what calc_verify trace is to be expected, if any. # # calc_verify is only called for two things: to calculate the From 38860e2f1952ba6179ef24604c2ef9abb04ae9c7 Mon Sep 17 00:00:00 2001 
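Review bot: The comment added above the moved `get_srv_psk_list` in tests/ssl-opt.sh says "Generate random psk_list argument", but the function is deterministic: it selects one of three fixed orderings by `$(( TESTS % 3 ))`, so the same test number always yields the same list. A more accurate comment would be `# Rotate the psk_list argument for ssl_server2 through three fixed orderings, selected by the test counter`. The function body itself is moved unchanged from tls13-kex-modes.sh.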
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Nov 2022 10:05:49 +0100 Subject: [PATCH 088/413] Improve test suite detection in run-test-suites.pl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Looking for executables causes problems with leftover compiled test suites from other branches when we forget to run make clean before switching branches. Using the .data files is more robust as most of them are tracked, so will be removed when switching branches. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/run-test-suites.pl | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl index 22eadd1805..8a5bb937dc 100755 --- a/tests/scripts/run-test-suites.pl +++ b/tests/scripts/run-test-suites.pl @@ -50,11 +50,13 @@ GetOptions( 'verbose|v:1' => \$verbose, ) or die; -# All test suites = executable files, excluding source files, debug -# and profiling information, etc. We can't just grep {! /\./} because -# some of our test cases' base names contain a dot. -my @suites = grep { -x $_ || /\.exe$/ } glob 'test_suite_*'; -@suites = grep { !/\.c$/ && !/\.data$/ && -f } @suites; +# All test suites = executable files derived from a .data file. +my @suites = (); +for my $data_file (glob 'suites/test_suite_*.data') { + (my $base = $data_file) =~ s#^suites/(.*)\.data$#$1#; + push @suites, $base if -x $base; + push @suites, "$base.exe" if -e "$base.exe"; +} die "$0: no test suite found\n" unless @suites; # "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar" From 3f1606a1f68f65962a3cc45898a3658fe75115d1 Mon Sep 17 00:00:00 2001 
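Review bot: The new loop in tests/scripts/run-test-suites.pl drops the `-f` filter the old code applied, so `push @suites, $base if -x $base;` also accepts a directory named like a suite (directories are executable when searchable); `push @suites, $base if -f $base && -x $base;` keeps the old guard. The `.exe` branch uses `-e` rather than `-x`, which is presumably deliberate for Windows builds, but on a tree that has both `$base` and `$base.exe` both get pushed and run, as the old glob would also have done. The regex-derived `$base` relies on every `.data` file living directly under `suites/`, which matches the glob pattern used.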
From: Aditya Deshpande Date: Fri, 4 Nov 2022 16:55:57 +0000 Subject: [PATCH 089/413] Refactor call hierarchy for ECDH so that it goes through the driver wrapper in a similar fashion to ECDSA. Add component_test_psa_config_accel_ecdh to all.sh to test key agreement driver wrapper with libtestdriver1. Signed-off-by: Aditya Deshpande --- include/psa/crypto_config.h | 4 +- library/psa_crypto.c | 80 ++----------------- library/psa_crypto_ecp.c | 72 +++++++++++++++++ library/psa_crypto_ecp.h | 7 ++ .../crypto_config_test_driver_extension.h | 11 ++- tests/scripts/all.sh | 40 ++++++++++ tests/src/drivers/test_driver_key_agreement.c | 39 ++++++--- 7 files changed, 167 insertions(+), 86 deletions(-) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 5ab4fdef3a..9f8866b9ce 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -62,7 +62,7 @@ #define PSA_WANT_ALG_CHACHA20_POLY1305 1 #define PSA_WANT_ALG_CTR 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 -#define PSA_WANT_ALG_ECB_NO_PADDING 1 +//#define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_JPAKE 1 @@ -86,7 +86,7 @@ #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 -#define PSA_WANT_ALG_STREAM_CIPHER 1 +//#define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 86b84bf19a..07f3151214 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
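Review bot: The two hunks in include/psa/crypto_config.h comment out `PSA_WANT_ALG_ECB_NO_PADDING` and `PSA_WANT_ALG_STREAM_CIPHER` in the shipped default PSA configuration, which disables those algorithms for every user building with `MBEDTLS_PSA_CRYPTO_CONFIG`, yet neither the commit message nor the rest of the patch explains it. The all.sh component added in the same commit already unsets both symbols through `scripts/config.py -f include/psa/crypto_config.h unset ...`, so these header edits look like a local test configuration committed by accident and should be reverted to `#define PSA_WANT_ALG_ECB_NO_PADDING 1` and `#define PSA_WANT_ALG_STREAM_CIPHER 1`. If the change is intended, it needs a ChangeLog entry since it alters the default feature set.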
@@ -5735,62 +5735,6 @@ psa_status_t psa_key_derivation_input_key( /****************************************************************/ /* Key agreement */ /****************************************************************/ - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) -static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key, - size_t peer_key_length, - const mbedtls_ecp_keypair *our_key, - uint8_t *shared_secret, - size_t shared_secret_size, - size_t *shared_secret_length ) -{ - mbedtls_ecp_keypair *their_key = NULL; - mbedtls_ecdh_context ecdh; - psa_status_t status; - size_t bits = 0; - psa_ecc_family_t curve = mbedtls_ecc_group_to_psa( our_key->grp.id, &bits ); - mbedtls_ecdh_init( &ecdh ); - - status = mbedtls_psa_ecp_load_representation( - PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve), - bits, - peer_key, - peer_key_length, - &their_key ); - if( status != PSA_SUCCESS ) - goto exit; - - status = mbedtls_to_psa_error( - mbedtls_ecdh_get_params( &ecdh, their_key, MBEDTLS_ECDH_THEIRS ) ); - if( status != PSA_SUCCESS ) - goto exit; - status = mbedtls_to_psa_error( - mbedtls_ecdh_get_params( &ecdh, our_key, MBEDTLS_ECDH_OURS ) ); - if( status != PSA_SUCCESS ) - goto exit; - - status = mbedtls_to_psa_error( - mbedtls_ecdh_calc_secret( &ecdh, - shared_secret_length, - shared_secret, shared_secret_size, - mbedtls_psa_get_random, - MBEDTLS_PSA_RANDOM_STATE ) ); - if( status != PSA_SUCCESS ) - goto exit; - if( PSA_BITS_TO_BYTES( bits ) != *shared_secret_length ) - status = PSA_ERROR_CORRUPTION_DETECTED; - -exit: - if( status != PSA_SUCCESS ) - mbedtls_platform_zeroize( shared_secret, shared_secret_size ); - mbedtls_ecdh_free( &ecdh ); - mbedtls_ecp_keypair_free( their_key ); - mbedtls_free( their_key ); - - return( status ); -} -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ - #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attributes, 
@@ -5807,24 +5751,12 @@ psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attribut { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) case PSA_ALG_ECDH: - if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( attributes->core.type ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); - mbedtls_ecp_keypair *ecp = NULL; - psa_status_t status = mbedtls_psa_ecp_load_representation( - attributes->core.type, - attributes->core.bits, - key_buffer, - key_buffer_size, - &ecp ); - if( status != PSA_SUCCESS ) - return( status ); - status = psa_key_agreement_ecdh( peer_key, peer_key_length, - ecp, - shared_secret, shared_secret_size, - shared_secret_length ); - mbedtls_ecp_keypair_free( ecp ); - mbedtls_free( ecp ); - return( status ); + return( mbedtls_psa_key_agreement_ecdh( attributes, key_buffer, + key_buffer_size, alg, + peer_key, peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ default: (void) attributes; diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index 29f53b96e6..97baef9259 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c @@ -33,6 +33,7 @@ #include "mbedtls/platform.h" #include +#include #include #include 
@@ -464,4 +465,75 @@ cleanup: #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ +/****************************************************************/ +/* ECDH Key Agreement */ +/****************************************************************/ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +psa_status_t mbedtls_psa_key_agreement_ecdh( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length, + uint8_t *shared_secret, size_t shared_secret_size, + size_t *shared_secret_length ) +{ + if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( attributes->core.type ) || + ! PSA_ALG_IS_ECDH(alg) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + mbedtls_ecp_keypair *ecp = NULL; + psa_status_t status = mbedtls_psa_ecp_load_representation( + attributes->core.type, + attributes->core.bits, + key_buffer, + key_buffer_size, + &ecp ); + if( status != PSA_SUCCESS ) + return( status ); + mbedtls_ecp_keypair *their_key = NULL; + mbedtls_ecdh_context ecdh; + size_t bits = 0; + psa_ecc_family_t curve = mbedtls_ecc_group_to_psa( ecp->grp.id, &bits ); + mbedtls_ecdh_init( &ecdh ); + + status = mbedtls_psa_ecp_load_representation( + PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve), + bits, + peer_key, + peer_key_length, + &their_key ); + if( status != PSA_SUCCESS ) + goto exit; + + status = mbedtls_to_psa_error( + mbedtls_ecdh_get_params( &ecdh, their_key, MBEDTLS_ECDH_THEIRS ) ); + if( status != PSA_SUCCESS ) + goto exit; + status = mbedtls_to_psa_error( + mbedtls_ecdh_get_params( &ecdh, ecp, MBEDTLS_ECDH_OURS ) ); + if( status != PSA_SUCCESS ) + goto exit; + + status = mbedtls_to_psa_error( + mbedtls_ecdh_calc_secret( &ecdh, + shared_secret_length, + shared_secret, shared_secret_size, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE ) ); + if( status != PSA_SUCCESS ) + goto exit; + if( PSA_BITS_TO_BYTES( bits ) != *shared_secret_length ) + status = 
PSA_ERROR_CORRUPTION_DETECTED; + +exit: + if( status != PSA_SUCCESS ) + mbedtls_platform_zeroize( shared_secret, shared_secret_size ); + mbedtls_ecdh_free( &ecdh ); + mbedtls_ecp_keypair_free( their_key ); + mbedtls_free( their_key ); + mbedtls_ecp_keypair_free( ecp ); + mbedtls_free( ecp ); + return( status ); +} +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ + + #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h index 429c062719..5a7f6f2841 100644 --- a/library/psa_crypto_ecp.h +++ b/library/psa_crypto_ecp.h @@ -218,4 +218,11 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, const uint8_t *signature, size_t signature_length ); + +psa_status_t mbedtls_psa_key_agreement_ecdh( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length, + uint8_t *shared_secret, size_t shared_secret_size, + size_t *shared_secret_length ); #endif /* PSA_CRYPTO_ECP_H */ diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h index 0bbca4aefe..fbfe8da7ad 100644 --- a/tests/include/test/drivers/crypto_config_test_driver_extension.h +++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h @@ -54,6 +54,14 @@ #endif #endif +#if defined(PSA_WANT_ALG_ECDH) +#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) +#undef MBEDTLS_PSA_ACCEL_ALG_ECDH +#else +#define MBEDTLS_PSA_ACCEL_ALG_ECDH 1 +#endif +#endif + #if defined(PSA_WANT_ALG_MD5) #if defined(MBEDTLS_PSA_ACCEL_ALG_MD5) #undef MBEDTLS_PSA_ACCEL_ALG_MD5 
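Review bot: On the failure path under `exit:` in the new `mbedtls_psa_key_agreement_ecdh`, `shared_secret` is zeroized but `*shared_secret_length` is left as whatever `mbedtls_ecdh_calc_secret` wrote (the `PSA_ERROR_CORRUPTION_DETECTED` case) or untouched on earlier failures; adding `*shared_secret_length = 0;` next to the `mbedtls_platform_zeroize` call keeps the output length consistent with the wiped buffer. The `mbedtls_ecp_keypair *their_key`, `mbedtls_ecdh_context ecdh` and `bits` declarations sit after the first `return( status );`, which the surrounding code in this file avoids; moving them to the top of the function would match its style. This is the same body that psa_crypto.c previously had, with `ecp` now freed here rather than by the caller, which is correct.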
@@ -202,7 +210,6 @@ #define MBEDTLS_PSA_ACCEL_ALG_CCM 1 #define MBEDTLS_PSA_ACCEL_ALG_CMAC 1 #define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING 1 -#define MBEDTLS_PSA_ACCEL_ALG_ECDH 1 #define MBEDTLS_PSA_ACCEL_ALG_GCM 1 #define MBEDTLS_PSA_ACCEL_ALG_HKDF 1 #define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT 1 @@ -215,6 +222,7 @@ #define MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS 1 #if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) +#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) #define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256 1 #define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384 1 #define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512 1 @@ -229,6 +237,7 @@ #define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384 1 #define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521 1 #endif +#endif #define MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE 1 #define MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC 1 diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a4c6c86c1b..7f1723bcda 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
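Review bot: In the @@ -215 and @@ -229 hunks of crypto_config_test_driver_extension.h, the new `#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)` is nested inside the existing `#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)`, so the `MBEDTLS_PSA_ACCEL_ECC_*` curve macros are now defined only when both algorithms are accelerated, and a build that accelerates ECDH alone gets no curve acceleration from this block. If the intent is to enable the curves whenever either algorithm is accelerated, a single `#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)` expresses that; if "both" is intended, a comment saying so would prevent the next reader from asking the same question. I am inferring the intent from the new all.sh component, which accelerates ECDH without ECDSA.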
@@ -1885,6 +1885,46 @@ component_test_psa_crypto_config_accel_ecdsa () { make test } +component_test_psa_crypto_config_accel_ecdh () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + # SHA384 needed for some ECDSA signature tests. + scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_SHA384_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_SHA512_C + + loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS=" -g3 $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + # Restore test driver base configuration + scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA384_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA512_C + + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include 
-I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 -g3 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + not grep mbedtls_ecdh_ library/ecdh.o + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" + make test +} + component_test_psa_crypto_config_accel_rsa_signature () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c index 884899ff2e..ccea61dd7d 100644 --- a/tests/src/drivers/test_driver_key_agreement.c +++ b/tests/src/drivers/test_driver_key_agreement.c @@ -19,15 +19,22 @@ #include +#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) + #include "psa/crypto.h" #include "psa_crypto_core.h" +#include "psa_crypto_ecp.h" #include "test/drivers/key_agreement.h" #include "test/drivers/test_driver.h" #include +#include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) +#include "libtestdriver1/include/psa/crypto.h" +#include "libtestdriver1/library/psa_crypto_ecp.h" +#endif mbedtls_test_driver_key_agreement_hooks_t mbedtls_test_driver_key_agreement_hooks = MBEDTLS_TEST_DRIVER_KEY_AGREEMENT_INIT; 
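Review bot: In the new `component_test_psa_crypto_config_accel_ecdh` the same `msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"` appears twice, once at the top before the builds and again just before `make test`; the first should presumably be `msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH"` so the log distinguishes the build phase from the test phase. The comment `# SHA384 needed for some ECDSA signature tests.` was carried over from the ECDSA component; in an ECDH component it should say which ECDH tests need SHA-384/SHA-512, or be dropped together with the two `set`/`unset` pairs if nothing here needs them. The `not grep mbedtls_ecdh_ library/ecdh.o` check is a good guard that the builtin implementation is really compiled out.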
@@ -58,16 +65,30 @@ psa_status_t mbedtls_test_transparent_key_agreement( return( PSA_SUCCESS ); } - return( psa_key_agreement_raw_builtin( + if( PSA_ALG_IS_ECDH(alg) ) + { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + (LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDH) + return( libtestdriver1_mbedtls_psa_key_agreement_ecdh( + (const libtestdriver1_psa_key_attributes_t *) attributes, + key_buffer, key_buffer_size, + alg, peer_key, peer_key_length, + shared_secret, shared_secret_size, + shared_secret_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) + return( mbedtls_psa_key_agreement_ecdh( attributes, - key_buffer, - key_buffer_size, - alg, - peer_key, - peer_key_length, - shared_secret, - shared_secret_size, + key_buffer, key_buffer_size, + alg, peer_key, peer_key_length, + shared_secret, shared_secret_size, shared_secret_length ) ); +#endif + } + else + { + return( PSA_ERROR_INVALID_ARGUMENT ); + } + } #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ From 5567c660cd3ec3db1e893af6adad31161d43f673 Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Mon, 7 Nov 2022 10:43:29 +0000 Subject: [PATCH 090/413] Fix formatting and code comments Signed-off-by: Aditya Deshpande --- library/psa_crypto_ecp.c | 3 +- library/psa_crypto_ecp.h | 44 ++++++++++++++++++- tests/src/drivers/test_driver_key_agreement.c | 2 +- 3 files changed, 46 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index 97baef9259..b840426ab5 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c 
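Review bot: In `mbedtls_test_transparent_key_agreement`, the `if( PSA_ALG_IS_ECDH(alg) )` branch only returns under `#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && (LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDH)` or `#elif defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)`; when neither holds the branch is empty and control falls off the end of a non-void function, which is undefined behaviour and will at least draw a compiler warning. Add `#else` / `return( PSA_ERROR_NOT_SUPPORTED );` before the `#endif` so every configuration returns a status. The second condition also tests `LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDH` by value rather than with `defined()`, unlike the surrounding checks; using `defined()` consistently avoids depending on the macro expanding to a non-zero literal.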
@@ -468,8 +468,9 @@ cleanup: /****************************************************************/ /* ECDH Key Agreement */ /****************************************************************/ + #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) -psa_status_t mbedtls_psa_key_agreement_ecdh( +psa_status_t mbedtls_psa_key_agreement_ecdh( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length, diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h index 5a7f6f2841..386e87aa9f 100644 --- a/library/psa_crypto_ecp.h +++ b/library/psa_crypto_ecp.h 
@@ -219,7 +219,49 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
     psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
     const uint8_t *signature, size_t signature_length );
-psa_status_t mbedtls_psa_key_agreement_ecdh(
+
+/** Perform a key agreement and return the raw ECDH shared secret.
+ *
+ * \note The signature of this function is that of a PSA driver
+ *       key_agreement entry point. This function behaves as a key_agreement
+ *       entry point as defined in the PSA driver interface specification for
+ *       transparent drivers.
+ *
+ * \param[in]  attributes           The attributes of the key to use for the
+ *                                  operation.
+ * \param[in]  key_buffer           The buffer containing the private key
+ *                                  context.
+ * \param[in]  key_buffer_size      Size of the \p key_buffer buffer in
+ *                                  bytes.
+ * \param[in]  alg                  A key agreement algorithm that is
+ *                                  compatible with the type of the key.
+ * \param[in]  peer_key             The buffer containing the key context
+ *                                  of the peer's public key.
+ * \param[in]  peer_key_length      Size of the \p peer_key buffer in
+ *                                  bytes.
+ * \param[out] shared_secret        The buffer to which the shared secret
+ *                                  is to be written.
+ * \param[in]  shared_secret_size   Size of the \p shared_secret buffer in
+ *                                  bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that make
+ *                                  up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ *         Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         \p alg is not a key agreement algorithm, or
+ *         \p private_key is not compatible with \p alg,
+ *         or \p peer_key is not valid for \p alg or not compatible with
+ *         \p private_key.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ *         \p shared_secret_size is too small
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ *         \p alg is not a supported key agreement algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t mbedtls_psa_key_agreement_ecdh(
     const psa_key_attributes_t *attributes,
     const uint8_t *key_buffer, size_t key_buffer_size,
     psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c
index ccea61dd7d..393a81a237 100644
--- a/tests/src/drivers/test_driver_key_agreement.c
+++ b/tests/src/drivers/test_driver_key_agreement.c
@@ -82,7 +82,7 @@ psa_status_t mbedtls_test_transparent_key_agreement(
                     alg, peer_key, peer_key_length,
                     shared_secret, shared_secret_size,
                     shared_secret_length ) );
-#endif
+#endif
     }
     else
     {
From 7ba7b3aded7f51051213704edc6c6e710cdee9aa Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Wed, 19 Oct 2022 17:22:15 +0200
Subject: [PATCH 091/413] Update tests to use mbedtls_test_read_mpi_core
In conditional assign and swap tests use the mbedtls_test_read_mpi_core function for reading MPIs.
Signed-off-by: Gabor Mezei
---
 tests/suites/test_suite_bignum_core.function | 54 +++++----------
 .../suites/test_suite_bignum_mod_raw.function | 70 ++++++------------
 2 files changed, 39 insertions(+), 85 deletions(-)
diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function
index f50fd07e41..021b7b31cf 100644
--- a/tests/suites/test_suite_bignum_core.function
+++ b/tests/suites/test_suite_bignum_core.function
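Review bot: The new doc comment for mbedtls_psa_key_agreement_ecdh refers to `\p private_key` twice under `#PSA_ERROR_INVALID_ARGUMENT`, but the function has no parameter of that name; the private key arrives as `key_buffer` (described by `attributes`), so those lines should read `\p key_buffer is not compatible with \p alg,` and `… or not compatible with \p key_buffer.` so Doxygen does not emit a dangling reference. The `#PSA_ERROR_INVALID_HANDLE` and `#PSA_ERROR_NOT_PERMITTED` entries look carried over from the public psa_key_agreement() API; an entry point that already receives the key material has no handle to resolve or policy to check, so they are probably unreachable here — confirm and drop them if so. The declaration itself continues past the end of the hunk.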
@@ -345,14 +345,18 @@ exit:
 /* END_CASE */
 /* BEGIN_CASE */
-void mpi_core_cond_assign( data_t * input_X,
-                           data_t * input_Y,
+void mpi_core_cond_assign( char * input_X,
+                           char * input_Y,
                            int input_bytes )
 {
     mbedtls_mpi_uint *X = NULL;
     mbedtls_mpi_uint *Y = NULL;
-    size_t limbs_X = CHARS_TO_LIMBS( input_X->len );
-    size_t limbs_Y = CHARS_TO_LIMBS( input_Y->len );
+    size_t limbs_X;
+    size_t limbs_Y;
+
+    TEST_EQUAL( mbedtls_test_read_mpi_core( &X, &limbs_X, input_X ), 0 );
+    TEST_EQUAL( mbedtls_test_read_mpi_core( &Y, &limbs_Y, input_Y ), 0 );
+
     size_t limbs = limbs_X;
     size_t copy_limbs = CHARS_TO_LIMBS( input_bytes );
     size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
@@ -361,24 +365,12 @@ void mpi_core_cond_assign( data_t * input_X,
     TEST_EQUAL( limbs_X, limbs_Y );
     TEST_ASSERT( copy_limbs <= limbs );
-    ASSERT_ALLOC( X, limbs );
-    ASSERT_ALLOC( Y, limbs );
-
-    TEST_ASSERT( mbedtls_mpi_core_read_be( X, limbs, input_X->x, input_X->len )
-                 == 0 );
-
-    TEST_ASSERT( mbedtls_mpi_core_read_be( Y, limbs, input_Y->x, input_Y->len )
-                 == 0 );
-
     /* condition is false */
     TEST_CF_SECRET( X, bytes );
     TEST_CF_SECRET( Y, bytes );
     mbedtls_mpi_core_cond_assign( X, Y, copy_limbs, 0 );
-    TEST_CF_PUBLIC( X, bytes );
-    TEST_CF_PUBLIC( Y, bytes );
-
     TEST_ASSERT( memcmp( X, Y, bytes ) != 0 );
     /* condition is true */
@@ -387,9 +379,6 @@ void mpi_core_cond_assign( data_t * input_X,
     mbedtls_mpi_core_cond_assign( X, Y, copy_limbs, 1 );
-    TEST_CF_PUBLIC( X, bytes );
-    TEST_CF_PUBLIC( Y, bytes );
-
     /* Check if the given length is copied even it is smaller than the length of the given MPIs. */
     if( copy_limbs < limbs )
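Review bot: The `@@ -361,24 +365,12 @@` and `@@ -387,9 +379,6 @@` hunks drop the `TEST_CF_PUBLIC( X, bytes ); TEST_CF_PUBLIC( Y, bytes );` pairs that followed each `mbedtls_mpi_core_cond_assign` call while the `TEST_CF_SECRET` marking before the call stays, so the `memcmp` and `ASSERT_COMPARE` checks now read memory still marked secret, which is precisely what the constant-flow instrumentation reports. The same removal is made in the cond_swap and mod_raw hunks on the following lines, and PATCH 092 in this series puts the calls back, so the two commits are better squashed than landed separately. mpi_core_cond_assign's body continues outside these hunks.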
@@ -407,16 +396,20 @@ exit:
 /* END_CASE */
 /* BEGIN_CASE */
-void mpi_core_cond_swap( data_t * input_X,
-                         data_t * input_Y,
+void mpi_core_cond_swap( char * input_X,
+                         char * input_Y,
                          int input_bytes )
 {
     mbedtls_mpi_uint *tmp_X = NULL;
     mbedtls_mpi_uint *tmp_Y = NULL;
     mbedtls_mpi_uint *X = NULL;
     mbedtls_mpi_uint *Y = NULL;
-    size_t limbs_X = CHARS_TO_LIMBS( input_X->len );
-    size_t limbs_Y = CHARS_TO_LIMBS( input_Y->len );
+    size_t limbs_X;
+    size_t limbs_Y;
+
+    TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_X, &limbs_X, input_X ), 0 );
+    TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_Y, &limbs_Y, input_Y ), 0 );
+
     size_t limbs = limbs_X;
     size_t copy_limbs = CHARS_TO_LIMBS( input_bytes );
     size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
@@ -425,18 +418,9 @@ void mpi_core_cond_swap( data_t * input_X,
     TEST_EQUAL( limbs_X, limbs_Y );
     TEST_ASSERT( copy_limbs <= limbs );
-    ASSERT_ALLOC( tmp_X, limbs );
-    ASSERT_ALLOC( tmp_Y, limbs );
-
-    TEST_ASSERT( mbedtls_mpi_core_read_be( tmp_X, limbs,
-                                           input_X->x, input_X->len )
-                 == 0 );
     ASSERT_ALLOC( X, limbs );
     memcpy( X, tmp_X, bytes );
-    TEST_ASSERT( mbedtls_mpi_core_read_be( tmp_Y, limbs,
-                                           input_Y->x, input_Y->len )
-                 == 0 );
     ASSERT_ALLOC( Y, limbs );
     memcpy( Y, tmp_Y, bytes );
@@ -446,9 +430,6 @@ void mpi_core_cond_swap( data_t * input_X,
     mbedtls_mpi_core_cond_swap( X, Y, copy_limbs, 0 );
-    TEST_CF_PUBLIC( X, bytes );
-    TEST_CF_PUBLIC( Y, bytes );
-
     ASSERT_COMPARE( X, bytes, tmp_X, bytes );
     ASSERT_COMPARE( Y, bytes, tmp_Y, bytes );
@@ -458,9 +439,6 @@ void mpi_core_cond_swap( data_t * input_X,
     mbedtls_mpi_core_cond_swap( X, Y, copy_limbs, 1 );
-    TEST_CF_PUBLIC( X, bytes );
-    TEST_CF_PUBLIC( Y, bytes );
-
     /* Check if the given length is copied even it is smaller than the length of the given MPIs. */
     if( copy_limbs < limbs )
diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index 8ac1ef4977..556cca07f0 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -110,16 +110,20 @@ exit:
 /* END_CASE */
 /* BEGIN_CASE */
-void mpi_mod_raw_cond_assign( data_t * input_X,
-                              data_t * input_Y,
+void mpi_mod_raw_cond_assign( char * input_X,
+                              char * input_Y,
                               int input_bytes )
 {
     mbedtls_mpi_uint *X = NULL;
     mbedtls_mpi_uint *Y = NULL;
     mbedtls_mpi_uint *buff_m = NULL;
     mbedtls_mpi_mod_modulus m;
-    size_t limbs_X = CHARS_TO_LIMBS( input_X->len );
-    size_t limbs_Y = CHARS_TO_LIMBS( input_Y->len );
+    size_t limbs_X;
+    size_t limbs_Y;
+
+    TEST_EQUAL( mbedtls_test_read_mpi_core( &X, &limbs_X, input_X ), 0 );
+    TEST_EQUAL( mbedtls_test_read_mpi_core( &Y, &limbs_Y, input_Y ), 0 );
+
     size_t limbs = limbs_X;
     size_t copy_limbs = CHARS_TO_LIMBS( input_bytes );
     size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
@@ -130,24 +134,12 @@ void mpi_mod_raw_cond_assign( data_t * input_X,
     TEST_EQUAL( limbs_X, limbs_Y );
     TEST_ASSERT( copy_limbs <= limbs );
-    ASSERT_ALLOC( X, limbs );
-    ASSERT_ALLOC( Y, limbs );
-
-    ASSERT_ALLOC( buff_m, limbs );
-    memset( buff_m, 0xFF, copy_bytes );
-    TEST_ASSERT( mbedtls_mpi_mod_modulus_setup(
+    ASSERT_ALLOC( buff_m, copy_limbs );
+    memset( buff_m, 0xFF, copy_limbs );
+    TEST_EQUAL( mbedtls_mpi_mod_modulus_setup(
                      &m, buff_m, copy_limbs,
                      MBEDTLS_MPI_MOD_EXT_REP_BE,
-                     MBEDTLS_MPI_MOD_REP_MONTGOMERY )
-                 == 0 );
-
-    TEST_ASSERT( mbedtls_mpi_core_read_be( X, limbs,
-                                           input_X->x, input_X->len )
-                 == 0 );
-
-    TEST_ASSERT( mbedtls_mpi_core_read_be( Y, limbs,
-                                           input_Y->x, input_Y->len )
-                 == 0 );
+                     MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 );
     /* condition is false */
     TEST_CF_SECRET( X, bytes );
@@ -155,9 +147,6 @@ void mpi_mod_raw_cond_assign( data_t * input_X,
     mbedtls_mpi_mod_raw_cond_assign( X, Y, &m, 0 );
-    TEST_CF_PUBLIC( X, bytes );
-    TEST_CF_PUBLIC( Y, bytes );
-
     TEST_ASSERT( memcmp( X, Y, bytes ) != 0 );
     /* condition is true */
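Review bot: `memset( buff_m, 0xFF, copy_limbs );` in the `@@ -130,24 +134,12 @@` hunk passes a limb count where memset expects a byte count, so only the first `copy_limbs` bytes of the `copy_limbs`-limb modulus buffer are set to 0xFF and the remainder keeps whatever `ASSERT_ALLOC` left there; the line it replaces used `copy_bytes`, and the unambiguous form is `memset( buff_m, 0xFF, copy_limbs * sizeof( mbedtls_mpi_uint ) );`. The same line is introduced in the mpi_mod_raw_cond_swap hunk on the next physical line. Whether this changes the test outcome depends on whether mbedtls_mpi_mod_raw_cond_assign reads the modulus value or only its limb count, which is not visible here, but the intended all-ones modulus is lost either way.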
@@ -166,9 +155,6 @@ void mpi_mod_raw_cond_assign( data_t * input_X, mbedtls_mpi_mod_raw_cond_assign( X, Y, &m, 1 ); - TEST_CF_PUBLIC( X, bytes ); - TEST_CF_PUBLIC( Y, bytes ); - /* Check if the given length is copied even it is smaller than the length of the given MPIs. */ if( copy_limbs len ); - size_t limbs_Y = CHARS_TO_LIMBS( input_Y->len ); + size_t limbs_X; + size_t limbs_Y; + + TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_X, &limbs_X, input_X ), 0 ); + TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_Y, &limbs_Y, input_Y ), 0 ); + size_t limbs = limbs_X; size_t copy_limbs = CHARS_TO_LIMBS( input_bytes ); size_t bytes = limbs * sizeof( mbedtls_mpi_uint ); @@ -211,24 +201,16 @@ void mpi_mod_raw_cond_swap( data_t * input_X, TEST_EQUAL( limbs_X, limbs_Y ); TEST_ASSERT( copy_limbs <= limbs ); - ASSERT_ALLOC( tmp_X, limbs ); - ASSERT_ALLOC( tmp_Y, limbs ); - ASSERT_ALLOC( buff_m, copy_limbs ); - memset( buff_m, 0xFF, copy_bytes ); - TEST_ASSERT( mbedtls_mpi_mod_modulus_setup( + memset( buff_m, 0xFF, copy_limbs ); + TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( &m, buff_m, copy_limbs, MBEDTLS_MPI_MOD_EXT_REP_BE, - MBEDTLS_MPI_MOD_REP_MONTGOMERY ) - == 0 ); + MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 ); - TEST_ASSERT( mbedtls_mpi_core_read_be( tmp_X, limbs, input_X->x, input_X->len ) - == 0 ); ASSERT_ALLOC( X, limbs ); memcpy( X, tmp_X, bytes ); - TEST_ASSERT( mbedtls_mpi_core_read_be( tmp_Y, limbs, input_Y->x, input_Y->len ) - == 0 ); ASSERT_ALLOC( Y, bytes ); memcpy( Y, tmp_Y, bytes ); @@ -238,9 +220,6 @@ void mpi_mod_raw_cond_swap( data_t * input_X, mbedtls_mpi_mod_raw_cond_swap( X, Y, &m, 0 ); - TEST_CF_PUBLIC( X, bytes ); - TEST_CF_PUBLIC( Y, bytes ); - ASSERT_COMPARE( X, bytes, tmp_X, bytes ); ASSERT_COMPARE( Y, bytes, tmp_Y, bytes ); 
@@ -250,9 +229,6 @@ void mpi_mod_raw_cond_swap( data_t * input_X,
     mbedtls_mpi_mod_raw_cond_swap( X, Y, &m, 1 );
-    TEST_CF_PUBLIC( X, bytes );
-    TEST_CF_PUBLIC( Y, bytes );
-
     /* Check if the given length is copied even it is smaller than the length of the given MPIs. */
     if( copy_limbs < limbs )
From a8cf998bc9569ce29dae28c3387a44882d226cdc Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Thu, 20 Oct 2022 12:27:36 +0200
Subject: [PATCH 092/413] Let the allocated memory visible for the memory sanitizer
Signed-off-by: Gabor Mezei
---
 tests/suites/test_suite_bignum_core.function | 15 +++++++++++++++
 tests/suites/test_suite_bignum_mod_raw.function | 12 ++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function
index 021b7b31cf..612a7c6bd4 100644
--- a/tests/suites/test_suite_bignum_core.function
+++ b/tests/suites/test_suite_bignum_core.function
@@ -371,6 +371,9 @@ void mpi_core_cond_assign( char * input_X,
     mbedtls_mpi_core_cond_assign( X, Y, copy_limbs, 0 );
+    TEST_CF_PUBLIC( X, bytes );
+    TEST_CF_PUBLIC( Y, bytes );
+
     TEST_ASSERT( memcmp( X, Y, bytes ) != 0 );
     /* condition is true */
@@ -379,10 +382,16 @@ void mpi_core_cond_assign( char * input_X,
     mbedtls_mpi_core_cond_assign( X, Y, copy_limbs, 1 );
+    TEST_CF_PUBLIC( X, bytes );
+    TEST_CF_PUBLIC( Y, bytes );
+
     /* Check if the given length is copied even it is smaller than the length of the given MPIs. */
     if( copy_limbs < limbs )
     {
+        TEST_CF_PUBLIC( X, bytes );
+        TEST_CF_PUBLIC( Y, bytes );
+
         ASSERT_COMPARE( X, copy_bytes, Y, copy_bytes );
         TEST_ASSERT( memcmp( X, Y, bytes ) != 0 );
     }
@@ -430,6 +439,9 @@ void mpi_core_cond_swap( char * input_X,
     mbedtls_mpi_core_cond_swap( X, Y, copy_limbs, 0 );
+    TEST_CF_PUBLIC( X, bytes );
+    TEST_CF_PUBLIC( Y, bytes );
+
     ASSERT_COMPARE( X, bytes, tmp_X, bytes );
     ASSERT_COMPARE( Y, bytes, tmp_Y, bytes );
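Review bot: In the `@@ -379,10 +382,16 @@` hunk of mpi_core_cond_assign the `TEST_CF_PUBLIC( X, bytes ); TEST_CF_PUBLIC( Y, bytes );` pair is added both directly after `mbedtls_mpi_core_cond_assign( X, Y, copy_limbs, 1 )` and again inside `if( copy_limbs < limbs )`; the second pair re-marks memory that is already public and can be dropped. Every other hunk in this commit adds one pair per call, which is the consistent form. mpi_core_cond_assign's body continues outside the hunk.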
@@ -439,6 +451,9 @@ void mpi_core_cond_swap( char * input_X,
     mbedtls_mpi_core_cond_swap( X, Y, copy_limbs, 1 );
+    TEST_CF_PUBLIC( X, bytes );
+    TEST_CF_PUBLIC( Y, bytes );
+
     /* Check if the given length is copied even it is smaller than the length of the given MPIs. */
     if( copy_limbs < limbs )
diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index 556cca07f0..4b906751f2 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -147,6 +147,9 @@ void mpi_mod_raw_cond_assign( char * input_X,
     mbedtls_mpi_mod_raw_cond_assign( X, Y, &m, 0 );
+    TEST_CF_PUBLIC( X, bytes );
+    TEST_CF_PUBLIC( Y, bytes );
+
     TEST_ASSERT( memcmp( X, Y, bytes ) != 0 );
     /* condition is true */
@@ -155,6 +158,9 @@ void mpi_mod_raw_cond_assign( char * input_X,
     mbedtls_mpi_mod_raw_cond_assign( X, Y, &m, 1 );
+    TEST_CF_PUBLIC( X, bytes );
+    TEST_CF_PUBLIC( Y, bytes );
+
     /* Check if the given length is copied even it is smaller than the length of the given MPIs. */
     if( copy_limbs
Date: Mon, 7 Nov 2022 15:28:49 +0100
Subject: [PATCH 093/413] Fix outdated reference in debug message
Signed-off-by: Jan Bruckner
---
 library/ssl_msg.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 4cd4107ca1..dbc6391885 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1797,8 +1797,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
     if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
-                                    "or mbedtls_ssl_set_bio()" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " ) );
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
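Review bot: The reworked message `"Bad usage of mbedtls_ssl_set_bio() "` keeps the trailing space that used to join it to the removed `"or mbedtls_ssl_set_bio()"` fragment, so the debug line now ends in a blank; `MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio()" ) );` is the cleaner form. The same applies to the mbedtls_ssl_flush_output hunk on the next line.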
@@ -2013,8 +2012,7 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
     if( ssl->f_send == NULL )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
-                                    "or mbedtls_ssl_set_bio()" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " ) );
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
From ec6bb5879adf411c4c1df1388e9d429363cf6398 Mon Sep 17 00:00:00 2001
From: Aditya Deshpande
Date: Mon, 7 Nov 2022 17:11:48 +0000
Subject: [PATCH 094/413] Disabled tests in test_suite_ssl that won't work without builtin ECDH
Signed-off-by: Aditya Deshpande
---
 tests/scripts/all.sh | 4 ++--
 tests/suites/test_suite_ssl.data | 36 ++++++++++++++++----------------
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 7f1723bcda..2b78a4f46c 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1899,7 +1899,7 @@ component_test_psa_crypto_config_accel_ecdh () {
     loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
     loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
-    make -C tests libtestdriver1.a CFLAGS=" -g3 $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
+    make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
     # Restore test driver base configuration
     scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA384_C
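Review bot: Both all.sh hunks in this commit drop `-g3` from the CFLAGS of component_test_psa_crypto_config_accel_ecdh, which is not what the subject ("Disabled tests in test_suite_ssl …") describes and is not mentioned in the message; either restore the flag or state in the commit message why the debug-info level is being changed. If the intent is to keep the libtestdriver1 build and the main build on the same flags, a one-line comment above the first `make` such as `# Build without -g3 so the driver and library use identical CFLAGS` would keep that reasoning with the code. The second hunk (`@@ -1917,7 +1917,7 @@`) is on the next line, and the function continues outside both hunks.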
@@ -1917,7 +1917,7 @@ component_test_psa_crypto_config_accel_ecdh () {
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
     loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
-    make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 -g3 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
+    make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
     not grep mbedtls_ecdh_ library/ecdh.o
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 1210694526..6f63e7331b 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -262,11 +262,11 @@ depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_
 handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:0
 Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
-depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
 handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:0
 Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C
 handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:0
 Handshake, PSK-WITH-AES-128-CBC-SHA
@@ -290,11 +290,11 @@ depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_
 handshake_cipher:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:1
 DTLS Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
-depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS
+depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS
 handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:1
 DTLS Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_DTLS
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_SSL_PROTO_DTLS
 handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:1
 DTLS Handshake, PSK-WITH-AES-128-CBC-SHA
@@ -402,59 +402,59 @@ depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C: handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, non-opaque -depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH -depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256 
-depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg -depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad usage -depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO 
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad alg 
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad usage -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_ANY_HASH -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384 -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO 
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_384):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing alg -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing usage -depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Sending app data via TLS, MFL=512 without fragmentation From 82ba274c01378f9e7e5ff72ffae6d8819d157309 Mon Sep 17 00:00:00 2001 
From: Glenn Strauss
Date: Fri, 4 Nov 2022 04:01:23 -0400
Subject: [PATCH 095/413] Deprecate mbedtls_asn1_free_named_data()
Signed-off-by: Glenn Strauss
---
 ChangeLog.d/mbedtls_asn1_type_free.txt | 4 ++++
 include/mbedtls/asn1.h | 16 ++++++++++++----
 library/asn1parse.c | 2 ++
 tests/suites/test_suite_asn1parse.data | 5 +++++
 tests/suites/test_suite_asn1parse.function | 4 ++--
 5 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/ChangeLog.d/mbedtls_asn1_type_free.txt b/ChangeLog.d/mbedtls_asn1_type_free.txt
index 87ac5ec5bb..81f3a2007f 100644
--- a/ChangeLog.d/mbedtls_asn1_type_free.txt
+++ b/ChangeLog.d/mbedtls_asn1_type_free.txt
@@ -1,2 +1,6 @@
 Features
    * Shared code to free x509 structs like mbedtls_x509_named_data
+New deprecations
+   * Deprecate mbedtls_asn1_free_named_data().
+     Use mbedtls_asn1_free_named_data_list()
+     or mbedtls_asn1_free_named_data_list_shallow()
diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h
index 5d274950ae..8b66ee228c 100644
--- a/include/mbedtls/asn1.h
+++ b/include/mbedtls/asn1.h
@@ -24,6 +24,7 @@
 #include "mbedtls/private_access.h"
 #include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
 #include
@@ -606,22 +607,29 @@ int mbedtls_asn1_get_alg_null( unsigned char **p, const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( const mbedtls_asn1_named_data *list, const char *oid, size_t len ); +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief Free a mbedtls_asn1_named_data entry * + * \deprecated This function is deprecated and will be removed in a + * future version of the library. + * Please use mbedtls_asn1_free_named_data_list() + * or mbedtls_asn1_free_named_data_list_shallow(). + * * \param entry The named data entry to free. * This function calls mbedtls_free() on * `entry->oid.p` and `entry->val.p`. */ -void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry ); +void MBEDTLS_DEPRECATED mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry ); +#endif /* MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Free all entries in a mbedtls_asn1_named_data list. * * \param head Pointer to the head of the list of named data entries to free. - * This function calls mbedtls_asn1_free_named_data() and - * mbedtls_free() on each list element and - * sets \c *head to \c NULL. + * This function calls mbedtls_free() on + * `entry->oid.p` and `entry->val.p` and then on `entry` + * for each list entry, and sets \c *head to \c NULL. */ void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head ); diff --git a/library/asn1parse.c b/library/asn1parse.c index 4bc17710c0..28a3b144bf 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -431,6 +431,7 @@ int mbedtls_asn1_get_alg_null( unsigned char **p, return( 0 ); } +#if !defined(MBEDTLS_DEPRECATED_REMOVED) void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *cur ) { if( cur == NULL ) @@ -441,6 +442,7 @@ void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *cur ) mbedtls_platform_zeroize( cur, sizeof( mbedtls_asn1_named_data ) ); } +#endif /* MBEDTLS_DEPRECATED_REMOVED */ void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head ) { 
diff --git a/tests/suites/test_suite_asn1parse.data b/tests/suites/test_suite_asn1parse.data index 36ab1e481c..c129e3c8f7 100644 --- a/tests/suites/test_suite_asn1parse.data +++ b/tests/suites/test_suite_asn1parse.data @@ -608,18 +608,23 @@ Find named data: first match find_named_data:"414141":"414141":"434343":"444444":"414141":0:0 Free named data: null pointer +depends_on:MBEDTLS_TEST_DEPRECATED free_named_data_null: Free named data: all null +depends_on:MBEDTLS_TEST_DEPRECATED free_named_data:0:0:0 Free named data: with oid +depends_on:MBEDTLS_TEST_DEPRECATED free_named_data:1:0:0 Free named data: with val +depends_on:MBEDTLS_TEST_DEPRECATED free_named_data:0:1:0 Free named data: with next +depends_on:MBEDTLS_TEST_DEPRECATED free_named_data:0:0:1 Free named data list (empty) diff --git a/tests/suites/test_suite_asn1parse.function b/tests/suites/test_suite_asn1parse.function index 002d8c4269..dac8e312b8 100644 --- a/tests/suites/test_suite_asn1parse.function +++ b/tests/suites/test_suite_asn1parse.function @@ -735,7 +735,7 @@ void find_named_data( data_t *oid0, data_t *oid1, data_t *oid2, data_t *oid3, } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:!MBEDTLS_DEPRECATED_REMOVED */ void free_named_data_null( ) { mbedtls_asn1_free_named_data( NULL ); @@ -743,7 +743,7 @@ void free_named_data_null( ) } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:!MBEDTLS_DEPRECATED_REMOVED */ void free_named_data( int with_oid, int with_val, int with_next ) { mbedtls_asn1_named_data next = From aa36c2a6f66a2db081238f3e202ca28a625fae3b Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Mon, 7 Nov 2022 20:08:54 -0500 Subject: [PATCH 096/413] Update tests/suites/test_suite_asn1parse.function Co-authored-by: Andrzej Kurek Signed-off-by: Glenn Strauss --- tests/suites/test_suite_asn1parse.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/suites/test_suite_asn1parse.function b/tests/suites/test_suite_asn1parse.function index dac8e312b8..6d7e49ee47 100644 --- a/tests/suites/test_suite_asn1parse.function +++ b/tests/suites/test_suite_asn1parse.function @@ -743,7 +743,7 @@ void free_named_data_null( ) } /* END_CASE */ -/* BEGIN_CASE depends_on:!MBEDTLS_DEPRECATED_REMOVED */ +/* BEGIN_CASE depends_on:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING */ void free_named_data( int with_oid, int with_val, int with_next ) { mbedtls_asn1_named_data next = From 2a642996483a26166aa20284d46540a10a992aa7 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Mon, 7 Nov 2022 20:09:38 -0500 Subject: [PATCH 097/413] Update tests/suites/test_suite_asn1parse.function Co-authored-by: Andrzej Kurek Signed-off-by: Glenn Strauss --- tests/suites/test_suite_asn1parse.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_asn1parse.function b/tests/suites/test_suite_asn1parse.function index 6d7e49ee47..62669b35f1 100644 --- a/tests/suites/test_suite_asn1parse.function +++ b/tests/suites/test_suite_asn1parse.function @@ -735,7 +735,7 @@ void find_named_data( data_t *oid0, data_t *oid1, data_t *oid2, data_t *oid3, } /* END_CASE */ -/* BEGIN_CASE depends_on:!MBEDTLS_DEPRECATED_REMOVED */ +/* BEGIN_CASE depends_on:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING */ void free_named_data_null( ) { mbedtls_asn1_free_named_data( NULL ); From 0750d08601df0c68f25ee0f929732f67c252f7ed Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 8 Nov 2022 02:25:01 -0500 Subject: [PATCH 098/413] Add comments for some forbidden aliasing in bignum Signed-off-by: Glenn Strauss --- include/mbedtls/bignum.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index ee37430488..9d15955f34 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h 
@@ -758,11 +758,11 @@ int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, * * \param Q The destination MPI for the quotient. * This may be \c NULL if the value of the - * quotient is not needed. + * quotient is not needed. This must not alias A or B. * \param R The destination MPI for the remainder value. * This may be \c NULL if the value of the - * remainder is not needed. - * \param A The dividend. This must point to an initialized MPi. + * remainder is not needed. This must not alias A or B. + * \param A The dividend. This must point to an initialized MPI. * \param B The divisor. This must point to an initialized MPI. * * \return \c 0 if successful. @@ -779,10 +779,10 @@ int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, * * \param Q The destination MPI for the quotient. * This may be \c NULL if the value of the - * quotient is not needed. + * quotient is not needed. This must not alias A. * \param R The destination MPI for the remainder value. * This may be \c NULL if the value of the - * remainder is not needed. + * remainder is not needed. This must not alias A. * \param A The dividend. This must point to an initialized MPi. * \param b The divisor. * @@ -837,6 +837,7 @@ int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, * \brief Perform a sliding-window exponentiation: X = A^E mod N * * \param X The destination MPI. This must point to an initialized MPI. + * This must not alias E or N. * \param A The base of the exponentiation. * This must point to an initialized MPI. * \param E The exponent MPI. This must point to an initialized MPI. From e5991328ffaa3139f6a747cd6a68fbac55e931aa Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 7 Nov 2022 14:03:44 +0800 Subject: [PATCH 099/413] fix tls13 psk only test fail 
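Review bot: The `MPi` typo is corrected in the mbedtls_mpi_div_mpi hunk but survives as context in the mbedtls_mpi_div_int hunk right below it: ` * \param A The dividend. This must point to an initialized MPi.` should also become `This must point to an initialized MPI.` while these lines are being edited. The new "must not alias" sentences would be more useful to a caller if they said what happens on violation — whether the functions detect the overlap and return an error or silently produce a wrong quotient/remainder; the hunk does not show the implementation, so word that only after confirming it against bignum.c.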
Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 17 ++++++-- tests/opt-testcases/tls13-misc.sh | 70 +++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 4 deletions(-) create mode 100755 tests/opt-testcases/tls13-misc.sh diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 288332865b..598ca91bfa 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -934,6 +934,7 @@ static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl, return( masked == exts_mask ); } +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) @@ -944,8 +945,9 @@ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) ); } +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ -#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange( mbedtls_ssl_context *ssl ) @@ -955,7 +957,9 @@ static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) ); } +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */ +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) 
@@ -967,19 +971,24 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) ); } -#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) { +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) && ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) ); +#else + ((void) ssl); + return( 0 ); +#endif } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) && mbedtls_ssl_tls13_psk_enabled( ssl ) && ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) ); @@ -992,7 +1001,7 @@ static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) && mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) && ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) ); diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh new file mode 100755 index 0000000000..661b3500b1 --- /dev/null +++ b/tests/opt-testcases/tls13-misc.sh 
@@ -0,0 +1,70 @@ +#!/bin/sh + +# tls13-misc.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +requires_gnutls_tls1_3 +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "TLS 1.3: G->m: PSK: configured psk only, good." 
\ + "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \ + "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \ + --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \ + localhost" \ + 0 \ + -s "found psk key exchange modes extension" \ + -s "found pre_shared_key extension" \ + -s "Found PSK_EPHEMERAL KEX MODE" \ + -s "Found PSK KEX MODE" \ + -s "key exchange mode: psk$" + +requires_gnutls_tls1_3 +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "TLS 1.3: G->m: PSK: configured psk_ephemeral only, good." \ + "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \ + "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \ + --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \ + localhost" \ + 0 \ + -s "found psk key exchange modes extension" \ + -s "found pre_shared_key extension" \ + -s "Found PSK_EPHEMERAL KEX MODE" \ + -s "Found PSK KEX MODE" \ + -s "key exchange mode: psk_ephemeral$" + +requires_gnutls_tls1_3 +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +run_test "TLS 1.3: G->m: PSK: configured ephemeral only, good." 
\ + "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \ + "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \ + --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \ + localhost" \ + 0 \ + -s "key exchange mode: ephemeral$" + From ca7d5065562b90210374fb2cf9c08c400879d8e1 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 31 May 2022 14:43:23 +0200 Subject: [PATCH 100/413] Use PSA PAKE API when MBEDTLS_USE_PSA_CRYPTO is selected Signed-off-by: Neil Armstrong Signed-off-by: Valerio Setti --- library/ssl_misc.h | 9 +- library/ssl_tls.c | 131 ++++++++++++++++++++++++ library/ssl_tls12_client.c | 195 +++++++++++++++++++++++++++++++++++- library/ssl_tls12_server.c | 197 ++++++++++++++++++++++++++++++++++++- 4 files changed, 527 insertions(+), 5 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 41bb9c514d..8b96243507 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -50,7 +50,8 @@ #include "mbedtls/sha512.h" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + !defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/ecjpake.h" #endif @@ -663,7 +664,13 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ + mbedtls_svc_key_id_t psa_pake_password; + uint8_t psa_pake_ctx_is_ok; +#else mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ size_t ecjpake_cache_len; /*!< Length of cached data */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5200d90443..ebada7a394 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -668,7 +668,12 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) mbedtls_ecdh_init( &handshake->ecdh_ctx ); #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + handshake->psa_pake_ctx = psa_pake_operation_init(); + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) handshake->ecjpake_cache = NULL; handshake->ecjpake_cache_len = 0; 
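Review bot: The PSA branch initialises `psa_pake_ctx` and `psa_pake_password` but not the new `psa_pake_ctx_is_ok` flag, which later hunks of this commit (ssl_write_ecjpake_kkpp_ext, mbedtls_ssl_validate_ciphersuite, the server's ssl_parse_ecjpake_kkpp) compare against 1 to decide whether EC J-PAKE may be used. If ssl_handshake_params_init zeroes the whole struct before this point that is harmless, but that memset is outside the hunk; an explicit `handshake->psa_pake_ctx_is_ok = 0;` beside the other two assignments makes the invariant local and survives a future change to the zeroing. The function starts and ends outside the hunk.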
@@ -1615,11 +1620,75 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, const unsigned char *pw, size_t pw_len ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_pake_role_t psa_role; + psa_status_t status; +#else mbedtls_ecjpake_role role; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( ssl->handshake == NULL || ssl->conf == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + psa_role = PSA_PAKE_ROLE_SERVER; + else + psa_role = PSA_PAKE_ROLE_CLIENT; + + + if( pw_len > 0 ) + { + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); + + status = psa_import_key( &attributes, pw, pw_len, + &ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); + psa_pake_cs_set_primitive( &cipher_suite, + PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, + 256) ); + psa_pake_cs_set_hash( &cipher_suite, PSA_ALG_SHA_256 ); + + status = psa_pake_setup( &ssl->handshake->psa_pake_ctx, &cipher_suite ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_pake_set_role( &ssl->handshake->psa_pake_ctx, psa_role ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + if( pw_len > 0 ) + { + psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, + ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( 
ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } + + ssl->handshake->psa_pake_ctx_is_ok = 1; + + return( 0 ); +#else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) role = MBEDTLS_ECJPAKE_SERVER; else @@ -1630,6 +1699,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -3665,7 +3735,13 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_abort( &handshake->psa_pake_ctx ); + psa_destroy_key( handshake->psa_pake_password ); + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) mbedtls_free( handshake->ecjpake_cache ); handshake->ecjpake_cache = NULL; 
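Review bot: In the second `pw_len > 0` block the return value of psa_pake_set_password_key() is dropped, so the `if( status != PSA_SUCCESS )` that follows re-tests the status left by psa_pake_set_role() and a failure to attach the password key is never reported; the call should be `status = psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, ssl->handshake->psa_pake_password );`. When pw_len is 0 the function still sets `psa_pake_ctx_is_ok = 1` with no key bound, so the error surfaces only at the first psa_pake_output() deep in the handshake — if an empty password is not meant to be accepted, return MBEDTLS_ERR_SSL_BAD_INPUT_DATA here instead. Every PSA failure is mapped to MBEDTLS_ERR_SSL_HW_ACCEL_FAILED whereas the client/server hunks of this commit use `psa_ssl_status_to_mbedtls( status )`; one mapping would keep diagnostics consistent. Calling this function twice on the same handshake would also overwrite an already imported key id without psa_destroy_key() and run psa_pake_setup() on a set-up operation; guarding on the existing `psa_pake_ctx_is_ok` flag, or aborting/destroying first, covers that.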
@@ -5879,6 +5955,55 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, else #endif { +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + psa_status_t status; + psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; + psa_key_derivation_operation_t derivation = + PSA_KEY_DERIVATION_OPERATION_INIT; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PMS KDF for ECJPAKE" ) ); + + handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; + + status = psa_key_derivation_setup( &derivation, alg ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_key_derivation_set_capacity( &derivation, + PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_pake_get_implicit_key( &handshake->psa_pake_ctx, + &derivation ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_key_derivation_output_bytes( &derivation, + handshake->premaster, + handshake->pmslen ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_key_derivation_abort( &derivation ); + if( status != PSA_SUCCESS ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } +#endif ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, lbl, seed, seed_len, master, @@ -5917,6 +6042,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) return( ret ); } + /* Compute master secret if needed */ ret = ssl_compute_master( ssl->handshake, ssl->session_negotiate->master, 
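Review bot: `handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;` is assigned before any of the derivation calls succeed, so every error return in the block leaves a non-zero pmslen paired with an unfilled premaster; moving the assignment after psa_key_derivation_output_bytes() keeps the two fields consistent on failure. As in the password-setup hunk, all PSA errors collapse to MBEDTLS_ERR_SSL_HW_ACCEL_FAILED while the TLS 1.2 client/server hunks translate with `psa_ssl_status_to_mbedtls( status )`; a PSA_ERROR_BAD_STATE from psa_pake_get_implicit_key() (round two not completed) is not an accelerator fault and should stay distinguishable. Style: the block's closing `#endif` is bare while every other new guard in the commit repeats its condition, so `#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */` would match. ssl_compute_master starts and ends outside the hunk.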
@@ -8620,8 +8746,13 @@ int mbedtls_ssl_validate_ciphersuite( #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && + ssl->handshake->psa_pake_ctx_is_ok != 1 ) +#else if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { return( -1 ); } diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 5360b3cb7f..3d25e4003f 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -130,15 +130,24 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, const unsigned char *end, size_t *olen ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *p = buf; size_t kkpp_len; *olen = 0; /* Skip costly extension if we can't use EC J-PAKE anyway */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) + return( 0 ); +#else if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 
@@ -158,6 +167,43 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t output_offset = 0; + size_t output_len; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(p + 2 + output_offset) = 65; + } else { + *(p + 2 + output_offset) = 32; + } + output_offset += 1; + + status = psa_pake_output( &ssl->handshake->psa_pake_ctx, + step, p + 2 + output_offset, + end - p - output_offset - 2, + &output_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + } + + kkpp_len = output_offset; +#else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, ssl->conf->f_rng, ssl->conf->p_rng ); @@ -167,6 +213,7 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, "mbedtls_ecjpake_write_round_one", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); if( ssl->handshake->ecjpake_cache == NULL ) 
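Review bot: The one-byte length prefix written before each psa_pake_output() call is the constant 65 or 32 rather than the `output_len` the call actually reports, so if the PSA implementation ever emits a different encoding (a compressed point, a different proof length) the extension is silently mis-framed and the peer's parser — which in this commit trusts exactly that byte — reads the wrong slice. Reserve the byte, make the call, then fill the byte in from output_len and fail if it does not fit in one byte; the sketch below keeps the rest of the loop as it is. The loop comment's `ZF_PROOF` should read `ZK_PROOF`.

```c
            /* Reserve one byte for the length; fill it in after the call */
            unsigned char *len_byte = p + 2 + output_offset;
            output_offset += 1;

            status = psa_pake_output( &ssl->handshake->psa_pake_ctx,
                                      step, p + 2 + output_offset,
                                      end - p - output_offset - 2,
                                      &output_len );
            /* … unchanged: PSA status check, key destroy, abort, return … */

            if( output_len > 255 )
            {
                psa_destroy_key( ssl->handshake->psa_pake_password );
                psa_pake_abort( &ssl->handshake->psa_pake_ctx );
                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
            }
            *len_byte = (unsigned char) output_len;
            output_offset += output_len;
```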
@@ -849,10 +896,11 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, p[0] ); -#endif +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -876,6 +924,9 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, size_t len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( ssl->handshake->ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 
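Review bot: Under MBEDTLS_USE_PSA_CRYPTO the negotiated point format is no longer handed to the J-PAKE context, yet the extension is still parsed and logged as "point format selected", and the PSA writers elsewhere in this commit emit whatever psa_pake_output() produces under a fixed 65-byte label. If the peer selects a compressed format the two sides would disagree on the encoding; either reject anything but uncompressed in the PSA build here, or add a comment stating that EC J-PAKE over PSA only supports uncompressed points — I cannot tell from the hunk which of the two the PSA PAKE API guarantees, so confirm before choosing. The `#endif` comment fix is fine.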
@@ -889,6 +940,52 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache = NULL; ssl->handshake->ecjpake_cache_len = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t input_offset = 0; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto psa_pake_error; + } + + status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto psa_pake_error; + } + + input_offset += length; + } + } + + return( 0 ); + +psa_pake_error: + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + + return( ret ); +#else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { @@ -901,6 +998,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 
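Review bot: Each iteration reads the length byte with `size_t length = buf[input_offset];` before any check that `input_offset < len`, so a ServerHello extension that ends exactly on a field boundary (or an empty one, len == 0) makes the parser read one byte past the extension data; add `if( input_offset >= len ) { ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; goto psa_pake_error; }` ahead of that read. Nothing verifies `input_offset == len` after the six fields, so trailing garbage is accepted, whereas the legacy mbedtls_ecjpake_read_round_one() it replaces is, as far as I recall, strict about consuming the whole input — confirm and add the check if so. On the error path psa_destroy_key() is called but `psa_pake_password` keeps the stale id and `psa_pake_ctx_is_ok` stays 1, so mbedtls_ssl_handshake_free() (in this same commit) destroys the id a second time; if the PSA core has reassigned that volatile id to another key in the meantime, the wrong key is destroyed — reset the id to MBEDTLS_SVC_KEY_ID_INIT and clear the flag wherever the key is destroyed early.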
@@ -2296,6 +2394,61 @@ start_processing: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; + size_t len = end - p; + size_t input_offset = 0; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + size_t length; + + if( step == PSA_PAKE_STEP_KEY_SHARE ) + { + /* Length is stored after 3bytes curve */ + length = p[input_offset + 3]; + input_offset += 3 + 1; + } + else + { + /* Length is stored at the first byte */ + length = p[input_offset]; + input_offset += 1; + } + + if( input_offset + length > len ) + { + ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + goto psa_pake_out; + } + + status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, + p + input_offset, length ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto psa_pake_out; + } + + input_offset += length; + } + +psa_pake_out: + if( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } +#else ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); if( ret != 0 ) @@ -2307,6 +2460,7 @@ start_processing: MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 
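Review bot: The KEY_SHARE step reads `length = p[input_offset + 3]` and skips three bytes without first checking `len >= 4`, and the skipped bytes — the ECCurveType and named-curve id the server chose — are never compared with the expected secp256r1 encoding, so a ServerKeyExchange announcing another curve is fed to the PSA operation as if it were the negotiated one; add `if( len < 4 ) { ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; goto psa_pake_out; }` plus a comparison of `p[0..2]` with the named_curve/secp256r1 bytes (to my recollection the legacy mbedtls_ecjpake_read_round_two() performed that check — confirm). The other two steps read their length byte unchecked in the same way as round one, and nothing asserts `input_offset == len` at the end. The success path falls through to `psa_pake_out:` and relies on `ret` already being 0 from earlier in ssl_parse_server_key_exchange, which is outside the hunk; an explicit `ret = 0;` just before the label removes that dependency.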
@@ -3235,6 +3389,42 @@ ecdh_calc_secret: { header_len = 4; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *out_p = ssl->out_msg + header_len; + unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - + header_len; + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(out_p + output_offset) = 65; + } else { + *(out_p + output_offset) = 32; + } + output_offset += 1; + status = psa_pake_output( &ssl->handshake->psa_pake_ctx, + step, out_p + output_offset, + end_p - out_p - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + + content_len = output_offset; +#else ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, ssl->out_msg + header_len, MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, @@ -3254,6 +3444,7 @@ ecdh_calc_secret: MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 71f703c7ff..68b4d09883 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
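Review bot: `end_p` is computed as `ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - header_len`, which subtracts header_len at the end of the buffer as well as adding it at `out_p`, so psa_pake_output() is offered header_len bytes less than the legacy call passed (`MBEDTLS_SSL_OUT_CONTENT_LEN - header_len` starting at `out_msg + header_len`); it should be `unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;`. Harmless for today's sizes, but it is the kind of double-subtraction that turns into a spurious buffer-too-small error later. The hard-coded 65/32 length prefixes have the same weakness as in the ClientHello writer: set the byte from `output_len` after the call and bail out if it exceeds 255. The hunk also drops the legacy mbedtls_ecjpake_derive_secret() call — with PSA the premaster is produced in ssl_compute_master() — which deserves a one-line comment here so the next reader does not look for a missing derivation; the enclosing function continues outside the hunk.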
@@ -268,10 +268,11 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, p[0] ); -#endif +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -292,13 +293,52 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, size_t len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) +#else if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); return( 0 ); } +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t input_offset = 0; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto psa_pake_error; + } + + status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto psa_pake_error; + } + + input_offset += length; + } + } +#else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { 
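Review bot: As on the client side, `size_t length = buf[input_offset];` runs before any check that `input_offset < len`, so a ClientHello whose ecjpake_kkpp extension ends exactly after a field (or is empty) makes the server read one byte beyond the extension; guard it with `if( input_offset >= len ) { ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; goto psa_pake_error; }`. This is attacker-controlled input on the server, so a test case with a truncated extension would be worth adding alongside the fix. A trailing-data check `if( input_offset != len )` after the two rounds would keep parity with the legacy parser if mbedtls_ecjpake_read_round_one() is strict about consuming its input (confirm).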
@@ -307,11 +347,26 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Only mark the extension as OK when we're sure it is */ ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; return( 0 ); + +#if defined(MBEDTLS_USE_PSA_CRYPTO) +psa_pake_error: + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + + return( ret ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -1973,7 +2028,11 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *p = buf; const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; size_t kkpp_len; 
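Review bot: The new `psa_pake_error` path sends `MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE` for a malformed or rejected kkpp extension, while the legacy path just above it answers the same condition with `MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER`, so the alert a peer sees now depends on the build configuration. Using `MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER` here keeps both builds consistent, or a comment should say why they differ. Since the jumps to this label come from the loop in the previous hunk, a one-line comment such as `/* Error path for the PSA round-one input loop above */` would help the reader.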
@@ -1996,6 +2055,42 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 ); p += 2; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t output_offset = 0; + size_t output_len; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(p + 2 + output_offset) = 65; + } else { + *(p + 2 + output_offset) = 32; + } + output_offset += 1; + status = psa_pake_output( &ssl->handshake->psa_pake_ctx, + step, p + 2 + output_offset, + end - p - output_offset - 2, + &output_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); + return; + } + + output_offset += output_len; + } + } + + kkpp_len = output_offset; +#else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, ssl->conf->f_rng, ssl->conf->p_rng ); @@ -2004,6 +2099,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); return; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 ); p += 2; 
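Review bot: The length-prefix byte is stored at `p + 2 + output_offset` without checking that this position is still below `end`; only the following `psa_pake_output` call is bounded, so once `output_offset` reaches `end - p - 2` the store lands one past the buffer and the size expression `end - p - output_offset - 2` wraps to a huge `size_t`. Guard before the store, e.g. `if( p + 2 + output_offset >= end ) return;` (the function is `void`, so `*olen` must already hold a safe value on this path — its initialisation is outside the hunk, please confirm). The same unchecked store is in the client round-two hunk above and in `ssl_prepare_server_key_exchange` below.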
@@ -2807,6 +2903,61 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *out_p = ssl->out_msg + ssl->out_msglen; + unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - + ssl->out_msglen; + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + size_t ec_len; + +#if !defined(MBEDTLS_ECJPAKE_ALT) + psa_pake_operation_t* pake_op = &(ssl->handshake->psa_pake_ctx); + + mbedtls_ecp_tls_write_group( &(pake_op->ctx.ecjpake.grp), + &ec_len, out_p + output_offset, + end_p - out_p); +#else + const mbedtls_ecp_curve_info *curve_info; + + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; + + MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p + 1, 0 ); + ec_len = 3; +#endif //MBEDTLS_PSA_BUILTIN_ALG_JPAKE + output_offset += ec_len; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(out_p + output_offset) = 65; + } else { + *(out_p + output_offset) = 32; + } + output_offset += 1; + status = psa_pake_output( &ssl->handshake->psa_pake_ctx, + step, out_p + output_offset, + end_p - out_p - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + + ssl->out_msglen += output_offset; +#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; 
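Review bot: The return value of `mbedtls_ecp_tls_write_group` is discarded, so on failure `ec_len` is indeterminate and `output_offset += ec_len` advances by garbage before the PAKE outputs are written; check it the way the ALT branch checks its own lookup, `int ret = mbedtls_ecp_tls_write_group( &(pake_op->ctx.ecjpake.grp), &ec_len, out_p, end_p - out_p ); if( ret != 0 ) return( ret );`. Reaching into `pake_op->ctx.ecjpake.grp` also ties the TLS layer to the builtin PSA operation layout, and the closing comment `#endif //MBEDTLS_PSA_BUILTIN_ALG_JPAKE` does not name the `MBEDTLS_ECJPAKE_ALT` condition it closes. As in the client hunk, `end_p` subtracts `ssl->out_msglen` although `out_p` already starts at that offset.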
@@ -2822,6 +2973,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, } ssl->out_msglen += len; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -4039,6 +4191,46 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t len = end - p; + psa_status_t status; + size_t input_offset = 0; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = p[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto psa_pake_out; + } + + status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, + p + input_offset, length ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto psa_pake_out; + } + + input_offset += length; + } + +psa_pake_out: + if( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret ); + return( ret ); + } +#else ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); if( ret != 0 ) @@ -4055,6 +4247,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ From e2977b690187ff848b1a0f26db6c35f5620104c8 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 13 Sep 2022 14:30:57 +0200 Subject: [PATCH 101/413] Remove TLS 1.2 exception about EC J-PAKE and PSA Crypto Signed-off-by: Neil Armstrong --- docs/use-psa-crypto.md | 1 - 1 file changed, 1 deletion(-) 
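Review bot: The success path of the new `psa_pake_input` loop in `ssl_parse_client_key_exchange` falls through to `psa_pake_out:` and relies on `ret` already being 0; `ret` is declared and initialised outside the hunk, and if it still holds the `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` sentinel this file uses elsewhere, a valid message would be treated as an error. Set it explicitly with `ret = 0;` after the loop and before the label, or restructure so the success path does not pass through the error label. As in `ssl_parse_ecjpake_kkpp`, the length byte `p[input_offset]` is read before checking `input_offset < len`, and nothing enforces `input_offset == len` after the six elements.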
diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index b22d37f65f..11442ed66d 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -86,7 +86,6 @@ is enabled, no change required on the application side. Current exceptions: -- EC J-PAKE (when `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` is defined) - finite-field (non-EC) Diffie-Hellman (used in key exchanges: DHE-RSA, DHE-PSK) From 98061a75a1847f04275f98b732a8d64f42ab789f Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Tue, 8 Nov 2022 10:33:44 +0000 Subject: [PATCH 102/413] Add default return case to mbedtls_test_transparent_key_agreement() Signed-off-by: Aditya Deshpande --- include/psa/crypto_config.h | 4 ++-- tests/src/drivers/test_driver_key_agreement.c | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 13532a0459..5ab4fdef3a 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -62,7 +62,7 @@ #define PSA_WANT_ALG_CHACHA20_POLY1305 1 #define PSA_WANT_ALG_CTR 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 -#define PSA_WANT_ALG_ECB_NO_PADDING +#define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_JPAKE 1 @@ -86,7 +86,7 @@ #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 -#define PSA_WANT_ALG_STREAM_CIPHER +#define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c index 393a81a237..20d1d6b87f 100644 --- a/tests/src/drivers/test_driver_key_agreement.c +++ b/tests/src/drivers/test_driver_key_agreement.c 
@@ -82,6 +82,16 @@ psa_status_t mbedtls_test_transparent_key_agreement( alg, peer_key, peer_key_length, shared_secret, shared_secret_size, shared_secret_length ) ); +#else + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) peer_key; + (void) peer_key_length; + (void) shared_secret; + (void) shared_secret_size; + (void) shared_secret_length; + return( PSA_ERROR_NOT_SUPPORTED ); #endif } else From ea52ed91cf746915736625ad6205c5adc615e160 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 8 Nov 2022 21:01:17 +0800 Subject: [PATCH 103/413] fix typo and spell issues Signed-off-by: Jerry Yu --- library/ssl_misc.h | 14 +++++++------- library/ssl_tls.c | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 7c32969b2b..77b091d030 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -78,7 +78,7 @@ #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO ) /* - * Inernal identity of handshake extensions + * Internal identity of handshake extensions */ #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1 @@ -138,8 +138,8 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ); * with an "illegal_parameter" alert. */ -/* Extensions that not recognized by TLS 1.3 */ -#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED \ +/* Extensions that are not recognized by TLS 1.3 */ +#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \ ( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS ) | \ MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC ) | \ MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET ) | \ 
@@ -169,7 +169,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ); MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \ MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH ) | \ MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \ - MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED ) + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED ) /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ @@ -191,7 +191,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ); MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \ MBEDTLS_SSL_EXT_MASK( OID_FILTERS ) | \ MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \ - MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED ) + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED ) /* RFC 8446 section 4.2. Allowed extensions for Certificate */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ @@ -213,7 +213,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ); /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \ - MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED ) + MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED ) /* * Helper macros for function call with return check. @@ -1950,7 +1950,7 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ /* - * Helper functions for extensions checking and convert. + * Helper functions for extensions checking. */ MBEDTLS_CHECK_RETURN_CRITICAL diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 04d2ef440b..cf71d263a5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -618,7 +618,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ) #if defined(MBEDTLS_DEBUG_C) static const char *extension_name_table[] = { - [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unreognized", + [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized", [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name", [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length", [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request", @@ -648,7 +648,7 @@ static const char *extension_name_table[] = { [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket" }; -static unsigned int extension_type_tbl[]={ +static unsigned int extension_type_table[]={ [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff, [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME, [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, @@ -755,7 +755,7 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, i++ ) { mbedtls_ssl_print_extension_type( - ssl, level, file, line, hs_msg_type, extension_type_tbl[i], + ssl, level, file, line, hs_msg_type, extension_type_table[i], extensions_mask & ( 1 << i ) ? "was" : "was not", extra ); } } From c437ee3bac80e52b5d6d637f6816426fb12a7c2a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 8 Nov 2022 21:04:15 +0800 Subject: [PATCH 104/413] fix wrong return value Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 598ca91bfa..378ce8fc91 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -1447,8 +1447,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, 3, ( "pre_shared_key is not last extension." ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); From c018204019a6a935ae0bf3ab888cd7a6d7fc2039 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 8 Nov 2022 08:12:56 -0500 Subject: [PATCH 105/413] Improve error injection in EC J-PAKE tests Instead of corrupting the public key part of the message, corrupt the proof part. A proof is conceptually similar to a signature, and changing anything in it should make it invalid with a high probability. Also, instead of shifting data, perform a bitflip. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_psa_crypto.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 36a8efaae5..779f594dca 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -790,8 +790,8 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, if( inject_error == 1 ) { - buffer0[s_x1_pk_off + 8] >>= 4; - buffer0[s_x2_pk_off + 7] <<= 4; + buffer0[s_x1_pr_off + 8] ^= 1; + buffer0[s_x2_pr_off + 7] ^= 1; expected_status = PSA_ERROR_DATA_INVALID; } @@ -1013,8 +1013,8 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, if( inject_error == 2 ) { - buffer1[c_x1_pk_off + 12] >>= 4; - buffer1[c_x2_pk_off + 7] <<= 4; + buffer1[c_x1_pr_off + 12] ^= 1; + buffer1[c_x2_pr_off + 7] ^= 1; expected_status = PSA_ERROR_DATA_INVALID; } From b95dd3683b99d5a34876952f65d915656804c819 Mon Sep 17 00:00:00 2001 
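Review bot: The `inject_error == 1` block in `ecjpake_do_round` has no comment saying why the corruption moved from a nibble shift on the public key to a single-bit XOR on the proof; the rationale lives only in the commit message. A line such as `/* Flip one bit of each ZK proof: unlike a shift, this always changes the value, so verification must fail. */` above the block would keep it with the code, and the same applies to the `inject_error == 2` block in the second hunk.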
From: Jerry Yu Date: Tue, 8 Nov 2022 21:19:34 +0800 Subject: [PATCH 106/413] Add missing mask set and tls13 unrecognized extension Signed-off-by: Jerry Yu --- library/ssl_misc.h | 1 + library/ssl_tls.c | 5 +++++ library/ssl_tls13_server.c | 9 +++++++++ 3 files changed, 15 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 77b091d030..ad8754cac2 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -144,6 +144,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type ); MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC ) | \ MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET ) | \ MBEDTLS_SSL_EXT_MASK( SESSION_TICKET ) | \ + MBEDTLS_SSL_EXT_MASK( TRUNCATED_HMAC ) | \ MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) ) /* RFC 8446 section 4.2. Allowed extensions for ClienHello */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index cf71d263a5..4787ca0585 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -9155,6 +9155,11 @@ int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl, p[6] = MBEDTLS_BYTE_0( protocol_name_len ); memcpy( p + 7, ssl->alpn_chosen, protocol_name_len ); + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_ALPN ); +#endif + return ( 0 ); } #endif /* MBEDTLS_SSL_ALPN */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 378ce8fc91..051afa2705 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -700,6 +700,8 @@ static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u", ssl->handshake->selected_identity ) ); + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY ); + return( 0 ); } @@ -1812,6 +1814,9 @@ static int ssl_tls13_write_server_hello_supported_versions_ext( *out_len = 6; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( + ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ); + return( 0 ); } 
@@ -1918,6 +1923,8 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, *out_len = p - buf; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE ); + return( 0 ); } @@ -1982,6 +1989,8 @@ static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, *out_len = 6; + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE ); + return( 0 ); } From 79aa721adee6042afecae06c124d35a36337b18a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 8 Nov 2022 21:30:21 +0800 Subject: [PATCH 107/413] Rename ext print function and macro Signed-off-by: Jerry Yu --- library/ssl_debug_helpers.h | 19 +++++++++---------- library/ssl_tls.c | 14 ++++++-------- library/ssl_tls13_client.c | 6 +++--- library/ssl_tls13_generic.c | 8 ++++---- library/ssl_tls13_server.c | 2 +- 5 files changed, 23 insertions(+), 26 deletions(-) diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 8fce87a985..ad84619a0d 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -50,12 +50,10 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, int hs_msg_type, uint32_t extensions_mask, const char *extra ); -void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl, - int level, const char *file, int line, - int hs_msg_type, - unsigned int extension_type, - const char *extra_msg0, - const char *extra_msg1 ); +void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, unsigned int extension_type, + const char *extra_msg0, const char *extra_msg1 ); #define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type ) \ mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__, \ 
@@ -69,16 +67,17 @@ void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl, ssl->handshake->received_extensions, \ "received" ) -#define MBEDTLS_SSL_PRINT_EXT_TYPE( level, hs_msg_type, extension_type, extra ) \ - mbedtls_ssl_print_extension_type( ssl, level, __FILE__, __LINE__, \ - hs_msg_type, extension_type, extra, NULL ) +#define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra ) \ + mbedtls_ssl_print_extension( ssl, level, __FILE__, __LINE__, \ + hs_msg_type, extension_type, \ + extra, NULL ) #else #define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type ) #define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type ) -#define MBEDTLS_SSL_PRINT_EXT_TYPE( level, hs_msg_type, extension_type, extra ) +#define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra ) #endif /* MBEDTLS_DEBUG_C */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4787ca0585..efe24634fe 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -704,15 +704,13 @@ static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type ) case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: return( "CertificateRequest" ); } - return( NULL ); + return( "Unknown" ); } -void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl, - int level, const char *file, int line, - int hs_msg_type, - unsigned int extension_type, - const char *extra_msg0, - const char *extra_msg1 ) +void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl, + int level, const char *file, int line, + int hs_msg_type, unsigned int extension_type, + const char *extra_msg0, const char *extra_msg1 ) { const char *extra_msg; if( extra_msg0 && extra_msg1 ) 
@@ -754,7 +752,7 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, i < sizeof( extension_name_table ) / sizeof( extension_name_table[0] ); i++ ) { - mbedtls_ssl_print_extension_type( + mbedtls_ssl_print_extension( ssl, level, file, line, hs_msg_type, extension_type_table[i], extensions_mask & ( 1 << i ) ? "was" : "was not", extra ); } diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index fff0febed8..f4502d290f 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2025,7 +2025,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, break; #endif /* MBEDTLS_SSL_ALPN */ default: - MBEDTLS_SSL_PRINT_EXT_TYPE( + MBEDTLS_SSL_PRINT_EXT( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type, "( ignored )" ); break; @@ -2213,7 +2213,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, break; default: - MBEDTLS_SSL_PRINT_EXT_TYPE( + MBEDTLS_SSL_PRINT_EXT( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type, "( ignored )" ); break; @@ -2504,7 +2504,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, switch( extension_type ) { default: - MBEDTLS_SSL_PRINT_EXT_TYPE( + MBEDTLS_SSL_PRINT_EXT( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type, "( ignored )" ); break; diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index a9c8c973f8..39b86b984a 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -537,7 +537,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, switch( extension_type ) { default: - MBEDTLS_SSL_PRINT_EXT_TYPE( + MBEDTLS_SSL_PRINT_EXT( 3, MBEDTLS_SSL_HS_CERTIFICATE, extension_type, "( ignored )" ); break; 
@@ -1545,12 +1545,12 @@ int mbedtls_ssl_tls13_check_received_extension( uint32_t extension_mask = mbedtls_ssl_get_extension_mask( received_extension_type ); - MBEDTLS_SSL_PRINT_EXT_TYPE( + MBEDTLS_SSL_PRINT_EXT( 3, hs_msg_type, received_extension_type, "received" ); if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 ) { - MBEDTLS_SSL_PRINT_EXT_TYPE( + MBEDTLS_SSL_PRINT_EXT( 3, hs_msg_type, received_extension_type, "is illegal" ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, @@ -1577,7 +1577,7 @@ int mbedtls_ssl_tls13_check_received_extension( return( 0 ); } - MBEDTLS_SSL_PRINT_EXT_TYPE( + MBEDTLS_SSL_PRINT_EXT( 3, hs_msg_type, received_extension_type, "is unsupported" ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 051afa2705..28f242295b 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1614,7 +1614,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ default: - MBEDTLS_SSL_PRINT_EXT_TYPE( + MBEDTLS_SSL_PRINT_EXT( 3, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, "( ignored )" ); break; From 7de2ff0310f4c7e7493844533e10785a6207a2a8 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 8 Nov 2022 21:43:46 +0800 Subject: [PATCH 108/413] Refactor extension list print Signed-off-by: Jerry Yu --- library/ssl_client.c | 3 ++- library/ssl_debug_helpers.h | 16 +++------------- library/ssl_tls.c | 2 +- library/ssl_tls13_client.c | 12 ++++++++---- library/ssl_tls13_generic.c | 6 ++++-- library/ssl_tls13_server.c | 17 +++++++++++------ 6 files changed, 29 insertions(+), 27 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index ebf0fa701e..b226caffff 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c 
@@ -675,7 +675,8 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO ); + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->sent_extensions ); #endif *out_len = p - buf; diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index ad84619a0d..ccdda2a0d6 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -55,17 +55,9 @@ void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl, int hs_msg_type, unsigned int extension_type, const char *extra_msg0, const char *extra_msg1 ); -#define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type ) \ +#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extension_mask ) \ mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__, \ - hs_msg_type, \ - ssl->handshake->sent_extensions, \ - "sent" ) - -#define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type ) \ - mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__, \ - hs_msg_type, \ - ssl->handshake->received_extensions, \ - "received" ) + hs_msg_type, extension_mask, NULL ) #define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra ) \ mbedtls_ssl_print_extension( ssl, level, __FILE__, __LINE__, \ @@ -73,9 +65,7 @@ void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl, extra, NULL ) #else -#define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type ) - -#define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type ) +#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extension_mask ) #define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index efe24634fe..ea8464f0c8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -754,7 +754,7 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, { mbedtls_ssl_print_extension( ssl, level, file, line, hs_msg_type, extension_type_table[i], - extensions_mask & ( 1 << i ) ? "was" : "was not", extra ); + extensions_mask & ( 1 << i ) ? "exists" : "does not exists", extra ); } } diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index f4502d290f..364e886bca 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1742,7 +1742,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, hs_msg_type ); + MBEDTLS_SSL_PRINT_EXTS( + 3, hs_msg_type, ssl->handshake->received_extensions ); cleanup: @@ -2034,7 +2035,8 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS ); + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, + ssl->handshake->received_extensions ); /* Check that we consumed all the message. */ if( p != end ) @@ -2222,7 +2224,8 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, + ssl->handshake->received_extensions ); /* Check that we consumed all the message. */ if( p != end ) @@ -2513,7 +2516,8 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET ); + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, + ssl->handshake->received_extensions ); return( 0 ); } diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 39b86b984a..a39949c1cd 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
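Review bot: The new debug string in `mbedtls_ssl_print_extensions` reads `"does not exists"`, which is ungrammatical and will appear verbatim in debug logs that tests or users grep; use `extensions_mask & ( 1 << i ) ? "exists" : "does not exist"`. The `"was"`/`"was not"` wording it replaces was paired with the `extra` argument (`"sent"`/`"received"`), and `MBEDTLS_SSL_PRINT_EXTS` now passes `NULL` there, so the line presumably no longer says whether the mask is the sent or the received set; worth confirming the output is still unambiguous for the caller's message type.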
@@ -546,7 +546,8 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE ); + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE, + ssl->handshake->received_extensions ); } exit: @@ -885,7 +886,8 @@ static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl, *out_len = p - buf; - MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE ); + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions ); return( 0 ); } diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 28f242295b..597fbb7e63 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1623,7 +1623,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO ); + MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO, + ssl->handshake->received_extensions ); mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, @@ -2145,9 +2146,10 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len ); - MBEDTLS_SSL_PRINT_SENT_EXTS( + MBEDTLS_SSL_PRINT_EXTS( 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST : - MBEDTLS_SSL_HS_SERVER_HELLO ); + MBEDTLS_SSL_HS_SERVER_HELLO, + ssl->handshake->sent_extensions ); return( ret ); } @@ -2333,7 +2335,8 @@ static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len ); - MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS ); + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions ); return( 0 ); } 
@@ -2464,7 +2467,8 @@ static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl, *out_len = p - buf; - MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions ); return( 0 ); } @@ -2861,7 +2865,8 @@ static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); - MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET ); + MBEDTLS_SSL_PRINT_EXTS( + 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions ); return( 0 ); } From 616ba75c233b47dac91ac652621acb15b30a32c9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 8 Nov 2022 21:49:47 +0800 Subject: [PATCH 109/413] move test cases and mark `tls13-kex-modes.sh` as locked Signed-off-by: Jerry Yu --- tests/opt-testcases/tls13-kex-modes.sh | 215 +------------------------ tests/opt-testcases/tls13-misc.sh | 214 ++++++++++++++++++++++++ 2 files changed, 216 insertions(+), 213 deletions(-) diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index b1320c5b59..2681f61f17 100755 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh 
@@ -18,219 +18,8 @@ # limitations under the License. # -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - -run_test "TLS 1.3: PSK: No valid ciphersuite. G->m" \ - "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \ - "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-CIPHER-ALL:+AES-256-GCM:+AEAD:+SHA384:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3 \ - --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \ - localhost" \ - 1 \ - -s "found psk key exchange modes extension" \ - -s "found pre_shared_key extension" \ - -s "Found PSK_EPHEMERAL KEX MODE" \ - -s "Found PSK KEX MODE" \ - -s "No matched ciphersuite" - -requires_openssl_tls1_3 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - -run_test "TLS 1.3: PSK: No valid ciphersuite. 
O->m" \ - "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \ - "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -ciphersuites TLS_AES_256_GCM_SHA384\ - -psk_identity Client_identity -psk 6162636465666768696a6b6c6d6e6f70" \ - 1 \ - -s "found psk key exchange modes extension" \ - -s "found pre_shared_key extension" \ - -s "Found PSK_EPHEMERAL KEX MODE" \ - -s "Found PSK KEX MODE" \ - -s "No matched ciphersuite" - -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ - MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_test "TLS 1.3 m->m: Multiple PSKs: valid ticket, reconnect with ticket" \ - "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8" \ - "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ - 0 \ - -c "Pre-configured PSK number = 2" \ - -s "sent selected_identity: 0" \ - -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: psk$" \ - -S "key exchange mode: ephemeral$" \ - -S "ticket is not authentic" - -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ - MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_test "TLS 1.3 m->m: Multiple PSKs: invalid ticket, reconnect with PSK" \ - "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=1" \ - "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ - 0 \ - -c "Pre-configured PSK number = 2" \ - -s "sent selected_identity: 1" \ - -s "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: psk$" \ - -S "key exchange mode: ephemeral$" \ - -s "ticket is not authentic" - -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ - MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." 
\ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \ - "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ - 0 \ - -c "Pre-configured PSK number = 1" \ - -S "sent selected_identity:" \ - -s "key exchange mode: ephemeral" \ - -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: psk$" \ - -s "ticket is not authentic" \ - -S "ticket is expired" \ - -S "Invalid ticket start time" \ - -S "Ticket age exceeds limitation" \ - -S "Ticket age outside tolerance window" - -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ - MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." 
\ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \ - "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ - 0 \ - -c "Pre-configured PSK number = 1" \ - -S "sent selected_identity:" \ - -s "key exchange mode: ephemeral" \ - -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: psk$" \ - -S "ticket is not authentic" \ - -s "ticket is expired" \ - -S "Invalid ticket start time" \ - -S "Ticket age exceeds limitation" \ - -S "Ticket age outside tolerance window" - -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ - MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." 
\ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \ - "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ - 0 \ - -c "Pre-configured PSK number = 1" \ - -S "sent selected_identity:" \ - -s "key exchange mode: ephemeral" \ - -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: psk$" \ - -S "ticket is not authentic" \ - -S "ticket is expired" \ - -s "Invalid ticket start time" \ - -S "Ticket age exceeds limitation" \ - -S "Ticket age outside tolerance window" - -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ - MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. 
too old" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \ - "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ - 0 \ - -c "Pre-configured PSK number = 1" \ - -S "sent selected_identity:" \ - -s "key exchange mode: ephemeral" \ - -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: psk$" \ - -S "ticket is not authentic" \ - -S "ticket is expired" \ - -S "Invalid ticket start time" \ - -s "Ticket age exceeds limitation" \ - -S "Ticket age outside tolerance window" - -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ - MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." 
\ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \ - "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ - 0 \ - -c "Pre-configured PSK number = 1" \ - -S "sent selected_identity:" \ - -s "key exchange mode: ephemeral" \ - -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: psk$" \ - -S "ticket is not authentic" \ - -S "ticket is expired" \ - -S "Invalid ticket start time" \ - -S "Ticket age exceeds limitation" \ - -s "Ticket age outside tolerance window" - -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ - MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." 
\ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \ - "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ - 0 \ - -c "Pre-configured PSK number = 1" \ - -S "sent selected_identity:" \ - -s "key exchange mode: ephemeral" \ - -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: psk$" \ - -S "ticket is not authentic" \ - -S "ticket is expired" \ - -S "Invalid ticket start time" \ - -S "Ticket age exceeds limitation" \ - -s "Ticket age outside tolerance window" - -requires_gnutls_tls1_3 -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -run_test "TLS 1.3: G->m: ephemeral_all/psk, fail, no common kex mode" \ - "$P_SRV force_version=tls13 tls13_kex_modes=psk debug_level=5 $(get_srv_psk_list)" \ - "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+VERS-TLS1.3 \ - --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \ - localhost" \ - 1 \ - -s "found psk key exchange modes extension" \ - -s "found pre_shared_key extension" \ - -s "Found PSK_EPHEMERAL KEX MODE" \ - -S "Found PSK KEX MODE" \ - -S "key exchange mode: psk$" \ - -S "key exchange mode: psk_ephemeral" \ - -S "key exchange mode: ephemeral" +# DO NOT ADD NEW TEST CASES INTO THIS FILE. The left cases can be generated by +# scripts in future(#6280) requires_gnutls_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 661b3500b1..4ad6faa48f 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh 
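Review bot: The only new text in this hunk, the two-line lock comment, is hard to parse ("The left cases can be generated by scripts in future(#6280)") and is what every future contributor will read first, so it is worth tightening. I would write it as `# DO NOT ADD NEW TEST CASES TO THIS FILE. The remaining cases are expected to be` / `# generated by a script in the future (see #6280); add new TLS 1.3 tests to tls13-misc.sh instead.` Naming the destination file in the comment saves the reader a trip to the commit log, and spelling out that the cases are expected to be generated (rather than stating it as a fact) matches the commit message, which presents it as a plan.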
@@ -18,6 +18,220 @@ # limitations under the License. # +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + +run_test "TLS 1.3: PSK: No valid ciphersuite. G->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \ + "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-CIPHER-ALL:+AES-256-GCM:+AEAD:+SHA384:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3 \ + --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \ + localhost" \ + 1 \ + -s "found psk key exchange modes extension" \ + -s "found pre_shared_key extension" \ + -s "Found PSK_EPHEMERAL KEX MODE" \ + -s "Found PSK KEX MODE" \ + -s "No matched ciphersuite" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + +run_test "TLS 1.3: PSK: No valid ciphersuite. 
O->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \ + "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -ciphersuites TLS_AES_256_GCM_SHA384\ + -psk_identity Client_identity -psk 6162636465666768696a6b6c6d6e6f70" \ + 1 \ + -s "found psk key exchange modes extension" \ + -s "found pre_shared_key extension" \ + -s "Found PSK_EPHEMERAL KEX MODE" \ + -s "Found PSK KEX MODE" \ + -s "No matched ciphersuite" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Multiple PSKs: valid ticket, reconnect with ticket" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8" \ + "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 2" \ + -s "sent selected_identity: 0" \ + -s "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -S "key exchange mode: ephemeral$" \ + -S "ticket is not authentic" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Multiple PSKs: invalid ticket, reconnect with PSK" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=1" \ + "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 2" \ + -s "sent selected_identity: 1" \ + -s "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -S "key exchange mode: ephemeral$" \ + -s "ticket is not authentic" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -s "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Invalid ticket start time" \ + -S "Ticket age exceeds limitation" \ + -S "Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -S "ticket is not authentic" \ + -s "ticket is expired" \ + -S "Invalid ticket start time" \ + -S "Ticket age exceeds limitation" \ + -S "Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -s "Invalid ticket start time" \ + -S "Ticket age exceeds limitation" \ + -S "Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. 
too old" \ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Invalid ticket start time" \ + -s "Ticket age exceeds limitation" \ + -S "Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Invalid ticket start time" \ + -S "Ticket age exceeds limitation" \ + -s "Ticket age outside tolerance window" + +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \ + MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." 
\ + "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \ + "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ + 0 \ + -c "Pre-configured PSK number = 1" \ + -S "sent selected_identity:" \ + -s "key exchange mode: ephemeral" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: psk$" \ + -S "ticket is not authentic" \ + -S "ticket is expired" \ + -S "Invalid ticket start time" \ + -S "Ticket age exceeds limitation" \ + -s "Ticket age outside tolerance window" + +requires_gnutls_tls1_3 +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +run_test "TLS 1.3: G->m: ephemeral_all/psk, fail, no common kex mode" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk debug_level=5 $(get_srv_psk_list)" \ + "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+VERS-TLS1.3 \ + --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \ + localhost" \ + 1 \ + -s "found psk key exchange modes extension" \ + -s "found pre_shared_key extension" \ + -s "Found PSK_EPHEMERAL KEX MODE" \ + -S "Found PSK KEX MODE" \ + -S "key exchange mode: psk$" \ + -S "key exchange mode: psk_ephemeral" \ + -S "key exchange mode: ephemeral" + requires_gnutls_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ From ab45425623fa487e423070df499017e65a210c0a Mon Sep 17 00:00:00 2001 From: Moritz Fischer Date: Tue, 8 Nov 2022 14:55:32 -0800 Subject: [PATCH 110/413] include: mbedtls: Add missing private_access header This adds a missing private access header. Signed-off-by: Moritz Fischer --- include/mbedtls/lms.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/mbedtls/lms.h b/include/mbedtls/lms.h index 5e03d9b5f9..fe87d40a5a 100644 
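Review bot: The two "TLS 1.3 m->m: Multiple PSKs" cases carry the same `requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED` guard twice in a row, whereas the sibling "Session resumption failure" cases pair the PSK guard with an ECDHE guard, so the second copy looks like a copy-paste leftover rather than an intentional repeat. The code is moved verbatim, so this is inherited, but since this file is now the one that accepts new cases it is the right place to fix it: either drop the duplicate line or, if the intent was to gate on the TLS 1.3 psk_ephemeral mode that both tests force via `tls13_kex_modes=psk_ephemeral`, replace the duplicate with the corresponding TLS 1.3 key-exchange-mode config guard (I cannot confirm the exact macro name from this hunk). Relatedly, the case named "Session resumption failure, ticket expired. too old" asserts `-s "Ticket age exceeds limitation"` and `-S "ticket is expired"`, so a name such as "Session resumption failure, ticket age exceeds limitation." would describe what it checks.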
--- a/include/mbedtls/lms.h +++ b/include/mbedtls/lms.h @@ -30,6 +30,7 @@ #include #include +#include "mbedtls/private_access.h" #include "mbedtls/build_info.h" #define MBEDTLS_ERR_LMS_BAD_INPUT_DATA -0x0011 /**< Bad data has been input to an LMS function */ From 0b7e07904e6c325c6cb1a581e1cb3925e792296a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 10:45:15 +0100 Subject: [PATCH 111/413] Forbid empty mpi_core in test data This way static analyzers have a chance of knowing we don't expect the bignum functions to support empty inputs. As things are, Coverity keeps complaining about it. Signed-off-by: Gilles Peskine --- tests/src/helpers.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index b7c83646c1..cc23fd7c4d 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -357,8 +357,12 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs, size_t hex_len = strlen( input ); size_t byte_len = ( hex_len + 1 ) / 2; *plimbs = CHARS_TO_LIMBS( byte_len ); + + /* A core bignum is not allowed to be empty. Forbid it as test data, + * this way static analyzers have a chance of knowing we don't expect + * the bignum functions to support empty inputs. */ if( *plimbs == 0 ) - return( 0 ); + return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); *pX = mbedtls_calloc( *plimbs, sizeof( **pX ) ); if( *pX == NULL ) From 6856f4c70d2a0e3fb16e180ae45aa19db36772d7 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 9 Nov 2022 10:50:29 +0100 Subject: [PATCH 112/413] Fix typos and comments Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index de52d776b4..74b3184d0a 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py 
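Review bot: The early `return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );` leaves `*pX` untouched while `*plimbs` has already been set to 0, so a caller that runs a common cleanup path on any return would act on an uninitialized pointer unless it zeroed the output itself; I would add `*pX = NULL;` immediately before that return so the outputs are in a defined state on failure (I cannot see the callers from here, so this is defensive rather than a confirmed fault). The function's contract also changed from "empty input yields 0 limbs and success" to "empty input is an error", and the new comment explains the why for static analyzers but the function's doc comment, which lives outside this hunk, should state the new return, e.g. `\return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p input is empty: a core bignum must have at least one limb.` The body of mbedtls_test_read_mpi_core continues outside the hunk.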
@@ -63,7 +63,7 @@ def analyze_coverage(results, outcomes): def analyze_driver_vs_reference(outcomes, components, ignored_tests): """Check that all tests executed in the reference component are also executed in the corresponding driver component. - Skip test suits provided in ignored_tests list. + Skip test suites provided in ignored_tests list. """ driver_component = components[0] reference_component = components[1] @@ -72,9 +72,9 @@ def analyze_driver_vs_reference(outcomes, components, ignored_tests): for key in available: # Skip ignored test suites - test_suit = key.split(';')[0] # retrieve test suit name - test_suit = test_suit.split('.')[0] # retrieve main part of test suit name - if test_suit in ignored_tests: + test_suite = key.split(';')[0] # retrieve test suit name + test_suite = test_suite.split('.')[0] # retrieve main part of test suit name + if test_suite in ignored_tests: continue # Continue if test was not executed by any component hits = outcomes[key].hits() if key in outcomes else 0 @@ -88,8 +88,6 @@ def analyze_driver_vs_reference(outcomes, components, ignored_tests): driver_test_passed = True if reference_component in entry: reference_test_passed = True - #if(driver_test_passed is True and reference_test_passed is False): - # print('{}: driver: passed; reference: skipped'.format(key)) if(driver_test_passed is False and reference_test_passed is True): print('{}: driver: skipped/failed; reference: passed'.format(key)) result = False @@ -123,7 +121,7 @@ by a semicolon. return outcomes def do_analyze_coverage(outcome_file, args): - """Perform coverage analyze.""" + """Perform coverage analysis.""" del args # unused outcomes = read_outcome_file(outcome_file) results = analyze_outcomes(outcomes) 
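Review bot: The hunk at `@@ -72,9 +72,9 @@` renames `test_suit` to `test_suite` but the trailing comments on the same two lines still say "test suit", which is the typo this commit sets out to fix. I would make them `test_suite = key.split(';')[0]  # retrieve test suite name` and `test_suite = test_suite.split('.')[0]  # retrieve main part of test suite name` (two spaces before the `#` per PEP 8, which also silences pylint's bad-whitespace complaint). The remainder of analyze_driver_vs_reference is outside this hunk.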
@@ -141,7 +139,7 @@ def do_analyze_driver_vs_reference(outcome_file, args): outcomes = read_outcome_file(outcome_file) return analyze_driver_vs_reference(outcomes, components, ignored_tests) -# List of tasks with function that can handle this task and additional arguments if required +# List of tasks with a function that can handle this task and additional arguments if required # pylint: disable=line-too-long TASKS = { 'analyze_coverage': { @@ -161,7 +159,7 @@ def main(): parser.add_argument('outcomes', metavar='OUTCOMES.CSV', help='Outcome file to analyze') parser.add_argument('--task', default='all', - help='Analyze to be done: all or analyze_coverage or ' + help='Analysis to be done: all or analyze_coverage or ' 'analyze_driver_vs_reference_hash') options = parser.parse_args() From 95b5addcd63dfccd6ac7470983bbdefa36e9c255 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 11:18:38 +0100 Subject: [PATCH 113/413] Don't test mbedtls_mpi_core_lt_ct with 0 limbs A core MPI must have at least 1 limb. We can no longer test with 0 limbs, and we don't need to anyway, so don't try. Signed-off-by: Gilles Peskine --- library/constant_time_internal.h | 1 + tests/suites/test_suite_bignum_core.misc.data | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h index 9cc63c2308..1e4a3ab0be 100644 --- a/library/constant_time_internal.h +++ b/library/constant_time_internal.h @@ -138,6 +138,7 @@ unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, * \param B The right-hand MPI. This must point to an array of limbs * with the same allocated length as \p A. * \param limbs The number of limbs in \p A and \p B. + * This must not be 0. * * \return The result of the comparison: * \c 1 if \p A is less than \p B. diff --git a/tests/suites/test_suite_bignum_core.misc.data b/tests/suites/test_suite_bignum_core.misc.data index 30c767c742..62480e47f7 100644 
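Review bot: The new `This must not be 0.` line on `limbs` of mbedtls_ct_mpi_uint_lt's sibling mbedtls_mpi_core_lt_ct turns a previously tested input into a documented precondition, but nothing in this hunk says what happens when it is violated, and since this is a constant-time comparison used in security-sensitive paths a reader will want to know whether the result is undefined or merely meaningless. I would extend the sentence to `This must not be 0; the result is undefined for empty operands.` (or whatever the implementation, which is outside this hunk, actually guarantees), so that the removed 0-limb test case is not silently reintroduced by someone reading the return documentation alone.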
--- a/tests/suites/test_suite_bignum_core.misc.data +++ b/tests/suites/test_suite_bignum_core.misc.data @@ -167,9 +167,6 @@ mpi_core_lt_ct:"2B5":"2B4":0 mbedtls_mpi_core_lt_ct: xy (63 bit x, y first byte greater) mpi_core_lt_ct:"7FFFFFFFFFFFFFFF":"00000000000000FF":0 From 51f30ff6e687ccd669611a4d9190cc98d67886a9 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 9 Nov 2022 12:07:29 +0100 Subject: [PATCH 114/413] Make separate components for ref and driver in TASKS Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 74b3184d0a..031e16132d 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -60,13 +60,11 @@ def analyze_coverage(results, outcomes): # fixed this branch to have full coverage of test cases. results.warning('Test case not executed: {}', key) -def analyze_driver_vs_reference(outcomes, components, ignored_tests): +def analyze_driver_vs_reference(outcomes, component_ref,component_driver, ignored_tests): """Check that all tests executed in the reference component are also executed in the corresponding driver component. Skip test suites provided in ignored_tests list. """ - driver_component = components[0] - reference_component = components[1] available = check_test_cases.collect_available_test_cases() result = True @@ -84,9 +82,9 @@ def analyze_driver_vs_reference(outcomes, components, ignored_tests): driver_test_passed = False reference_test_passed = False for entry in outcomes[key].successes: - if driver_component in entry: + if component_driver in entry: driver_test_passed = True - if reference_component in entry: + if component_ref in entry: reference_test_passed = True if(driver_test_passed is False and reference_test_passed is True): print('{}: driver: skipped/failed; reference: passed'.format(key)) 
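Review bot: The new signature `def analyze_driver_vs_reference(outcomes, component_ref,component_driver, ignored_tests):` is missing the space after the comma (PEP 8, and pylint will flag it), so it should read `def analyze_driver_vs_reference(outcomes, component_ref, component_driver, ignored_tests):`. Since the two components are now separate positional parameters whose order is easy to swap at the call site, the docstring below it should also name them, e.g. add `component_ref and component_driver are the outcome-file component names of the reference and the driver build respectively.` after the existing summary. The function body continues beyond this hunk.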
@@ -129,18 +127,14 @@ def do_analyze_coverage(outcome_file, args): def do_analyze_driver_vs_reference(outcome_file, args): """Perform driver vs reference analyze.""" - components = args['components'].split(',') ignored_tests = args['ignored'].split(',') ignored_tests = ['test_suite_' + x for x in ignored_tests] - # We need exactly 2 components to analyze (first driver and second reference) - if(len(components) != 2 or "accel" not in components[0] or "reference" not in components[1]): - print('Error: Wrong component list. Exactly 2 components are required (driver,reference). ') - return False + outcomes = read_outcome_file(outcome_file) - return analyze_driver_vs_reference(outcomes, components, ignored_tests) + return analyze_driver_vs_reference(outcomes, args['component_ref'], + args['component_driver'], ignored_tests) # List of tasks with a function that can handle this task and additional arguments if required -# pylint: disable=line-too-long TASKS = { 'analyze_coverage': { 'test_function': do_analyze_coverage, @@ -148,10 +142,10 @@ TASKS = { 'analyze_driver_vs_reference_hash': { 'test_function': do_analyze_driver_vs_reference, 'args': { - 'components': 'test_psa_crypto_config_accel_hash_use_psa,test_psa_crypto_config_reference_hash_use_psa', + 'component_ref': 'test_psa_crypto_config_reference_hash_use_psa', + 'component_driver': 'test_psa_crypto_config_accel_hash_use_psa', 'ignored': 'md,mdx,shax,entropy,hmac_drbg,random,psa_crypto_init,hkdf'}} } -# pylint: enable=line-too-long def main(): try: From be279c7bcc6f5b33a704ff925960d81fdc72b3c1 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 9 Nov 2022 12:17:08 +0100 Subject: [PATCH 115/413] Make a list from ignored tests in TASKS Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 031e16132d..85ec97c164 100755 
--- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -127,8 +127,7 @@ def do_analyze_coverage(outcome_file, args): def do_analyze_driver_vs_reference(outcome_file, args): """Perform driver vs reference analyze.""" - ignored_tests = args['ignored'].split(',') - ignored_tests = ['test_suite_' + x for x in ignored_tests] + ignored_tests = ['test_suite_' + x for x in args['ignored_suites']] outcomes = read_outcome_file(outcome_file) return analyze_driver_vs_reference(outcomes, args['component_ref'], @@ -144,7 +143,13 @@ TASKS = { 'args': { 'component_ref': 'test_psa_crypto_config_reference_hash_use_psa', 'component_driver': 'test_psa_crypto_config_accel_hash_use_psa', - 'ignored': 'md,mdx,shax,entropy,hmac_drbg,random,psa_crypto_init,hkdf'}} + 'ignored_suites': ['shax','mdx', # the software implementations that are being excluded + 'md' # the legacy abstraction layer that's being excluded + 'entropy','hmac_drbg','random', # temporary limitation (see RNG EPIC) + 'psa_crypto_init', # doesn't work with external RNG + 'hkdf', # legacy still depends on MD, but there's a PSA interface that doesn't + 'pkcs7 ' # recent addition, will be addressed later + ]}} } def main(): From 91e35e3c32426387541f176f2d9320d3514b3564 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Wed, 9 Nov 2022 11:45:29 +0000 Subject: [PATCH 116/413] Enable mpi_mod_int test case to take full-range MPI integers Also add commented-out test cases that currently fail Signed-off-by: Tom Cosgrove --- tests/suites/test_suite_bignum.function | 37 +++++++++++++++++----- tests/suites/test_suite_bignum.misc.data | 40 +++++++++++++++++------- 2 files changed, 58 insertions(+), 19 deletions(-) diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 4cec0a7c71..40b23fe63d 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function 
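Review bot: `'pkcs7 '` in the new `ignored_suites` list carries a trailing space, so the derived name `test_suite_pkcs7 ` can never match a suite name; it should be `'pkcs7'`. The same list is also missing the comma after `'md'`, which makes Python concatenate the adjacent literals into `'mdentropy'` and silently leaves both the md and the entropy suites un-ignored; a later commit on this page adds the comma (`'md',`) but does not touch the trailing space. Both literals need correcting in this commit rather than relying on the follow-up.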
@@ -959,24 +959,47 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mpi_mod_int( char * input_X, int input_Y, - int input_A, int div_result ) +void mpi_mod_int( char * input_X, char * input_Y, + char * input_A, int mod_result ) { mbedtls_mpi X; + mbedtls_mpi Y; + mbedtls_mpi A; int res; mbedtls_mpi_uint r; - mbedtls_mpi_init( &X ); - TEST_ASSERT( mbedtls_test_read_mpi( &X, input_X ) == 0 ); - res = mbedtls_mpi_mod_int( &r, &X, input_Y ); - TEST_ASSERT( res == div_result ); + mbedtls_mpi_init( &X ); + mbedtls_mpi_init( &Y ); + mbedtls_mpi_init( &A ); + + /* We use MPIs to read Y and A since the test framework limits us to + * ints, so we can't have 64-bit values */ + TEST_EQUAL( mbedtls_test_read_mpi( &X, input_X ), 0 ); + TEST_EQUAL( mbedtls_test_read_mpi( &Y, input_Y ), 0 ); + TEST_EQUAL( mbedtls_test_read_mpi( &A, input_A ), 0 ); + + TEST_EQUAL( Y.n, 1 ); + TEST_EQUAL( A.n, 1 ); + + /* Convert the MPIs for Y and A to signed mbedtls_mpi_uints */ + mbedtls_mpi_uint y = Y.p[0]; + if( Y.s == -1 ) + y = -y; + mbedtls_mpi_uint a = A.p[0]; + if( A.s == -1 ) + a = -a; + + res = mbedtls_mpi_mod_int( &r, &X, y ); + TEST_EQUAL( res, mod_result ); if( res == 0 ) { - TEST_ASSERT( r == (mbedtls_mpi_uint) input_A ); + TEST_EQUAL( r, a ); } exit: mbedtls_mpi_free( &X ); + mbedtls_mpi_free( &Y ); + mbedtls_mpi_free( &A ); } /* END_CASE */ diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index 29ba4ab46d..70b4998e28 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data 
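Review bot: `res = mbedtls_mpi_mod_int( &r, &X, y );` passes an `mbedtls_mpi_uint` where mbedtls_mpi_mod_int takes a signed `mbedtls_mpi_sint`; for values above the signed maximum that implicit conversion is implementation-defined in C, so the intended two's-complement reinterpretation (which the preceding `y = -y;` also relies on) should be made explicit, `res = mbedtls_mpi_mod_int( &r, &X, (mbedtls_mpi_sint) y );`. The comment `/* Convert the MPIs for Y and A to signed mbedtls_mpi_uints */` is self-contradictory, since `mbedtls_mpi_uint` is unsigned; `/* Reinterpret Y and A as two's-complement mbedtls_mpi_sint values; they are read as MPIs because the test framework only passes C ints */` states what the code does. The `TEST_EQUAL( Y.n, 1 )` / `TEST_EQUAL( A.n, 1 )` guards correctly precede the `Y.p[0]` / `A.p[0]` reads.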
@@ -1205,40 +1205,56 @@ Test mbedtls_mpi_mod_mpi: 0 (null) % -1 mpi_mod_mpi:"":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE Base test mbedtls_mpi_mod_int #1 -mpi_mod_int:"3e8":13:12:0 +mpi_mod_int:"3e8":"d":"c":0 Base test mbedtls_mpi_mod_int #2 (Divide by zero) -mpi_mod_int:"3e8":0:0:MBEDTLS_ERR_MPI_DIVISION_BY_ZERO +mpi_mod_int:"3e8":"0":"0":MBEDTLS_ERR_MPI_DIVISION_BY_ZERO Base test mbedtls_mpi_mod_int #3 -mpi_mod_int:"-3e8":13:1:0 +mpi_mod_int:"-3e8":"d":"1":0 Base test mbedtls_mpi_mod_int #4 (Negative modulo) -mpi_mod_int:"3e8":-13:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE +mpi_mod_int:"3e8":"-d":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE Base test mbedtls_mpi_mod_int #5 (Negative modulo) -mpi_mod_int:"-3e8":-13:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE +mpi_mod_int:"-3e8":"-d":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE Base test mbedtls_mpi_mod_int #6 (By 1) -mpi_mod_int:"3e8":1:0:0 +mpi_mod_int:"3e8":"1":"0":0 Base test mbedtls_mpi_mod_int #7 (By 2) -mpi_mod_int:"3e9":2:1:0 +mpi_mod_int:"3e9":"2":"1":0 Base test mbedtls_mpi_mod_int #8 (By 2) -mpi_mod_int:"3e8":2:0:0 +mpi_mod_int:"3e8":"2":"0":0 Test mbedtls_mpi_mod_int: 0 (null) % 1 -mpi_mod_int:"":1:0:0 +mpi_mod_int:"":"1":"0":0 Test mbedtls_mpi_mod_int: 0 (null) % 2 -mpi_mod_int:"":2:0:0 +mpi_mod_int:"":"2":"0":0 Test mbedtls_mpi_mod_int: 0 (null) % -1 -mpi_mod_int:"":-1:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE +mpi_mod_int:"":"-1":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE Test mbedtls_mpi_mod_int: 0 (null) % -2 -mpi_mod_int:"":-2:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE +mpi_mod_int:"":"-2":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE + +# CURRENTLY FAILS +#Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810 +#depends_on:MBEDTLS_HAVE_INT64 +#mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0 + +Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810 
+mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0 + +# CURRENTLY FAILS WHEN MPIS ARE 32-BIT: WHEN FIXED, REMOVE "depends_on" LINE +Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 1205652040 -> 3644370 +depends_on:MBEDTLS_HAVE_INT64 +mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0 + +Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 1205652040 -> 3644370 +mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0 Base test mbedtls_mpi_exp_mod #1 mpi_exp_mod:"17":"d":"1d":"18":0 From 992de3c56284bf48758a33d189a511a73c7c727e Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 9 Nov 2022 13:54:49 +0100 Subject: [PATCH 117/413] Make TASK parameter positional and allow more than one task Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 36 +++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 85ec97c164..f78af68f3c 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -144,7 +144,7 @@ TASKS = { 'component_ref': 'test_psa_crypto_config_reference_hash_use_psa', 'component_driver': 'test_psa_crypto_config_accel_hash_use_psa', 'ignored_suites': ['shax','mdx', # the software implementations that are being excluded - 'md' # the legacy abstraction layer that's being excluded + 'md', # the legacy abstraction layer that's being excluded 'entropy','hmac_drbg','random', # temporary limitation (see RNG EPIC) 'psa_crypto_init', # doesn't work with external RNG 'hkdf', # legacy still depends on MD, but there's a PSA interface that doesn't 
@@ -157,24 +157,38 @@ def main(): parser = argparse.ArgumentParser(description=__doc__) parser.add_argument('outcomes', metavar='OUTCOMES.CSV', help='Outcome file to analyze') - parser.add_argument('--task', default='all', - help='Analysis to be done: all or analyze_coverage or ' - 'analyze_driver_vs_reference_hash') + parser.add_argument('task', default='all', + help='Analysis to be done. By default, run all tasks. ' + 'With one or more TASK, run only those. ' + 'TASK can be the name of a single task or ' + 'coma-separated list of tasks. ') + parser.add_argument('--list', action='store_true', + help='List all available tasks and exit.') options = parser.parse_args() + if options.list: + for task in TASKS: + print(task) + sys.exit(0) + result = True + tasks = [] if options.task == 'all': for task in TASKS: + tasks.append(task) + else: + tasks = options.task.split(',') + + for task in tasks: + if task not in TASKS: + print('Error: invalid task: {}'.format(task)) + sys.exit(1) + + for task in TASKS: + if task in tasks: if not TASKS[task]['test_function'](options.outcomes, TASKS[task]['args']): result = False - elif options.task in TASKS: - if not TASKS[options.task]['test_function'](options.outcomes, - TASKS[options.task]['args']): - result = False - else: - print('Error: Unknown task: {}'.format(options.task)) - result = False if result is False: sys.exit(1) From 93986645d8a6f6e157d04c892386ddc6fa5a7de5 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 9 Nov 2022 15:06:44 +0100 Subject: [PATCH 118/413] Remove reference vs drivers test from outcome-analysis.sh Signed-off-by: Przemek Stekiel --- .../psa-migration/outcome-analysis.sh | 71 ++++++------------- 1 file changed, 20 insertions(+), 51 deletions(-) diff --git a/docs/architecture/psa-migration/outcome-analysis.sh b/docs/architecture/psa-migration/outcome-analysis.sh index 81ab69183c..9084685482 100755 --- a/docs/architecture/psa-migration/outcome-analysis.sh 
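Review bot: `parser.add_argument('task', default='all', ...)` declares a required positional, so `default='all'` is never applied and `--list` cannot be used without also supplying a task; the help text's "By default, run all tasks" is therefore wrong as written. Adding `nargs='?'` makes the positional optional and restores both behaviours: `parser.add_argument('task', default='all', nargs='?',`. Minor: `coma-separated` should be `comma-separated`, and the `for task in TASKS: tasks.append(task)` loop is simply `tasks = list(TASKS)`.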
+++ b/docs/architecture/psa-migration/outcome-analysis.sh @@ -13,6 +13,7 @@ # - the set of tests skipped in the driver-only build is the same as in an # equivalent software-based configuration, or the difference is small enough, # justified, and a github issue is created to track it. +# This part is verified by tests/scripts/analyze_outcomes.py # # WARNING: this script checks out a commit other than the head of the current # branch; it checks out the current branch again when running successfully, @@ -26,30 +27,12 @@ # re-running this script (for example "get numbers before this PR"). # ----- BEGIN edit this ----- -# The component in all.sh that builds and tests with drivers. -DRIVER_COMPONENT=test_psa_crypto_config_accel_hash_use_psa -# A similar configuration to that of the component, except without drivers, -# for comparison. -reference_config () { - # start with full - scripts/config.py full - # use PSA config and disable driver-less algs as in the component - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - # disable options as in the component - # (no need to disable whole modules, we'll just skip their test suite) - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA -} # Space-separated list of test suites to ignore: # if SSS is in that list, test_suite_SSS and test_suite_SSS.* are ignored. IGNORE="md mdx shax" # accelerated IGNORE="$IGNORE entropy hmac_drbg random" # disabled (ext. RNG) IGNORE="$IGNORE psa_crypto_init" # needs internal RNG IGNORE="$IGNORE hkdf" # disabled in the all.sh component tested -# Compare only "reference vs driver" or also "before vs after"? -BEFORE_AFTER=1 # 0 or 1 # ----- END edit this ----- set -eu 
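Review bot: The comments `# accelerated` and `# disabled in the all.sh component tested` on the IGNORE lines still refer to the driver-only all.sh component that this commit stops running from the script, so they no longer explain why those suites are excluded from a before/after comparison of the same configuration. Either reword them to say what the exclusions mean for `compare_builds` now (e.g. `# suites whose coverage is compared by tests/scripts/analyze_outcomes.py instead`), or, if `populate_suites` (outside this hunk) no longer needs them, drop the entries. The comment added in the first hunk, `# This part is verified by tests/scripts/analyze_outcomes.py`, is the right pointer and could be referenced from here.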
@@ -65,38 +48,27 @@ record() { make check } -if [ "$BEFORE_AFTER" -eq 1 ]; then - # save current HEAD - HEAD=$(git branch --show-current) +# save current HEAD +HEAD=$(git branch --show-current) - # get the numbers before this PR for default and full - cleanup - git checkout $(git merge-base HEAD development) - record "before-default" - - cleanup - scripts/config.py full - record "before-full" - - # get the numbers now for default and full - cleanup - git checkout $HEAD - record "after-default" - - cleanup - scripts/config.py full - record "after-full" -fi - -# get the numbers now for driver-only and reference +# get the numbers before this PR for default and full cleanup -reference_config -record "reference" +git checkout $(git merge-base HEAD development) +record "before-default" cleanup -export MBEDTLS_TEST_OUTCOME_FILE="$PWD/outcome-drivers.csv" -export SKIP_SSL_OPT_COMPAT_SH=1 -tests/scripts/all.sh -k test_psa_crypto_config_accel_hash_use_psa +scripts/config.py full +record "before-full" + +# get the numbers now for default and full +cleanup +git checkout $HEAD +record "after-default" + +cleanup +scripts/config.py full +record "after-full" + # analysis @@ -156,8 +128,5 @@ compare_builds () { } populate_suites -if [ "$BEFORE_AFTER" -eq 1 ]; then - compare_builds before-default after-default - compare_builds before-full after-full -fi -compare_builds reference drivers +compare_builds before-default after-default +compare_builds before-full after-full From 97be6a913ecf7d4436ca7bf923958b5bb5191421 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 9 Nov 2022 22:43:31 +0800 Subject: [PATCH 119/413] fix various issues - typo error - replace `ssl->hanshake` with handshake 
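Review bot: `HEAD=$(git branch --show-current)` now runs unconditionally, and on a detached HEAD it yields an empty string; `set -u` does not catch that (the variable is set), so the later `git checkout $HEAD` becomes a bare `git checkout` and the script finishes on the merge-base commit instead of where it started. These lines are moved rather than new, but the `BEFORE_AFTER` guard that used to gate them is gone, so a check right after the assignment, `[ -n "$HEAD" ] || { echo "not on a branch, refusing to continue" >&2; exit 1; }`, would fail early instead. Quoting `"$HEAD"` at the checkout site is also cheap.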
Signed-off-by: Jerry Yu --- library/ssl_client.c | 2 +- library/ssl_debug_helpers.h | 4 ++-- library/ssl_tls.c | 2 +- library/ssl_tls13_client.c | 9 ++++----- library/ssl_tls13_generic.c | 2 +- library/ssl_tls13_server.c | 2 +- tests/opt-testcases/tls13-kex-modes.sh | 2 +- 7 files changed, 11 insertions(+), 12 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index b226caffff..0f0ea1dc52 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -676,7 +676,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) MBEDTLS_SSL_PRINT_EXTS( - 3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->sent_extensions ); + 3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->sent_extensions ); #endif *out_len = p - buf; diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index ccdda2a0d6..4412f8e213 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -55,9 +55,9 @@ void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl, int hs_msg_type, unsigned int extension_type, const char *extra_msg0, const char *extra_msg1 ); -#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extension_mask ) \ +#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extensions_mask ) \ mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__, \ - hs_msg_type, extension_mask, NULL ) + hs_msg_type, extensions_mask, NULL ) #define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra ) \ mbedtls_ssl_print_extension( ssl, level, __FILE__, __LINE__, \ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ea8464f0c8..20648a1667 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -754,7 +754,7 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl, { mbedtls_ssl_print_extension( ssl, level, file, line, hs_msg_type, extension_type_table[i], - extensions_mask & ( 1 << i ) ? "exists" : "does not exists", extra ); + extensions_mask & ( 1 << i ) ? "exists" : "does not exist", extra ); } } diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 364e886bca..9940a0e5ea 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1742,8 +1742,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, p += extension_data_len; } - MBEDTLS_SSL_PRINT_EXTS( - 3, hs_msg_type, ssl->handshake->received_extensions ); + MBEDTLS_SSL_PRINT_EXTS( 3, hs_msg_type, handshake->received_extensions ); cleanup: @@ -2036,7 +2035,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, - ssl->handshake->received_extensions ); + handshake->received_extensions ); /* Check that we consumed all the message. */ if( p != end ) @@ -2225,7 +2224,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, - ssl->handshake->received_extensions ); + handshake->received_extensions ); /* Check that we consumed all the message. */ if( p != end ) @@ -2517,7 +2516,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, - ssl->handshake->received_extensions ); + handshake->received_extensions ); return( 0 ); } diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index a39949c1cd..f854998893 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
@@ -547,7 +547,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE, - ssl->handshake->received_extensions ); + handshake->received_extensions ); } exit: diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 597fbb7e63..3cd03108f6 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1624,7 +1624,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO, - ssl->handshake->received_extensions ); + handshake->received_extensions ); mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 2681f61f17..974d513d8e 100755 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -18,7 +18,7 @@ # limitations under the License. # -# DO NOT ADD NEW TEST CASES INTO THIS FILE. The left cases can be generated by +# DO NOT ADD NEW TEST CASES INTO THIS FILE. The left cases will be generated by # scripts in future(#6280) requires_gnutls_tls1_3 From 89e82e1685e87add62385d100f7d9b428042cdbc Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 9 Nov 2022 10:36:10 -0600 Subject: [PATCH 120/413] pkcs7: Add dependecy on MBEDTLS_MD_C Signed-off-by: Nick Child --- include/mbedtls/check_config.h | 3 ++- include/mbedtls/mbedtls_config.h | 3 ++- tests/scripts/all.sh | 2 ++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index dcb6392f1c..e5f8b89753 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
@@ -992,7 +992,8 @@ #if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \ ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \ ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) ||\ - ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) ) + ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) \ + ( !defined(MBEDTLS_MD_C) ) ) #error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 45dd2748cf..84dcf47ff3 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2669,7 +2669,8 @@ * Module: library/pkcs7.c * * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, - * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, MBEDTLS_BIGNUM_C + * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, + * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C * * This module is required for the PKCS7 parsing modules. */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7139fde6b3..401afaf15b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1211,6 +1211,7 @@ component_test_crypto_full_no_md () { scripts/config.py unset MBEDTLS_HKDF_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py unset MBEDTLS_PKCS12_C # Indirect dependencies scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC @@ -1871,6 +1872,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () { scripts/config.py unset MBEDTLS_HKDF_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py unset MBEDTLS_PKCS12_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA From 360f8e442971fcb8f48820d6138ee4b8405befb9 Mon Sep 17 00:00:00 2001 
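Review bot: The new prerequisite line `( !defined(MBEDTLS_MD_C) ) )` is not joined to the preceding term with `||`, so the `#if` expression is malformed and any build with MBEDTLS_PKCS7_C enabled fails in the preprocessor; the previous line needs to end `( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) || \`. A later commit on this page makes exactly that fix, so the two should be squashed to keep the history bisectable. The mbedtls_config.h hunk is fine, and the all.sh hunks unset MBEDTLS_PKCS7_C alongside the other MD-dependent modules, which matches the new requirement.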
From: David Horstmann Date: Wed, 9 Nov 2022 17:27:33 +0000 Subject: [PATCH 121/413] Minor improvements to test code script Signed-off-by: David Horstmann --- tests/scripts/generate_test_code.py | 65 +++++++++++++++-------------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/tests/scripts/generate_test_code.py b/tests/scripts/generate_test_code.py index 6d65986c88..938f24cf4f 100755 --- a/tests/scripts/generate_test_code.py +++ b/tests/scripts/generate_test_code.py 
@@ -126,33 +126,39 @@ code that is generated or read from helpers and platform files. This script replaces following fields in the template and generates the test source file: -__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS <-- All common code from helpers.function - is substituted here. -__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE <-- Test functions are substituted here - from the input test_suit_xyz.function - file. C preprocessor checks are generated - for the build dependencies specified - in the input file. This script also - generates wrappers for the test - functions with code to expand the - string parameters read from the data - file. -__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE <-- This script enumerates the - expressions in the .data file and - generates code to handle enumerated - expression Ids and return the values. -__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE <-- This script enumerates all - build dependencies and generate - code to handle enumerated build - dependency Id and return status: if - the dependency is defined or not. -__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE <-- This script enumerates the functions - specified in the input test data file - and generates the initializer for the - function table in the template - file. -__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE <-- Platform specific setup and test - dispatch code. +__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS + All common code from helpers.function + is substituted here. +__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE + Test functions are substituted here + from the input test_suit_xyz.function + file. C preprocessor checks are generated + for the build dependencies specified + in the input file. This script also + generates wrappers for the test + functions with code to expand the + string parameters read from the data + file. +__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE + This script enumerates the + expressions in the .data file and + generates code to handle enumerated + expression Ids and return the values. 
+__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE + This script enumerates all + build dependencies and generate + code to handle enumerated build + dependency Id and return status: if + the dependency is defined or not. +__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE + This script enumerates the functions + specified in the input test data file + and generates the initializer for the + function table in the template + file. +__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE + Platform specific setup and test + dispatch code. """ @@ -985,10 +991,7 @@ def write_test_source_file(template_file, c_file, snippets): braced = "(?P(?!))" # If not already matched, a "__MBEDTLS_TEST_TEMPLATE__" prefix is invalid. invalid = "(?P__MBEDTLS_TEST_TEMPLATE__)" - placeholder_pattern = re.compile(escaped \ - + "|" + named \ - + "|" + braced \ - + "|" + invalid) + placeholder_pattern = re.compile("|".join([escaped, named, braced, invalid])) with open(template_file, 'r') as template_f, open(c_file, 'w') as c_f: for line_no, line in enumerate(template_f.readlines(), 1): From d21ecd71c0227c39178375c8204f63ff7b5987ec Mon Sep 17 00:00:00 2001 
From: ihsinme Date: Tue, 8 Nov 2022 14:30:45 +0300 Subject: [PATCH 122/413] dh_genprime: Fix issue where the error code returned by mbedtls_mpi_write_file() is incorrectly reported on failure In 'dh_genprime.c', the following condition can be found inside an 'if' statement: ret = mbedtls_mpi_write_file( "P = ", &P, 16, fout ) != 0 As the '!=' operator binds closer than the assignment operator ('='), the value assigned to 'ret' will be the boolean result of the comparison (0 or 1) instead of the status code returned by 'mbedtls_mpi_write_file'. This means that the above statement is actually equivalent to: ret = ( mbedtls_mpi_write_file( "P = ", &P, 16, fout ) != 0 ) What we want instead is for the the status code to be assigned to 'ret'. If the value assigned is non-zero, it will be 'truthy' and the 'if' branch will be taken. ( ret = mbedtls_mpi_write_file( "P = ", &P, 16, fout ) ) != 0 This PR fixes the issue by explicitly specifying the precedence of operations with parentheses. Signed-off-by: ihsinme --- programs/pkey/dh_genprime.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c index 2e696e574a..331838bb4c 100644 --- a/programs/pkey/dh_genprime.c +++ b/programs/pkey/dh_genprime.c @@ -157,8 +157,8 @@ int main( int argc, char **argv ) goto exit; } - if( ( ret = mbedtls_mpi_write_file( "P = ", &P, 16, fout ) != 0 ) || - ( ret = mbedtls_mpi_write_file( "G = ", &G, 16, fout ) != 0 ) ) + if( ( ( ret = mbedtls_mpi_write_file( "P = ", &P, 16, fout ) ) != 0 ) || + ( ( ret = mbedtls_mpi_write_file( "G = ", &G, 16, fout ) ) != 0 ) ) { mbedtls_printf( " failed\n ! mbedtls_mpi_write_file returned %d\n\n", ret ); fclose( fout ); From 50e5616553b9d3d6f39b2030a6eb6462f2d9921d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 10 Nov 2022 10:07:35 +0000 Subject: [PATCH 123/413] Fix typo in check_config.h 
Signed-off-by: Dave Rodgman --- include/mbedtls/check_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 701bdedc1e..e49cf12b73 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -1065,7 +1065,7 @@ #if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \ ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \ ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) ||\ - ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) \ + ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) || \ ( !defined(MBEDTLS_MD_C) ) ) #error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" #endif From e9c86a100a90196e2560bc1614c53e68b3d71d2a Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 9 Nov 2022 11:46:47 +0000 Subject: [PATCH 124/413] bignum_mod_raw.py: Added BignumModRawOperation This patch is adding a basic instantance of `BignumModRawOperation` and creates an `BignumModRawOperationArchSplit` class, copying over the implementation of `BignumCoreRawOperationArchSplit`. Signed-off-by: Minos Galanakis --- scripts/mbedtls_dev/bignum_mod_raw.py | 38 +++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 2e059b26e8..1127ced8d8 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py @@ -15,8 +15,11 @@ # limitations under the License. from abc import ABCMeta +from typing import Dict, Iterator, List +from . import test_case from . import test_data_generation +from . import bignum_common class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): #pylint: disable=abstract-method 
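Review bot: `from typing import Dict, Iterator, List` brings in `Dict` and `List`, but the code added by this commit uses only `Iterator`; unless a hunk outside this view uses them, pylint's unused-import check will flag both. Import just `Iterator` here and add the others when they are actually needed, `from typing import Iterator`.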
@@ -48,7 +51,42 @@ class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): # END MERGE SLOT 6 # BEGIN MERGE SLOT 7 +class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, metaclass=ABCMeta): + #pylint: disable=abstract-method + pass +class BignumModRawOperationArchSplit(BignumModRawOperation): + #pylint: disable=abstract-method + """Common features for bignum core operations where the result depends on + the limb size.""" + + def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None: + super().__init__(val_a, val_b) + bound_val = max(self.int_a, self.int_b) + self.bits_in_limb = bits_in_limb + self.bound = bignum_common.bound_mpi(bound_val, self.bits_in_limb) + limbs = bignum_common.limbs_mpi(bound_val, self.bits_in_limb) + byte_len = limbs * self.bits_in_limb // 8 + self.hex_digits = 2 * byte_len + if self.bits_in_limb == 32: + self.dependencies = ["MBEDTLS_HAVE_INT32"] + elif self.bits_in_limb == 64: + self.dependencies = ["MBEDTLS_HAVE_INT64"] + else: + raise ValueError("Invalid number of bits in limb!") + self.arg_a = self.arg_a.zfill(self.hex_digits) + self.arg_b = self.arg_b.zfill(self.hex_digits) + self.arg_a_int = bignum_common.hex_to_int(self.arg_a) + self.arg_b_int = bignum_common.hex_to_int(self.arg_b) + + def pad_to_limbs(self, val) -> str: + return "{:x}".format(val).zfill(self.hex_digits) + + @classmethod + def generate_function_tests(cls) -> Iterator[test_case.TestCase]: + for a_value, b_value in cls.get_value_pairs(): + yield cls(a_value, b_value, 32).create_test_case() + yield cls(a_value, b_value, 64).create_test_case() # END MERGE SLOT 7 # BEGIN MERGE SLOT 8 From a461ece8104d1e50b0d9e041c63fb0218ca265e0 Mon Sep 17 00:00:00 2001 
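Review bot: `BignumModRawOperationArchSplit.__init__` validates `bits_in_limb` only after it has already been used to compute `self.bound`, `limbs` and `self.hex_digits`, so an unsupported limb size reaches the `bound_mpi`/`limbs_mpi` helpers before the `ValueError` is raised; moving the `if/elif/else` that sets `self.dependencies` to the top of the constructor keeps the failure at the boundary and avoids leaving a partially initialised object. The docstring says "bignum core operations" although this is the mod_raw target, and `pad_to_limbs(self, val) -> str` lacks its parameter annotation, `def pad_to_limbs(self, val: int) -> str:`. `BignumModRawOperation` itself has no docstring; a one-liner describing it as the target for bignum mod_raw test case generation would do.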
From: Minos Galanakis Date: Wed, 9 Nov 2022 12:36:02 +0000 Subject: [PATCH 125/413] bignum_mod_raw.py: Refactoring `BignumModRawOperation` This patch modifies the BignumModRawOperation class to provide special access to key members commonly used in tests. It binds the module's getters to conversion functions which enable automatic conversions such as: * hex to int. * zero padding hex strings. * common Montgomery constants such as R, R^2 and R^-1 are now calculated upon access. class `BignumModRawOperationArchSplit` is also updated to utilise the new design. Signed-off-by: Minos Galanakis --- scripts/mbedtls_dev/bignum_mod_raw.py | 83 +++++++++++++++++++-------- 1 file changed, 59 insertions(+), 24 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 1127ced8d8..19942ed160 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
@@ -53,40 +53,75 @@ class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): # BEGIN MERGE SLOT 7 class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, metaclass=ABCMeta): #pylint: disable=abstract-method - pass + """Target for bignum mod_raw test case generation.""" + + def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: + super().__init__(val_a=val_a, val_b=val_b) + self.val_n = val_n + self.bits_in_limb = bits_in_limb + + @property + def int_n(self) -> int: + return bignum_common.hex_to_int(self.val_n) + + @property + def boundary(self) -> int: + data_in = [self.int_a, self.int_b, self.int_n] + return max([n for n in data_in if n is not None]) + + @property + def limbs(self) -> int: + return bignum_common.limbs_mpi(self.boundary, self.bits_in_limb) + + @property + def hex_digits(self) -> int: + return 2 * (self.limbs * self.bits_in_limb // 8) + + @property + def hex_n(self) -> str: + return "{:x}".format(self.int_n).zfill(self.hex_digits) + + @property + def hex_a(self) -> str: + return "{:x}".format(self.int_a).zfill(self.hex_digits) + + @property + def hex_b(self) -> str: + return "{:x}".format(self.int_b).zfill(self.hex_digits) + + @property + def r(self) -> int: # pylint: disable=invalid-name + l = bignum_common.limbs_mpi(self.int_n, self.bits_in_limb) + return bignum_common.bound_mpi_limbs(l, self.bits_in_limb) + + @property + def r_inv(self) -> int: + return bignum_common.invmod(self.r, self.int_n) + + @property + def r_sqrt(self) -> int: # pylint: disable=invalid-name + return pow(self.r, 2) class BignumModRawOperationArchSplit(BignumModRawOperation): #pylint: disable=abstract-method - """Common features for bignum core operations where the result depends on + """Common features for bignum mod raw operations where the result depends on the limb size.""" - def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None: - super().__init__(val_a, val_b) - bound_val 
= max(self.int_a, self.int_b) - self.bits_in_limb = bits_in_limb - self.bound = bignum_common.bound_mpi(bound_val, self.bits_in_limb) - limbs = bignum_common.limbs_mpi(bound_val, self.bits_in_limb) - byte_len = limbs * self.bits_in_limb // 8 - self.hex_digits = 2 * byte_len - if self.bits_in_limb == 32: - self.dependencies = ["MBEDTLS_HAVE_INT32"] - elif self.bits_in_limb == 64: - self.dependencies = ["MBEDTLS_HAVE_INT64"] - else: - raise ValueError("Invalid number of bits in limb!") - self.arg_a = self.arg_a.zfill(self.hex_digits) - self.arg_b = self.arg_b.zfill(self.hex_digits) - self.arg_a_int = bignum_common.hex_to_int(self.arg_a) - self.arg_b_int = bignum_common.hex_to_int(self.arg_b) + limb_sizes = [32, 64] # type: List[int] - def pad_to_limbs(self, val) -> str: - return "{:x}".format(val).zfill(self.hex_digits) + def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: + super().__init__(val_n=val_n, val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb) + + if bits_in_limb not in self.limb_sizes: + raise ValueError("Invalid number of bits in limb!") + + self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)] @classmethod def generate_function_tests(cls) -> Iterator[test_case.TestCase]: for a_value, b_value in cls.get_value_pairs(): - yield cls(a_value, b_value, 32).create_test_case() - yield cls(a_value, b_value, 64).create_test_case() + for bil in cls.limb_sizes: + yield cls(a_value, b_value, bits_in_limb=bil).create_test_case() # END MERGE SLOT 7 # BEGIN MERGE SLOT 8 From 5566eff65740025802810e55cdaad026d563c34c Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 7 Nov 2022 16:02:21 +0000 Subject: [PATCH 126/413] generate_bignum_tests: Enabled BignumModRaw automatic generation Signed-off-by: Minos Galanakis --- tests/scripts/generate_bignum_tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
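Review bot: Only `BignumModRawOperationArchSplit.__init__` rejects an unsupported `bits_in_limb`; the new `BignumModRawOperation.__init__` stores whatever it is given, so `hex_digits`, `r` and the zero-padded `hex_*` properties silently compute with, say, 12 bits per limb when the base class is instantiated directly. Moving the membership check into the base constructor, `if bits_in_limb not in (32, 64): raise ValueError("Invalid number of bits in limb!")`, closes that gap without changing the subclass. `r_inv` presumably relies on `bignum_common.invmod` rejecting a non-invertible input, which for Montgomery form means `val_n` must be odd; a docstring line on the class stating that moduli are expected to be odd would make the precondition visible to whoever adds test data. The `if n is not None` filter in `boundary` looks unreachable since all three values are ints here, but that depends on `OperationCommon`, which is outside the hunk.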
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index 4ac9210e71..a105203b04 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py @@ -66,7 +66,7 @@ from mbedtls_dev import bignum_common # Import modules containing additional test classes # Test function classes in these modules will be registered by # the framework -from mbedtls_dev import bignum_core # pylint: disable=unused-import +from mbedtls_dev import bignum_core, bignum_mod_raw # pylint: disable=unused-import class BignumTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): #pylint: disable=abstract-method From 855c228b29ccdb6723608e6089565be318fabd9a Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 10 Nov 2022 11:33:25 +0000 Subject: [PATCH 127/413] bignum_mod_raw.py: Moved Classes outside of slots This patch moves `BignumModRawOperation` and `BignumModRawOperationArchSplit` outside of the scaffolding merge slot. It also renames `r_sqrt` property to `r2`. Signed-off-by: Minos Galanakis --- scripts/mbedtls_dev/bignum_mod_raw.py | 53 ++++++++++++++------------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 19942ed160..1465e3ed75 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
@@ -26,31 +26,6 @@ class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): """Target for bignum mod_raw test case generation.""" target_basename = 'test_suite_bignum_mod_raw.generated' -# BEGIN MERGE SLOT 1 - -# END MERGE SLOT 1 - -# BEGIN MERGE SLOT 2 - -# END MERGE SLOT 2 - -# BEGIN MERGE SLOT 3 - -# END MERGE SLOT 3 - -# BEGIN MERGE SLOT 4 - -# END MERGE SLOT 4 - -# BEGIN MERGE SLOT 5 - -# END MERGE SLOT 5 - -# BEGIN MERGE SLOT 6 - -# END MERGE SLOT 6 - -# BEGIN MERGE SLOT 7 class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, metaclass=ABCMeta): #pylint: disable=abstract-method """Target for bignum mod_raw test case generation.""" @@ -99,7 +74,7 @@ class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, m return bignum_common.invmod(self.r, self.int_n) @property - def r_sqrt(self) -> int: # pylint: disable=invalid-name + def r2(self) -> int: # pylint: disable=invalid-name return pow(self.r, 2) class BignumModRawOperationArchSplit(BignumModRawOperation): @@ -122,6 +97,32 @@ class BignumModRawOperationArchSplit(BignumModRawOperation): for a_value, b_value in cls.get_value_pairs(): for bil in cls.limb_sizes: yield cls(a_value, b_value, bits_in_limb=bil).create_test_case() +# BEGIN MERGE SLOT 1 + +# END MERGE SLOT 1 + +# BEGIN MERGE SLOT 2 + +# END MERGE SLOT 2 + +# BEGIN MERGE SLOT 3 + +# END MERGE SLOT 3 + +# BEGIN MERGE SLOT 4 + +# END MERGE SLOT 4 + +# BEGIN MERGE SLOT 5 + +# END MERGE SLOT 5 + +# BEGIN MERGE SLOT 6 + +# END MERGE SLOT 6 + +# BEGIN MERGE SLOT 7 + # END MERGE SLOT 7 # BEGIN MERGE SLOT 8 From 9feb19f98dedd0aa516c38dd83e7f6bccd3fa052 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 10 Nov 2022 12:05:55 +0000 Subject: [PATCH 128/413] Use mbedtls_mpi_sint not mbedtls_mpi_uint in mpi_mod_int test Signed-off-by: Tom Cosgrove --- tests/suites/test_suite_bignum.function | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) 
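Review bot: The renamed `r2` property returns `pow(self.r, 2)` unreduced, whereas the Montgomery constant the C side keeps in `m->rep.mont.rr` is R^2 mod N; if this property is meant to mirror that constant, or to be compared against it, it should be `return pow(self.r, 2, self.int_n)`, otherwise a one-line docstring saying it is the unreduced square avoids the confusion the new name invites. The rename is otherwise fine; the rest of `BignumModRawOperation`, including `r` and `r_inv`, is outside this hunk.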
diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 40b23fe63d..5c3d776f09 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -981,11 +981,21 @@ void mpi_mod_int( char * input_X, char * input_Y, TEST_EQUAL( Y.n, 1 ); TEST_EQUAL( A.n, 1 ); - /* Convert the MPIs for Y and A to signed mbedtls_mpi_uints */ - mbedtls_mpi_uint y = Y.p[0]; + /* Convert the MPIs for Y and A to (signed) mbedtls_mpi_sints */ + + /* Since we're converting sign+magnitude to two's complement, we lose one + * bit of value in the output. This means there are some values we can't + * represent, e.g. (hex) -A0000000 on 32-bit systems. These are technically + * invalid test cases, so could be considered "won't happen", but they are + * easy to test for, and this helps guard against human error. */ + + mbedtls_mpi_sint y = (mbedtls_mpi_sint) Y.p[0]; + TEST_ASSERT( y >= 0 ); /* If y < 0 here, we can't make negative y */ if( Y.s == -1 ) y = -y; - mbedtls_mpi_uint a = A.p[0]; + + mbedtls_mpi_sint a = (mbedtls_mpi_sint) A.p[0]; + TEST_ASSERT( a >= 0 ); /* Same goes for a */ if( A.s == -1 ) a = -a; From 163d8952b391f00665c3badd7357e6cb1bcfb172 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 10 Nov 2022 12:17:36 +0000 Subject: [PATCH 129/413] Add additional (would fail) test cases for mpi_mod_int with 0 remainder Signed-off-by: Tom Cosgrove --- tests/suites/test_suite_bignum.misc.data | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index 70b4998e28..0b8aa334ac 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data 
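Review bot: `mbedtls_mpi_sint y = (mbedtls_mpi_sint) Y.p[0];` performs the unsigned-to-signed conversion before `TEST_ASSERT( y >= 0 )` inspects the result, and for an out-of-range value that conversion is implementation-defined in C rather than guaranteed to yield a negative number, so the guard is not portable in the order written. Testing the magnitude before casting, `TEST_ASSERT( ( Y.p[0] >> ( biL - 1 ) ) == 0 );` and likewise for `A.p[0]`, checks the same condition without relying on the implementation. The negation `y = -y` is then safe because the asserted range excludes the most negative value. The `mpi_mod_int` function starts outside the hunk.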
@@ -1240,7 +1240,7 @@ mpi_mod_int:"":"-1":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE Test mbedtls_mpi_mod_int: 0 (null) % -2 mpi_mod_int:"":"-2":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE -# CURRENTLY FAILS +# CURRENTLY FAILS - SEE GITHUB ISSUE #6540 #Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810 #depends_on:MBEDTLS_HAVE_INT64 #mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0 @@ -1248,7 +1248,15 @@ mpi_mod_int:"":"-2":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810 mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0 -# CURRENTLY FAILS WHEN MPIS ARE 32-BIT: WHEN FIXED, REMOVE "depends_on" LINE +# CURRENTLY FAILS - SEE GITHUB ISSUE #6540 +#Test mbedtls_mpi_mod_int: 230772460340062999996714233870911201200 % 5178236083361335880 -> 0 +#depends_on:MBEDTLS_HAVE_INT64 +#mpi_mod_int:"AD9D28BF6C4E98FDC2584FEF03A6DFB0":"47DCCA4847DCCA48":"0":0 + +Test mbedtls_mpi_mod_mpi: 230772460340062999996714233870911201200 % 5178236083361335880 -> 0 +mpi_mod_mpi:"AD9D28BF6C4E98FDC2584FEF03A6DFB0":"47DCCA4847DCCA48":"0":0 + +# CURRENTLY FAILS WHEN MPIS ARE 32-BIT (ISSUE #6450): WHEN FIXED, REMOVE "depends_on" LINE Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 1205652040 -> 3644370 depends_on:MBEDTLS_HAVE_INT64 mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0 
@@ -1256,6 +1264,14 @@ mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0 Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 1205652040 -> 3644370 mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0 +# CURRENTLY FAILS WHEN MPIS ARE 32-BIT (ISSUE #6450): WHEN FIXED, REMOVE "depends_on" LINE +Test mbedtls_mpi_mod_int: 230772460340063000000100500000296355640 % 1205652040 -> 0 +depends_on:MBEDTLS_HAVE_INT64 +mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980974738":"47DCCA48":"0":0 + +Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000296355640 % 1205652040 -> 0 +mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980974738":"47DCCA48":"0":0 + Base test mbedtls_mpi_exp_mod #1 mpi_exp_mod:"17":"d":"1d":"18":0 From bd2bfa92bd679983c0fff75fe5b39811ab393ca4 Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Thu, 10 Nov 2022 14:07:20 +0000 Subject: [PATCH 130/413] Add Changelog entry Signed-off-by: Aditya Deshpande --- ChangeLog.d/fix_dh_genprime_error_reporting.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/fix_dh_genprime_error_reporting.txt diff --git a/ChangeLog.d/fix_dh_genprime_error_reporting.txt b/ChangeLog.d/fix_dh_genprime_error_reporting.txt new file mode 100644 index 0000000000..1c98947f3b --- /dev/null +++ b/ChangeLog.d/fix_dh_genprime_error_reporting.txt @@ -0,0 +1,4 @@ +Bugfix + * Fix bug in error reporting in dh_genprime.c where upon failure, + the error code returned by mbedtls_mpi_write_file() is overwritten + and therefore not printed. From ebd0caffdf66d57bf64625bb2ec41e031a66aca5 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 10 Nov 2022 15:33:54 +0000 Subject: [PATCH 131/413] Fix test memory allocation Fix error in memory allocation in test code, which was triggering an error in test_memory_buffer_allocator. Signed-off-by: Dave Rodgman --- tests/suites/test_suite_pkcs7.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 14a0882532..e3961407d5 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -75,7 +75,7 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_has TEST_ASSERT( file != NULL ); datalen = st.st_size; - data = mbedtls_calloc( datalen, 1 ); + ASSERT_ALLOC( data, datalen ); TEST_ASSERT( data != NULL ); buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file ); @@ -154,7 +154,7 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch TEST_ASSERT( file != NULL ); datalen = st.st_size; - data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) ); + ASSERT_ALLOC( data, datalen ); buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); TEST_ASSERT( buflen == datalen ); From 71565cff3aeaa7f0acb0a019fd646dc0bd67d8d0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 11 Nov 2022 10:37:38 +0000 Subject: [PATCH 132/413] Disable PKCS7 for some TLS 1.3 tests Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 716495e28c..d3ad4d92d2 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3242,6 +3242,7 @@ component_test_tls13_only_psk () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" 
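Review bot: The first hunk keeps `TEST_ASSERT( data != NULL );` directly after `ASSERT_ALLOC( data, datalen );`, which is redundant if `ASSERT_ALLOC` behaves like the other mbedtls test helpers and already fails the test on allocation failure, while the second hunk drops that line, so the two call sites end up inconsistent. A zero-length `datalen` (an empty input file) deserves an explicit `TEST_ASSERT( datalen > 0 );` before the allocation, since a zero-byte allocation presumably leaves `data` NULL and it is then handed to `fread`. Both `pkcs7_verify` and `pkcs7_verify_multiple_signers` start outside the hunks.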
@@ -3273,6 +3274,7 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" @@ -3290,6 +3292,7 @@ component_test_tls13_only_psk_all () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" From 5ad4a93596ef3b7ec4d70ade7a30a18149f09efc Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 9 Aug 2022 14:45:53 +0100 Subject: [PATCH 133/413] bignum_mod_raw: Added conversion methods for internal/public data representation Signed-off-by: Minos Galanakis --- library/bignum_mod_raw.c | 21 +++++++++++++++++++++ library/bignum_mod_raw.h | 18 ++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index a329e86dfb..97f7731c4c 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c 
@@ -127,7 +127,28 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* END MERGE SLOT 6 */ /* BEGIN MERGE SLOT 7 */ +int mbedtls_mpi_mod_raw_conv_inv( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *modulus ) +{ + mbedtls_mpi_uint one = 1; + mbedtls_mpi T; + mbedtls_mpi_init( &T ); + mbedtls_mpi_core_montmul( X, X, &one, 1, m->p, m->limbs, + m->rep.mont.mm, T.p ); + mbedtls_mpi_free( &T ); + return( 0 ); +} +int mbedtls_mpi_mod_raw_conv_fwd( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *modulus ) +{ + mbedtls_mpi T; + mbedtls_mpi_init( &T ); + mbedtls_mpi_core_montmul( X, X, m->rep.mont.rr, 1, m->p, m->limbs, + m->rep.mont.mm, T.p ); + mbedtls_mpi_free( &T ); + return( 0 ); +} /* END MERGE SLOT 7 */ /* BEGIN MERGE SLOT 8 */ diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index 30648d3cc4..38415f415f 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h @@ -163,7 +163,25 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* END MERGE SLOT 6 */ /* BEGIN MERGE SLOT 7 */ +/** Convert from internal to public (little endian) data presentation + * + * \param X The address of the MPI. + * \param m The address of a modulus. + * + * \return \c 0 if successful. + */ +int mbedtls_mpi_mod_raw_conv_inv( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *modulus ); +/** Convert from public (little endian) to internal data presentation. + * + * \param X The address of the MPI. + * \param m The address of a modulus. + * + * \return \c 0 if successful. + */ +int mbedtls_mpi_mod_raw_conv_fwd( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *modulus ); /* END MERGE SLOT 7 */ /* BEGIN MERGE SLOT 8 */ From d9299c388e9bb60166c72e943c704a3d079256bd Mon Sep 17 00:00:00 2001 
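Review bot: Both new functions name their second parameter `modulus` but the bodies dereference `m->p`, `m->limbs` and `m->rep.mont.mm`, so this hunk does not compile as written; renaming the parameter to `m`, which also matches the `\param m` text in the header hunk of the same commit, fixes it. `mbedtls_mpi_init( &T )` leaves `T.p` as NULL, yet `T.p` is passed to `mbedtls_mpi_core_montmul` as its temporary buffer, and `mbedtls_mpi_mod_raw_conv_fwd` passes a limb count of 1 for `m->rep.mont.rr`, which has `m->limbs` limbs. The later commit in this series ("bignum_mod_raw: Refactored Montgomery conversion functions") reworks both bodies with an explicitly sized temporary of `m->limbs * 2 + 1` limbs. The header comments also say "data presentation" where "data representation" is meant.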
From: Minos Galanakis Date: Tue, 1 Nov 2022 16:19:07 +0000 Subject: [PATCH 134/413] bignum_mod_raw: Refactored Montgomery conversion functions This patch updates the `mbedtls_mpi_mod_raw_conv_xx()` methods as follows: * Renamed for simplicity: conv_fwd -> from_mont_rep, conv_inv -> to_mont_rep. * Uncoupled the dependency on the legaly bignum interface. * `mbedtls_mpi` is no longer used for temporary buffer allocation. Signed-off-by: Minos Galanakis --- library/bignum_mod_raw.c | 42 ++++++++++++++++++++++++++-------------- library/bignum_mod_raw.h | 20 +++++++++++-------- 2 files changed, 39 insertions(+), 23 deletions(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 97f7731c4c..b43add77d3 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c 
@@ -127,26 +127,38 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* END MERGE SLOT 6 */ /* BEGIN MERGE SLOT 7 */ -int mbedtls_mpi_mod_raw_conv_inv( mbedtls_mpi_uint *X, - const mbedtls_mpi_mod_modulus *modulus ) +int mbedtls_mpi_mod_raw_to_mont_rep( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m ) { - mbedtls_mpi_uint one = 1; - mbedtls_mpi T; - mbedtls_mpi_init( &T ); - mbedtls_mpi_core_montmul( X, X, &one, 1, m->p, m->limbs, - m->rep.mont.mm, T.p ); - mbedtls_mpi_free( &T ); + mbedtls_mpi_uint *T; + const size_t t_limbs = m->limbs * 2 + 1; + + if( ( T = (mbedtls_mpi_uint *) mbedtls_calloc( t_limbs, ciL ) ) == NULL ) + return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); + + mbedtls_mpi_core_montmul( X, X, m->rep.mont.rr, m->limbs, m->p, m->limbs, + m->rep.mont.mm, T ); + + mbedtls_platform_zeroize( T, t_limbs * ciL ); + mbedtls_free( T ); return( 0 ); } -int mbedtls_mpi_mod_raw_conv_fwd( mbedtls_mpi_uint *X, - const mbedtls_mpi_mod_modulus *modulus ) +int mbedtls_mpi_mod_raw_from_mont_rep( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m ) { - mbedtls_mpi T; - mbedtls_mpi_init( &T ); - mbedtls_mpi_core_montmul( X, X, m->rep.mont.rr, 1, m->p, m->limbs, - m->rep.mont.mm, T.p ); - mbedtls_mpi_free( &T ); + const mbedtls_mpi_uint one = 1; + const size_t t_limbs = m->limbs * 2 + 1; + mbedtls_mpi_uint *T; + + if( ( T = (mbedtls_mpi_uint *) mbedtls_calloc( t_limbs, ciL ) ) == NULL ) + return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); + + mbedtls_mpi_core_montmul( X, X, &one, 1, m->p, m->limbs, + m->rep.mont.mm, T ); + + mbedtls_platform_zeroize( T, t_limbs * ciL ); + mbedtls_free( T ); return( 0 ); } /* END MERGE SLOT 7 */ diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index 38415f415f..f738e917e1 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h 
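Review bot: Neither function checks that `m` is a Montgomery modulus before reading `m->rep.mont.rr` and `m->rep.mont.mm`; if `rep` is a union selected by the modulus's representation field, as the `rep.mont` path suggests, a caller passing a differently set up modulus gets garbage constants and a silently wrong result rather than an error. A guard at the top of each body, `if( m->int_rep != MBEDTLS_MPI_MOD_REP_MONTGOMERY ) return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );`, turns that into a reported failure (assuming `int_rep` is the selector's field name in `mbedtls_mpi_mod_modulus`). Zeroizing `T` before `mbedtls_free` is the right call for a scratch buffer that holds intermediates of a possibly secret-dependent multiplication.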
@@ -163,25 +163,29 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* END MERGE SLOT 6 */ /* BEGIN MERGE SLOT 7 */ -/** Convert from internal to public (little endian) data presentation +/** Convert an MPI into Montgomery form. * * \param X The address of the MPI. - * \param m The address of a modulus. + * Must have the same number of limbs as \p m. + * \param m The address of the modulus, which gives the size of + * the base `R` = 2^(biL*m->limbs). * * \return \c 0 if successful. */ -int mbedtls_mpi_mod_raw_conv_inv( mbedtls_mpi_uint *X, - const mbedtls_mpi_mod_modulus *modulus ); +int mbedtls_mpi_mod_raw_to_mont_rep( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m ); -/** Convert from public (little endian) to internal data presentation. +/** Convert an MPI back from Montgomery representation. * * \param X The address of the MPI. - * \param m The address of a modulus. + * Must have the same number of limbs as \p m. + * \param m The address of the modulus, which gives the size of + * the base `R`= 2^(biL*m->limbs). * * \return \c 0 if successful. */ -int mbedtls_mpi_mod_raw_conv_fwd( mbedtls_mpi_uint *X, - const mbedtls_mpi_mod_modulus *modulus ); +int mbedtls_mpi_mod_raw_from_mont_rep( mbedtls_mpi_uint *X, + const mbedtls_mpi_mod_modulus *m ); /* END MERGE SLOT 7 */ /* BEGIN MERGE SLOT 8 */ From 631b491cbf7de025d4a0c670789ab8b5e42f4e8d Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 7 Nov 2022 15:53:23 +0000 Subject: [PATCH 135/413] bignum_tests: Added test for `mbedtls_mpi_mod_raw_to_mont_rep()` Signed-off-by: Minos Galanakis --- .../suites/test_suite_bignum_mod_raw.function | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 4b906751f2..026b49d13c 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
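Review bot: The `\return` documentation for both prototypes still reads only `\c 0 if successful`, but the implementations in this same commit return `MBEDTLS_ERR_MPI_ALLOC_FAILED` when the temporary buffer cannot be allocated; add ` * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.` under each. The `\param X` text states that `X` must have the same number of limbs as `m` but not whether `X` is expected to be already reduced modulo `m`; stating the accepted range (or that none is assumed) would help callers of this raw API.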
@@ -294,7 +294,43 @@ exit: /* END MERGE SLOT 6 */ /* BEGIN MERGE SLOT 7 */ +/* BEGIN_CASE */ +void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X ) +{ + mbedtls_mpi N, A, X; + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_init( &N ); + mbedtls_mpi_init( &A ); + mbedtls_mpi_init( &X ); + + /* Read inputs */ + TEST_EQUAL( 0, mbedtls_test_read_mpi( &N, input_N ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi( &A, input_A ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi( &X, input_X ) ); + + /* All of the inputs are +ve (or zero) */ + TEST_EQUAL( 1, X.s ); + TEST_EQUAL( 1, A.s ); + + mbedtls_mpi_mod_modulus_init( &m ); + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N.p, N.n, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + + TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep( A.p ,&m ) ); + + /* Calculated matches expected value */ + TEST_ASSERT( mbedtls_mpi_cmp_mpi( &A, &X ) == 0 ); + + /* Output is +ve (or zero) */ + TEST_EQUAL( 1, A.s ); + +exit: + mbedtls_mpi_mod_modulus_free( &m ); + mbedtls_mpi_free( &N ); + mbedtls_mpi_free( &A ); + mbedtls_mpi_free( &X ); +} +/* END_CASE */ /* END MERGE SLOT 7 */ /* BEGIN MERGE SLOT 8 */ From df070d660d6eaee91ba0811894ea1d0ccdad8c48 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 8 Nov 2022 16:19:04 +0000 Subject: [PATCH 136/413] bignum_tests: Added test for `mbedtls_mpi_mod_raw_from_mont_rep()` Signed-off-by: Minos Galanakis --- .../suites/test_suite_bignum_mod_raw.function | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 026b49d13c..8536e310ef 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
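Review bot: `mbedtls_mpi_mod_raw_to_mont_rep( A.p ,&m )` is called with `A` sized by `mbedtls_test_read_mpi` from `input_A`, but the function processes `m->limbs` limbs of its first argument, so an `input_A` shorter than `input_N` makes the test read and write past `A.p`; the test should establish the documented precondition first, e.g. `TEST_EQUAL( 0, mbedtls_mpi_grow( &A, N.n ) );` after the inputs are read, or at least `TEST_EQUAL( A.n, N.n );`. The same gap exists in the `mpi_mod_raw_from_mont_rep` test added by the next commit in this series. The sign assertions `TEST_EQUAL( 1, X.s )` and `TEST_EQUAL( 1, A.s )` are fine as data-hygiene checks but do not stand in for the size check.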
@@ -324,6 +324,44 @@ void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X ) /* Output is +ve (or zero) */ TEST_EQUAL( 1, A.s ); +exit: + mbedtls_mpi_mod_modulus_free( &m ); + mbedtls_mpi_free( &N ); + mbedtls_mpi_free( &A ); + mbedtls_mpi_free( &X ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void mpi_mod_raw_from_mont_rep( char * input_N, char * input_A, char * input_X ) +{ + mbedtls_mpi N, A, X; + mbedtls_mpi_mod_modulus m; + + mbedtls_mpi_init( &N ); + mbedtls_mpi_init( &A ); + mbedtls_mpi_init( &X ); + + /* Read inputs */ + TEST_EQUAL( 0, mbedtls_test_read_mpi( &N, input_N ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi( &A, input_A ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi( &X, input_X ) ); + + /* All of the inputs are +ve (or zero) */ + TEST_EQUAL( 1, X.s ); + TEST_EQUAL( 1, A.s ); + + mbedtls_mpi_mod_modulus_init( &m ); + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N.p, N.n, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + + TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep( A.p ,&m ) ); + + /* Calculated matches expected value */ + TEST_ASSERT( mbedtls_mpi_cmp_mpi( &A, &X ) == 0 ); + + /* Output is +ve (or zero) */ + TEST_EQUAL( 1, A.s ); + exit: mbedtls_mpi_mod_modulus_free( &m ); mbedtls_mpi_free( &N ); From 47691fb75619044716a3a5f9c356bbf595d5fd70 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 10 Nov 2022 09:02:51 +0000 Subject: [PATCH 137/413] bignum_tests: Refactored mpi_mod_raw_to/fromt_mont_rep This patch migrates the tests to use the `mbedtls_test_read_mpi_core()`. Signed-off-by: Minos Galanakis --- .../suites/test_suite_bignum_mod_raw.function | 82 +++++++++---------- 1 file changed, 38 insertions(+), 44 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 8536e310ef..d0ffd27b0f 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
@@ -297,76 +297,70 @@ exit: /* BEGIN_CASE */ void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X ) { - mbedtls_mpi N, A, X; + mbedtls_mpi_uint *N = NULL; + mbedtls_mpi_uint *A = NULL; + mbedtls_mpi_uint *X = NULL; mbedtls_mpi_mod_modulus m; - - mbedtls_mpi_init( &N ); - mbedtls_mpi_init( &A ); - mbedtls_mpi_init( &X ); + size_t n_limbs, a_limbs, x_limbs, x_bytes; /* Read inputs */ - TEST_EQUAL( 0, mbedtls_test_read_mpi( &N, input_N ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi( &A, input_A ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi( &X, input_X ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &a_limbs, input_A ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &x_limbs, input_X ) ); + x_bytes = x_limbs * sizeof(mbedtls_mpi_uint); - /* All of the inputs are +ve (or zero) */ - TEST_EQUAL( 1, X.s ); - TEST_EQUAL( 1, A.s ); + /* Test that input does not require more limbs than modulo */ + TEST_LE_U(a_limbs, n_limbs); mbedtls_mpi_mod_modulus_init( &m ); - TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N.p, N.n, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, + MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); - TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep( A.p ,&m ) ); - - /* Calculated matches expected value */ - TEST_ASSERT( mbedtls_mpi_cmp_mpi( &A, &X ) == 0 ); - - /* Output is +ve (or zero) */ - TEST_EQUAL( 1, A.s ); + /* Convert from cannonical into Montgomery representation */ + TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep( A, &m ) ); + /* The result matches expected value */ + ASSERT_COMPARE( A, x_bytes, X, x_bytes ); exit: mbedtls_mpi_mod_modulus_free( &m ); - mbedtls_mpi_free( &N ); - mbedtls_mpi_free( &A ); - mbedtls_mpi_free( &X ); + mbedtls_free( N ); + mbedtls_free( A ); + mbedtls_free( X ); } /* END_CASE */ /* BEGIN_CASE */ void mpi_mod_raw_from_mont_rep( 
char * input_N, char * input_A, char * input_X ) { - mbedtls_mpi N, A, X; + mbedtls_mpi_uint *N = NULL; + mbedtls_mpi_uint *A = NULL; + mbedtls_mpi_uint *X = NULL; mbedtls_mpi_mod_modulus m; - - mbedtls_mpi_init( &N ); - mbedtls_mpi_init( &A ); - mbedtls_mpi_init( &X ); + size_t n_limbs, a_limbs, x_limbs, x_bytes; /* Read inputs */ - TEST_EQUAL( 0, mbedtls_test_read_mpi( &N, input_N ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi( &A, input_A ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi( &X, input_X ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &a_limbs, input_A ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &x_limbs, input_X ) ); + x_bytes = x_limbs * sizeof(mbedtls_mpi_uint); - /* All of the inputs are +ve (or zero) */ - TEST_EQUAL( 1, X.s ); - TEST_EQUAL( 1, A.s ); + /* Test that input does not require more limbs than modulo */ + TEST_LE_U(a_limbs, n_limbs); mbedtls_mpi_mod_modulus_init( &m ); - TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N.p, N.n, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, + MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); - TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep( A.p ,&m ) ); - - /* Calculated matches expected value */ - TEST_ASSERT( mbedtls_mpi_cmp_mpi( &A, &X ) == 0 ); - - /* Output is +ve (or zero) */ - TEST_EQUAL( 1, A.s ); + /* Convert from Montgomery into cannonical representation */ + TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep( A, &m ) ); + /* The result matches expected value */ + ASSERT_COMPARE( A, x_bytes, X, x_bytes ); exit: mbedtls_mpi_mod_modulus_free( &m ); - mbedtls_mpi_free( &N ); - mbedtls_mpi_free( &A ); - mbedtls_mpi_free( &X ); + mbedtls_free( N ); + mbedtls_free( A ); + mbedtls_free( X ); } /* END_CASE */ /* END MERGE SLOT 7 */ From a252f6b24c95322617059a2ba61bc691cb63df19 Mon Sep 17 00:00:00 2001 
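Review bot: `TEST_LE_U(a_limbs, n_limbs);` still admits `a_limbs < n_limbs`, yet `mbedtls_mpi_mod_raw_to_mont_rep( A, &m )` operates on `m->limbs` limbs of `A`, so a shorter `input_A` overruns the buffer returned by `mbedtls_test_read_mpi_core`; the precondition the function documents is equality, `TEST_EQUAL( a_limbs, n_limbs );`, and the `mpi_mod_raw_from_mont_rep` half of this hunk has the identical check. `ASSERT_COMPARE( A, x_bytes, X, x_bytes )` reads `x_bytes` from `A`, so `x_limbs` also needs pinning, `TEST_EQUAL( x_limbs, n_limbs );`, rather than trusting the generated data to be padded. The comments `Convert from cannonical ...` and `... into cannonical representation` misspell "canonical" in both functions.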
From: Minos Galanakis Date: Wed, 9 Nov 2022 19:23:53 +0000 Subject: [PATCH 138/413] bignum_mod_raw.py: Added BignumModRawConvertToMont This patch adds test class for 'mpi_mod_raw_to_mont_rep()`. Signed-off-by: Minos Galanakis --- scripts/mbedtls_dev/bignum_mod_raw.py | 88 +++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 1465e3ed75..cea7ec78d1 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
@@ -122,7 +122,95 @@ class BignumModRawOperationArchSplit(BignumModRawOperation): # END MERGE SLOT 6 # BEGIN MERGE SLOT 7 +class BignumModRawConvertToMont(BignumModRawOperationArchSplit): + """ Test cases for mpi_mod_raw_to_mont_rep(). """ + test_function = "mpi_mod_raw_to_mont_rep" + test_name = "Convert into Mont: " + + test_data_moduli = ["b", + "fd", + "eeff99aa37", + "eeff99aa11", + "800000000005", + "7fffffffffffffff", + "80fe000a10000001", + "25a55a46e5da99c71c7", + "1058ad82120c3a10196bb36229c1", + "7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f" + "18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a" + "98df75154f8c914a282f8b", + "8335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63", + "ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f" + "2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a6" + "4d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2" + "deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d" + "6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a0" + "7e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d389" + "8c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6" + "bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3a" + "d4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181d" + "b8896f33bb12e6ef73f12ec5c5ea7a8a337" + ] + + test_input_numbers = ["0", + "1", + "97", + "f5", + "6f5c3", + "745bfe50f7", + "ffa1f9924123", + "334a8b983c79bd", + "5b84f632b58f3461", + "19acd15bc38008e1", + "ffffffffffffffff", + "54ce6a6bb8247fa0427cfc75a6b0599", + "fecafe8eca052f154ce6a6bb8247fa019558bfeecce9bb9", + "a87d7a56fa4bfdc7da42ef798b9cf6843d4c54794698cb14d72" + "851dec9586a319f4bb6d5695acbd7c92e7a42a5ede6972adcbc" + "f68425265887f2d721f462b7f1b91531bac29fa648facb8e3c6" + "1bd5ae42d5a59ba1c89a95897bfe541a8ce1d633b98f379c481" + "6f25e21f6ac49286b261adb4b78274fe5f61c187581f213e84b" + "2a821e341ef956ecd5de89e6c1a35418cd74a549379d2d4594a" + "577543147f8e35b3514e62cf3e89d1156cdc91ab5f4c928fbd6" + "9148c35df5962fed381f4d8a62852a36823d5425f7487c13a12" + 
"523473fb823aa9d6ea5f42e794e15f2c1a8785cf6b7d51a4617" + "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185" + ] + + descr_tpl = '{} #{} N: \"{}\" A: \"{}\".' + + def result(self) -> List[str]: + return [self.hex_x] + + def arguments(self) -> List[str]: + return [bignum_common.quote_str(n) for n in [self.hex_n, + self.hex_a, + self.hex_x]] + + def description(self) -> str: + return self.descr_tpl.format(self.test_name, + self.count, + self.int_n, + self.int_a) + + @classmethod + def generate_function_tests(cls) -> Iterator[test_case.TestCase]: + for bil in [32, 64]: + for n in cls.test_data_moduli: + for i in cls.test_input_numbers: + # Skip invalid combinations where A.limbs > N.limbs + if bignum_common.hex_to_int(i) > bignum_common.hex_to_int(n): + continue + yield cls(n, i, bits_in_limb=bil).create_test_case() + + @property + def x(self) -> int: # pylint: disable=invalid-name + return (self.int_a * self.r) % self.int_n + + @property + def hex_x(self) -> str: + return "{:x}".format(self.x).zfill(self.hex_digits) # END MERGE SLOT 7 # BEGIN MERGE SLOT 8 From 50de073c84a5cc0946a87dddc457b3d125cb5ac1 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 9 Nov 2022 19:36:16 +0000 Subject: [PATCH 139/413] bignum_mod_raw.py: Added BignumModRawConvertfromMont This patch adds test class for 'mpi_mod_raw_from_mont_rep()`. Signed-off-by: Minos Galanakis --- scripts/mbedtls_dev/bignum_mod_raw.py | 31 +++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index cea7ec78d1..bd694a6084 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
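Review bot: The comment in `generate_function_tests` promises a limb-count filter (`A.limbs > N.limbs`), but the condition `bignum_common.hex_to_int(i) > bignum_common.hex_to_int(n)` compares values, so an input with the same limb count as N but a larger value is skipped while an equal value is kept; either compare limb counts or reword to `# Skip combinations where A > N (C side only requires A.limbs <= N.limbs)`. The C test function earlier in this series asserts `TEST_LE_U(a_limbs, n_limbs)`, so the value comparison is stricter than what the test needs — if keeping A in the modulus range is the intent, the comment should say so. `descr_tpl` labels `N:`/`A:` in quotes like the hex arguments but is fed `self.int_n`/`self.int_a`, which print as decimal; `self.hex_n`/`self.hex_a` would match the strings passed in `arguments()`. The `x` property has no docstring; a one-liner such as `"""A * R mod N, the Montgomery form of A."""` would state what it computes.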
@@ -211,6 +211,37 @@ class BignumModRawConvertToMont(BignumModRawOperationArchSplit): @property def hex_x(self) -> str: return "{:x}".format(self.x).zfill(self.hex_digits) + +class BignumModRawConvertFromMont(BignumModRawConvertToMont): + """ Test cases for mpi_mod_raw_from_mont_rep(). """ + + test_function = "mpi_mod_raw_from_mont_rep" + test_name = "Convert from Mont: " + + test_input_numbers = ["0", + "1", + "3ca", + "539ed428", + "7dfe5c6beb35a2d6", + "dca8de1c2adfc6d7aafb9b48e", + "a7d17b6c4be72f3d5c16bf9c1af6fc933", + "2fec97beec546f9553142ed52f147845463f579", + "378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f", + "b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395a" + "b3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675" + "487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57" + "d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea" + "41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab3" + "58d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c" + "6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8" + "de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74" + "e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32" + "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627" + ] + + @property + def x(self): # pylint: disable=invalid-name + return (self.int_a * self.r_inv) % self.int_n # END MERGE SLOT 7 # BEGIN MERGE SLOT 8 From 0e97d4d16dcf4d90fdac381a3c0ec7cd68fd29f2 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 24 Oct 2022 11:12:51 +0000 Subject: [PATCH 140/413] Add early data indication to client side Add fields to mbedtls_ssl_context Add write early data indication function Add check whether write early data indication Add early data option to ssl_client2 Add test cases for early data 
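Review bot: The overriding `x` property drops the `-> int` return annotation the parent's `x` declares; `def x(self) -> int:  # pylint: disable=invalid-name` keeps the two consistent, and a docstring such as `"""A * R^-1 mod N, i.e. A taken out of Montgomery form."""` would say why it differs from the inherited one. The class also inherits `generate_function_tests`, so the parent's `A > N` skip applies to these inputs too; if that is intended here a short comment on the class would save the next reader from checking.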
Signed-off-by: Xiaokang Qian --- include/mbedtls/build_info.h | 4 ++++ include/mbedtls/ssl.h | 16 ++++++++++++++ library/ssl_misc.h | 19 ++++++++++++++++ library/ssl_tls.c | 9 ++++++++ library/ssl_tls13_client.c | 39 +++++++++++++++++++++++---------- library/ssl_tls13_generic.c | 35 ++++++++++++++++++++++++++++++ programs/ssl/ssl_client2.c | 42 ++++++++++++++++++++++++++++++++++++ tests/configs/tls13-only.h | 1 + tests/ssl-opt.sh | 18 ++++++++++++++++ 9 files changed, 172 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 170cbebbee..f1bb527700 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -112,6 +112,10 @@ #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +#endif + +#if !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \ + !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) #undef MBEDTLS_SSL_EARLY_DATA #endif diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 01ede4088d..47ce3c6950 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -332,6 +332,9 @@ #define MBEDTLS_SSL_EARLY_DATA_DISABLED 0 #define MBEDTLS_SSL_EARLY_DATA_ENABLED 1 +#define MBEDTLS_SSL_EARLY_DATA_OFF 0 +#define MBEDTLS_SSL_EARLY_DATA_ON 1 + #define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0 #define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1 @@ -801,6 +804,11 @@ typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) +#define MBEDTLS_SSL_EARLY_DATA_NOT_SENT 0 +#define MBEDTLS_SSL_EARLY_DATA_REJECTED 1 +#define MBEDTLS_SSL_EARLY_DATA_ACCEPTED 2 +#endif /** * \brief Callback type: server-side session cache getter * 
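Review bot: The three `MBEDTLS_SSL_EARLY_DATA_NOT_SENT`/`REJECTED`/`ACCEPTED` values added to the public header carry no documentation, unlike the `\brief`-commented declarations around them; a Doxygen comment saying these are the possible values of the context's early-data status, that the library (not the application) sets them during the handshake, and that `NOT_SENT` (0) is presumably what a freshly initialised context reports would help API users. The guard `MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C` also differs from the `MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA` guard on `mbedtls_ssl_tls13_conf_early_data` later in this file; a comment on why the client-only guard is right here would avoid a later "fix". The documentation gap is still present after the rename to `MBEDTLS_SSL_EARLY_DATA_STATUS_*` further down this series.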
@@ -1783,6 +1791,13 @@ struct mbedtls_ssl_context * and #MBEDTLS_SSL_CID_DISABLED. */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) + /* + * early data request state + */ + int MBEDTLS_PRIVATE(early_data_status); +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ + /** Callback to export key block and master secret */ mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys); void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */ @@ -1936,6 +1951,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); */ void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, int early_data_enabled ); + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */ #if defined(MBEDTLS_X509_CRT_PARSE_C) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index ad8754cac2..2b1f90f4f3 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -987,6 +987,15 @@ struct mbedtls_ssl_handshake_params } tls13_master_secrets; mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; + +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_tls13_early_secrets early_secrets; + + int early_data; /*!< Early data indication: + * 0 -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and + * 1 -- MBEDTLS_SSL_EARLY_DATA_ENABLED (for use early data) + */ +#endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -1480,6 +1489,11 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, #endif /* !MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ); +#endif + #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) #if defined(MBEDTLS_SSL_CLI_C) MBEDTLS_CHECK_RETURN_CRITICAL 
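Review bot: The new `early_data` handshake field is documented as holding `MBEDTLS_SSL_EARLY_DATA_DISABLED`/`ENABLED`, but the code that sets it (`mbedtls_ssl_tls13_write_client_hello_exts` in this same commit) assigns `MBEDTLS_SSL_EARLY_DATA_OFF`/`ON`; the pairs share the values 0/1 today, yet naming the configuration macros for a per-handshake "extension sent" flag is misleading, so the comment should read `0 -- MBEDTLS_SSL_EARLY_DATA_OFF (extension not sent), 1 -- MBEDTLS_SSL_EARLY_DATA_ON (extension sent)`. `early_secrets` is added with no reader or writer in this diff. In the `mbedtls_ssl_context` hunk above, the `early_data_status` comment (`early data request state`) does not name the `MBEDTLS_SSL_EARLY_DATA_*` constants it holds; pointing at them ties the field to its values.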
@@ -2046,6 +2060,11 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( size_t *out_len ); #endif /* MBEDTLS_ECDH_C */ +#if defined(MBEDTLS_SSL_EARLY_DATA) +int mbedtls_ssl_tls13_write_early_data_ext( + mbedtls_ssl_context *ssl, + unsigned char *buf, const unsigned char *end, size_t *olen); +#endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index da90b2350f..945a2e9bde 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1872,6 +1872,15 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +int mbedtls_ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ) +{ + mbedtls_ssl_session *session = ssl->session_negotiate; + return( ssl->handshake->resume && + session != NULL && session->ticket != NULL ); +} +#endif + #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) { diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 9940a0e5ea..0d24474ec3 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -693,13 +693,6 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite ) } #if defined(MBEDTLS_SSL_SESSION_TICKETS) -static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ) -{ - mbedtls_ssl_session *session = ssl->session_negotiate; - return( ssl->handshake->resume && - session != NULL && session->ticket != NULL ); -} - MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl, psa_algorithm_t *hash_alg, 
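Review bot: `mbedtls_ssl_tls13_write_early_data_ext` is declared without `MBEDTLS_CHECK_RETURN_CRITICAL`, while the `mbedtls_ssl_tls13_has_configured_ticket` declaration added to this header in the previous hunk carries it; since the caller only advances the ClientHello write pointer when the return is 0, an ignored return would silently corrupt the message, so the attribute belongs here too. The same applies to the reformatted prototype in a later commit of this series. The declaration also has no comment on its output contract (`*olen` receives the bytes written, 0 on failure); a one-line comment would match the documented neighbours.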
@@ -708,7 +701,7 @@ static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl, { mbedtls_ssl_session *session = ssl->session_negotiate; - if( !ssl_tls13_has_configured_ticket( ssl ) ) + if( !mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) return( -1 ); *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite ); @@ -726,7 +719,7 @@ static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl, mbedtls_ssl_session *session = ssl->session_negotiate; - if( !ssl_tls13_has_configured_ticket( ssl ) ) + if( !mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) return( -1 ); *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite ); @@ -773,7 +766,7 @@ static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl ) { int configured_psk_count = 0; #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( ssl_tls13_has_configured_ticket( ssl ) ) + if( mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) ); configured_psk_count++; @@ -1093,7 +1086,8 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) ) + if( selected_identity == 0 && + mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) { ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ); } 
@@ -1160,6 +1154,29 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, } #endif +#if defined(MBEDTLS_SSL_EARLY_DATA) + if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && + ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1 || + mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) && + ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED ) + { + ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len ); + if( ret != 0 ) + return( ret ); + p += ext_len; + + ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; + /* We're using rejected once we send the EarlyData extension, + and change it to accepted upon receipt of the server extension. */ + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_REJECTED; + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) ); + ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF; + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* For PSK-based key exchange we need the pre_shared_key extension * and the psk_key_exchange_modes extension. diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f854998893..8757487535 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
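Review bot: The `else` branch sets `ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF` but never assigns `ssl->early_data_status`, so when the extension is skipped the status stays at whatever the context already held; make it explicit with `ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_NOT_SENT;` next to the OFF assignment. This becomes observable later in this series, where the rename hunk makes 0 `MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN` and `..._STATUS_NOT_SENT` 1 but only updates the REJECTED assignment, leaving NOT_SENT unassigned anywhere visible. The same two-line fix covers that hunk. `mbedtls_ssl_tls13_write_client_hello_exts` starts and ends outside the hunk.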
@@ -1374,6 +1374,41 @@ cleanup: #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ +/* Early Data Extension + * + * struct {} Empty; + * + * struct { + * select ( Handshake.msg_type ) { + * case new_session_ticket: uint32 max_early_data_size; + * case client_hello: Empty; + * case encrypted_extensions: Empty; + * }; + * } EarlyDataIndication; + */ +#if defined(MBEDTLS_SSL_EARLY_DATA) +int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *out_len ) +{ + unsigned char *p = buf; + *out_len = 0; + ((void) ssl); + + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "client hello, adding early_data extension" ) ); + + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 ); + /* Write length of the early data indication extension */ + MBEDTLS_PUT_UINT16_BE( 0, p, 2 ); + + *out_len = 4; + return( 0 ); +} +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /* Reset SSL context and update hash for handling HRR. * * Replace Transcript-Hash(X) by diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 56efb3c17d..9685e69d4b 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -344,6 +344,14 @@ int main( void ) #define USAGE_SERIALIZATION "" #endif +#if defined(MBEDTLS_SSL_EARLY_DATA) +#define USAGE_EARLY_DATA \ + " early_data=%%d default: 0 (disabled)\n" \ + " options: 0 (disabled), 1 (enabled)\n" +#else +#define USAGE_EARLY_DATA "" +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_PROTO_TLS1_3 */ + #define USAGE_KEY_OPAQUE_ALGS \ " key_opaque_algs=%%s Allowed opaque key algorithms.\n" \ " comma-separated pair of values among the following:\n" \ 
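Review bot: `mbedtls_ssl_tls13_write_early_data_ext` has no doc comment; the header above shows the wire format but not the contract, which is that only the empty `client_hello` form is written (type plus zero length, 4 bytes), `*out_len` is 4 on success and left at 0 when `MBEDTLS_SSL_CHK_BUF_PTR` bails out. A comment such as `/* Write the (empty) client_hello form of early_data; *out_len is 0 on buffer overflow. */` would capture that. `((void) ssl);` is presumably there for builds where the debug macro compiles to nothing; saying so keeps it from being removed as dead code.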
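Review bot: The trailer `#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_PROTO_TLS1_3 */` does not match its `#if defined(MBEDTLS_SSL_EARLY_DATA)`; either the guard should also test `MBEDTLS_SSL_PROTO_TLS1_3` or the trailer should read `#endif /* MBEDTLS_SSL_EARLY_DATA */`. I also do not see `USAGE_EARLY_DATA` spliced into the usage text in any hunk of this diff, so the option is parsed later but may never be listed to the user — worth confirming against the full file.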
@@ -533,6 +541,7 @@ struct options * after renegotiation */ int reproducible; /* make communication reproducible */ int skip_close_notify; /* skip sending the close_notify alert */ + int early_data; /* support for early data */ int query_config_mode; /* whether to read config */ int use_srtp; /* Support SRTP */ int force_srtp_profile; /* SRTP protection profile to use or all */ @@ -1189,7 +1198,24 @@ int main( int argc, char *argv[] ) default: goto usage; } } + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_EARLY_DATA) + else if( strcmp( p, "early_data" ) == 0 ) + { + switch( atoi( q ) ) + { + case 0: + opt.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + break; + case 1: + opt.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + break; + default: goto usage; + } + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + else if( strcmp( p, "tls13_kex_modes" ) == 0 ) { if( strcmp( q, "psk" ) == 0 ) @@ -2091,6 +2117,10 @@ int main( int argc, char *argv[] ) if( opt.max_version != DFL_MAX_VERSION ) mbedtls_ssl_conf_max_tls_version( &conf, opt.max_version ); +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_tls13_conf_early_data( &conf, opt.early_data ); +#endif /* MBEDTLS_SSL_EARLY_DATA */ + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", @@ -2467,6 +2497,12 @@ int main( int argc, char *argv[] ) } } +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) + /* TODO: We can log the actual early data status after we define + * the API mbedtls_ssl_get_early_data_status. + */ +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ + #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) /* * 5. Verify the server certificate 
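Review bot: `opt.early_data` is parsed from the command line, but this diff adds neither a `DFL_EARLY_DATA` default nor an `opt.early_data = ...` line where the other options are initialised, so the value passed to `mbedtls_ssl_tls13_conf_early_data` when the option is absent is whatever `opt` starts with — presumably zero if `opt` is file-scope, but every other field is set explicitly and this one should be too, e.g. `#define DFL_EARLY_DATA MBEDTLS_SSL_EARLY_DATA_DISABLED` and `opt.early_data = DFL_EARLY_DATA;`. The parsing branch is under `MBEDTLS_SSL_PROTO_TLS1_3` and `MBEDTLS_SSL_EARLY_DATA` while the `mbedtls_ssl_tls13_conf_early_data` call is guarded by `MBEDTLS_SSL_EARLY_DATA` alone; assuming early data cannot be enabled without TLS 1.3 this is harmless, but consistent guards read better. `main` starts and ends outside these hunks.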
@@ -3177,6 +3213,12 @@ reconnect: mbedtls_printf( " ok\n" ); +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) + /* TODO: We can log the actual early data status when reconnect + * after we define the API mbedtls_ssl_get_early_data_status. + */ +#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ + goto send_request; } diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h index 7483f1cd97..a4dcb92ba3 100644 --- a/tests/configs/tls13-only.h +++ b/tests/configs/tls13-only.h @@ -24,6 +24,7 @@ /* Enable TLS 1.3 and core 1.3 features */ #define MBEDTLS_SSL_PROTO_TLS1_3 +#define MBEDTLS_SSL_EARLY_DATA #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE /* Disable TLS 1.2 and 1.2-specific features */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9eb925aa16..14123fa9a2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -80,12 +80,14 @@ fi if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" + O_NEXT_SRV_NO_WWW="$OPENSSL_NEXT s_server -cert data_files/server5.crt -key data_files/server5.key" O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt" O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" else O_NEXT_SRV=false O_NEXT_SRV_NO_CERT=false + O_NEXT_SRV_NO_WWW=false O_NEXT_CLI_NO_CERT=false O_NEXT_CLI=false fi @@ -1690,6 +1692,7 @@ fi if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT" + O_NEXT_SRV_NO_WWW="$O_NEXT_SRV_NO_WWW -accept $SRV_PORT" O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT" O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT" fi 
@@ -13039,6 +13042,21 @@ run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" +requires_openssl_next +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_EARLY_DATA +run_test "TLS 1.3, ext PSK, early data" \ + "$O_NEXT_SRV_NO_WWW -msg -debug -tls1_3 -early_data -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + 1 \ + -c "=> write client hello" \ + -c "client hello, adding early_data extension" \ + -c "<= write client hello" \ + -c "client state: MBEDTLS_SSL_SERVER_HELLO" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 911c0cc4f0971e0cc77685359cc8b649bb147e4f Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 31 Oct 2022 09:35:32 +0000 Subject: [PATCH 141/413] Fix format issues in comments Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 2 +- library/ssl_tls13_generic.c | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 47ce3c6950..6369de0a96 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1793,7 +1793,7 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) /* - * early data request state + * early data request status */ int MBEDTLS_PRIVATE(early_data_status); #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 8757487535..a27315102d 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
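Review bot: The expected client exit status is `1`, i.e. the test only passes when the client fails after sending its ClientHello, yet nothing says why failure is the expected outcome; a comment such as `# early_data is only advertised here, no 0-RTT data is sent yet, so the handshake is expected to fail` would stop the next person from "fixing" the exit code. There is no `-s` check that the OpenSSL server saw the early_data extension, so the test proves only the client-side debug lines. `requires_config_enabled MBEDTLS_SSL_SRV_C` is listed although only `$P_CLI` and the OpenSSL server are used.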
@@ -1375,8 +1375,6 @@ cleanup: #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ /* Early Data Extension - * - * struct {} Empty; * * struct { * select ( Handshake.msg_type ) { From 893ad8196689e0c75ec3a318bee1270da724222e Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 31 Oct 2022 10:38:10 +0000 Subject: [PATCH 142/413] Remove useless early_secrets field Signed-off-by: Xiaokang Qian --- library/ssl_misc.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 2b1f90f4f3..52dbb3b175 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -989,8 +989,6 @@ struct mbedtls_ssl_handshake_params mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; #if defined(MBEDTLS_SSL_EARLY_DATA) - mbedtls_ssl_tls13_early_secrets early_secrets; - int early_data; /*!< Early data indication: * 0 -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and * 1 -- MBEDTLS_SSL_EARLY_DATA_ENABLED (for use early data) From b781a2323c8aa878b3370a6335479940b6d9483c Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 1 Nov 2022 07:39:46 +0000 Subject: [PATCH 143/413] Move ssl_tls13_has_configured_ticket() back to tls13 client Signed-off-by: Xiaokang Qian --- library/ssl_misc.h | 5 ----- library/ssl_tls.c | 9 --------- library/ssl_tls13_client.c | 18 +++++++++++++----- 3 files changed, 13 insertions(+), 19 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 52dbb3b175..901c1049d6 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1487,11 +1487,6 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, #endif /* !MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ -#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) -MBEDTLS_CHECK_RETURN_CRITICAL -int mbedtls_ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ); -#endif - #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) #if defined(MBEDTLS_SSL_CLI_C) MBEDTLS_CHECK_RETURN_CRITICAL 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 945a2e9bde..da90b2350f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1872,15 +1872,6 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) -int mbedtls_ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ) -{ - mbedtls_ssl_session *session = ssl->session_negotiate; - return( ssl->handshake->resume && - session != NULL && session->ticket != NULL ); -} -#endif - #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) { diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 0d24474ec3..bb7e14bea0 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -693,6 +693,14 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite ) } #if defined(MBEDTLS_SSL_SESSION_TICKETS) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ) +{ + mbedtls_ssl_session *session = ssl->session_negotiate; + return( ssl->handshake->resume && + session != NULL && session->ticket != NULL ); +} + MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl, psa_algorithm_t *hash_alg, @@ -701,7 +709,7 @@ static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl, { mbedtls_ssl_session *session = ssl->session_negotiate; - if( !mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) + if( !ssl_tls13_has_configured_ticket( ssl ) ) return( -1 ); *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite ); 
@@ -719,7 +727,7 @@ static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl, mbedtls_ssl_session *session = ssl->session_negotiate; - if( !mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) + if( !ssl_tls13_has_configured_ticket( ssl ) ) return( -1 ); *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite ); @@ -766,7 +774,7 @@ static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl ) { int configured_psk_count = 0; #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) + if( ssl_tls13_has_configured_ticket( ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) ); configured_psk_count++; @@ -1087,7 +1095,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_SESSION_TICKETS) if( selected_identity == 0 && - mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) + ssl_tls13_has_configured_ticket( ssl ) ) { ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ); } @@ -1157,7 +1165,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_EARLY_DATA) if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1 || - mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) && + ssl_tls13_has_configured_ticket( ssl ) ) && ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED ) { ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len ); From 338f7276835fa1543de883017c8dc7802b567521 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 2 Nov 2022 07:18:30 +0000 Subject: [PATCH 144/413] Move EARLY_DATA_OFF/ON guard to ssl_misc.h Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 3 --- library/ssl_misc.h | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6369de0a96..8c49859874 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -332,9 +332,6 @@ #define MBEDTLS_SSL_EARLY_DATA_DISABLED 0 #define MBEDTLS_SSL_EARLY_DATA_ENABLED 1 -#define MBEDTLS_SSL_EARLY_DATA_OFF 0 -#define MBEDTLS_SSL_EARLY_DATA_ON 1 - #define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0 #define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1 diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 901c1049d6..d454ebb518 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -77,6 +77,10 @@ /* Faked handshake message identity for HelloRetryRequest. */ #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO ) +/* Early data indication sent or not */ +#define MBEDTLS_SSL_EARLY_DATA_OFF 0 +#define MBEDTLS_SSL_EARLY_DATA_ON 1 + /* * Internal identity of handshake extensions */ From 76332816c7a29d2f5f3e8a623fd4b9712caead08 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 2 Nov 2022 07:22:48 +0000 Subject: [PATCH 145/413] Define the EARLY_DATA_STATUS Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 7 ++++--- library/ssl_tls13_client.c | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8c49859874..92ab1a3902 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -802,9 +802,10 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) -#define MBEDTLS_SSL_EARLY_DATA_NOT_SENT 0 -#define MBEDTLS_SSL_EARLY_DATA_REJECTED 1 -#define MBEDTLS_SSL_EARLY_DATA_ACCEPTED 2 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 3 #endif /** * \brief Callback type: server-side session cache getter diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index bb7e14bea0..8879c44af0 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
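Review bot: After the renumbering `MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN` is 0, which is presumably what a zero-initialised context reports before the ClientHello is written, but the header still does not say that nor when each of the four values applies; the group needs a Doxygen comment, e.g. `/* Early data status of the client: UNKNOWN until the ClientHello is written, NOT_SENT if the extension was skipped, REJECTED once sent, ACCEPTED once the server echoes it. */`. Note that with this numbering `NOT_SENT` must be assigned explicitly on the skip path of `mbedtls_ssl_tls13_write_client_hello_exts`, which the following hunk does not do.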
@@ -1176,7 +1176,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; /* We're using rejected once we send the EarlyData extension, and change it to accepted upon receipt of the server extension. */ - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_REJECTED; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; } else { From ecc2948f211627acb21d4d9b7b003543f84f0692 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 2 Nov 2022 07:52:47 +0000 Subject: [PATCH 146/413] Fix format issues Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 1 - library/ssl_misc.h | 7 ++++--- library/ssl_tls13_client.c | 8 +++----- library/ssl_tls13_generic.c | 5 ++--- 4 files changed, 9 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 92ab1a3902..f1d16bc603 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1949,7 +1949,6 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); */ void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, int early_data_enabled ); - #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */ #if defined(MBEDTLS_X509_CRT_PARSE_C) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d454ebb518..581e1534c8 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2058,9 +2058,10 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( #endif /* MBEDTLS_ECDH_C */ #if defined(MBEDTLS_SSL_EARLY_DATA) -int mbedtls_ssl_tls13_write_early_data_ext( - mbedtls_ssl_context *ssl, - unsigned char *buf, const unsigned char *end, size_t *olen); +int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *out_len ); #endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 8879c44af0..c019db2fad 100644 
--- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -693,7 +693,6 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite ) } #if defined(MBEDTLS_SSL_SESSION_TICKETS) -MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ) { mbedtls_ssl_session *session = ssl->session_negotiate; @@ -1094,8 +1093,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( selected_identity == 0 && - ssl_tls13_has_configured_ticket( ssl ) ) + if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) ) { ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ); } @@ -1174,8 +1172,8 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, p += ext_len; ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; - /* We're using rejected once we send the EarlyData extension, - and change it to accepted upon receipt of the server extension. */ + /* Initializes the status to `rejected`. Changes it to `accepted` + * when `early_data` is received in EncryptedExtesion. */ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; } else diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index a27315102d..04790387a6 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1374,11 +1374,11 @@ cleanup: #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ -/* Early Data Extension +/* Early Data Indication Extension * * struct { * select ( Handshake.msg_type ) { - * case new_session_ticket: uint32 max_early_data_size; + * ... * case client_hello: Empty; * case encrypted_extensions: Empty; * }; 
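Review bot: The rewritten comment has a typo, `EncryptedExtesion` should be `EncryptedExtensions`, and it describes the transition to accepted without saying where it happens (no EncryptedExtensions handling for early_data is visible in this series); `/* Start as rejected; the EncryptedExtensions parser switches this to accepted when the server echoes early_data. */` says the same more precisely. The `else` branch is cut off by the hunk and the enclosing function starts and ends outside it.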
@@ -1399,7 +1399,6 @@ int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl, 3, ( "client hello, adding early_data extension" ) ); MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 ); - /* Write length of the early data indication extension */ MBEDTLS_PUT_UINT16_BE( 0, p, 2 ); *out_len = 4; From b0c32d8b20d729cad83cb786bf2c1cca7a8fde4c Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 2 Nov 2022 10:51:13 +0000 Subject: [PATCH 147/413] Update early data test cases Signed-off-by: Xiaokang Qian --- tests/ssl-opt.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 14123fa9a2..868de81d23 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -80,14 +80,14 @@ fi if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" - O_NEXT_SRV_NO_WWW="$OPENSSL_NEXT s_server -cert data_files/server5.crt -key data_files/server5.key" + O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key" O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt" O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" else O_NEXT_SRV=false O_NEXT_SRV_NO_CERT=false - O_NEXT_SRV_NO_WWW=false + O_NEXT_SRV_EARLY_DATA=false O_NEXT_CLI_NO_CERT=false O_NEXT_CLI=false fi @@ -1692,7 +1692,7 @@ fi if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT" - O_NEXT_SRV_NO_WWW="$O_NEXT_SRV_NO_WWW -accept $SRV_PORT" + O_NEXT_SRV_EARLY_DATA="$O_NEXT_SRV_EARLY_DATA -accept $SRV_PORT" O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT" O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT" fi 
@@ -13049,8 +13049,8 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_EARLY_DATA run_test "TLS 1.3, ext PSK, early data" \ - "$O_NEXT_SRV_NO_WWW -msg -debug -tls1_3 -early_data -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ + "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ 1 \ -c "=> write client hello" \ -c "client hello, adding early_data extension" \ From 01323a46c6f7e8a2b39b78a3458b456d88c41be6 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 3 Nov 2022 02:27:35 +0000 Subject: [PATCH 148/413] Add session ticket related check when send early data Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index c019db2fad..9434c2b088 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -700,6 +700,18 @@ static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl ) session != NULL && session->ticket != NULL ); } +#if defined(MBEDTLS_SSL_EARLY_DATA) +static int ssl_tls13_early_data_ticket_verify( mbedtls_ssl_context *ssl ) +{ + mbedtls_ssl_session *session = ssl->session_negotiate; + return( ssl->handshake->resume && + session != NULL && session->ticket != NULL && + session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && + mbedtls_ssl_tls13_cipher_suite_is_offered( + ssl, session->ciphersuite ) ); +} +#endif + MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl, psa_algorithm_t *hash_alg, 
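Review bot: The `#endif` that closes the new `#if defined(MBEDTLS_SSL_EARLY_DATA)` block around ssl_tls13_early_data_ticket_verify has no trailing comment, unlike the `#endif /* MBEDTLS_SSL_EARLY_DATA */` convention used elsewhere in this file (the early-data block in mbedtls_ssl_tls13_write_client_hello_exts); write it as `#endif /* MBEDTLS_SSL_EARLY_DATA */`, which matters here because the block appears to sit inside the MBEDTLS_SSL_SESSION_TICKETS region that also holds ssl_tls13_has_configured_ticket. Later commits in this series rename and rework the body, but none of the visible hunks touch that line. The checks on `tls_version` and `mbedtls_ssl_tls13_cipher_suite_is_offered` also deserve a one-line rationale, e.g. `/* A ticket may be used for 0-RTT only if it was issued in a TLS 1.3 session whose cipher suite is offered again (RFC 8446 §4.2.10). */`, so a future reader does not loosen them as redundant.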
@@ -1162,8 +1174,11 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_EARLY_DATA)
if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
- ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1 ||
- ssl_tls13_has_configured_ticket( ssl ) ) &&
+ ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ || ssl_tls13_early_data_ticket_verify( ssl )
+#endif
+ ) &&
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
{
ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );
From a341225fd03a96051b482e0fd64623c464885864 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Fri, 4 Nov 2022 10:13:19 +0000
Subject: [PATCH 149/413] Change function name ssl_tls13_early_data_has_valid_ticket
Signed-off-by: Xiaokang Qian
---
library/ssl_tls13_client.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 9434c2b088..b539f8ff4a 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -701,7 +701,7 @@ static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
-static int ssl_tls13_early_data_ticket_verify( mbedtls_ssl_context *ssl )
+static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_session *session = ssl->session_negotiate;
return( ssl->handshake->resume &&
@@ -1176,7 +1176,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- || ssl_tls13_early_data_ticket_verify( ssl )
+ || ssl_tls13_early_data_has_valid_ticket( ssl )
#endif
) &&
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
From f447e8a8d38730cb0973888cfd1cce818942c290 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian Date: Tue, 8 Nov 2022 07:02:27 +0000 Subject: [PATCH 150/413] Address comments base on reviews Improve early data indication check Update test case to gnutls server Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 23 ++++++++++++++++------- library/ssl_debug_helpers.h | 5 +++++ library/ssl_misc.h | 7 ------- library/ssl_tls13_client.c | 22 ++++++++++++---------- tests/ssl-opt.sh | 14 +++++++------- 5 files changed, 40 insertions(+), 31 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index f1d16bc603..0804746131 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -802,11 +802,23 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) -#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 3 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT 2 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 3 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 4 #endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) + +typedef enum +{ + MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA = 1, + MBEDTLS_SSL_TICKET_ALLOW_DHE_RESUMPTION = 2, + MBEDTLS_SSL_TICKET_ALLOW_PSK_RESUMPTION = 4, +} mbedtls_ssl_ticket_flags; + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ /** * \brief Callback type: server-side session cache getter * @@ -1790,9 +1802,6 @@ struct mbedtls_ssl_context #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) - /* - * early data request status - */ int MBEDTLS_PRIVATE(early_data_status); #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ 
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h index 4412f8e213..9efbbbcd26 100644 --- a/library/ssl_debug_helpers.h +++ b/library/ssl_debug_helpers.h @@ -33,6 +33,11 @@ const char *mbedtls_ssl_states_str( mbedtls_ssl_states in ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) +const char *mbedtls_ssl_ticket_flags_str( mbedtls_ssl_ticket_flags in ); +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) && + defined(MBEDTLS_SSL_SESSION_TICKETS) */ + const char *mbedtls_ssl_protocol_version_str( mbedtls_ssl_protocol_version in ); const char *mbedtls_tls_prf_types_str( mbedtls_tls_prf_types in ); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 581e1534c8..342cabb3a2 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -991,13 +991,6 @@ struct mbedtls_ssl_handshake_params } tls13_master_secrets; mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; - -#if defined(MBEDTLS_SSL_EARLY_DATA) - int early_data; /*!< Early data indication: - * 0 -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and - * 1 -- MBEDTLS_SSL_EARLY_DATA_ENABLED (for use early data) - */ -#endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b539f8ff4a..46c7c45898 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -705,8 +705,8 @@ static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl ) { mbedtls_ssl_session *session = ssl->session_negotiate; return( ssl->handshake->resume && - session != NULL && session->ticket != NULL && session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && + ( session->ticket_flags & MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA ) && mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, session->ciphersuite ) ); } 
@@ -1174,11 +1174,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_EARLY_DATA) if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && - ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1 -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - || ssl_tls13_early_data_has_valid_ticket( ssl ) -#endif - ) && + ssl_tls13_early_data_has_valid_ticket( ssl ) && ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED ) { ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len ); @@ -1186,15 +1182,14 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, return( ret ); p += ext_len; - ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; - /* Initializes the status to `rejected`. Changes it to `accepted` + /* Initializes the status to `indication sent`. Changes it to `accepted` * when `early_data` is received in EncryptedExtesion. */ - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT; } else { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) ); - ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF; + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -2543,6 +2538,13 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, switch( extension_type ) { + case MBEDTLS_TLS_EXT_EARLY_DATA: + MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) ); + if( extension_data_len == 4 && ssl->session != NULL) + ssl->session->ticket_flags |= + MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA; + break; + default: MBEDTLS_SSL_PRINT_EXT( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 868de81d23..b6c3982d82 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
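Review bot: The `#if defined(MBEDTLS_SSL_SESSION_TICKETS)` guard around the ssl_tls13_early_data_has_valid_ticket( ssl ) call is dropped, but the callee is defined next to ssl_tls13_has_configured_ticket, which the earlier hunks in this file show inside a MBEDTLS_SSL_SESSION_TICKETS region; a build with MBEDTLS_SSL_EARLY_DATA but without session tickets would then fail on this call, and nothing in this commit adds the configuration check that would make the dependency explicit. Either keep the guard, or land the check_config.h prerequisite in the same commit and say so at the call site, e.g. `/* 0-RTT is offered only with a ticket-derived PSK; MBEDTLS_SSL_SESSION_TICKETS is a prerequisite (see check_config.h) */`. Removing the `mbedtls_ssl_conf_has_static_psk` branch is a deliberate narrowing (externally provisioned PSKs can no longer trigger early data, which RFC 8446 §4.2.10 permits only when the early-data parameters are provisioned with the key) and the commit message should state that. The enclosing function starts and ends outside the hunk.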
@@ -13042,15 +13042,15 @@ run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" -requires_openssl_next -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_EARLY_DATA -run_test "TLS 1.3, ext PSK, early data" \ - "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ - "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +run_test "TLS 1.3: NewSessionTicket: early data, m->G" \ + "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --earlydata --disable-client-cert" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \ 1 \ -c "=> write client hello" \ -c "client hello, adding early_data extension" \ From a042b8406d0ec8489eceff88e27c5583577bab26 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 9 Nov 2022 01:59:33 +0000 Subject: [PATCH 151/413] Address some format issues Signed-off-by: Xiaokang Qian --- library/ssl_misc.h | 4 ---- library/ssl_tls13_client.c | 8 +++++--- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 342cabb3a2..4d7f63547d 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -77,10 +77,6 @@ /* Faked handshake message identity for HelloRetryRequest. */ #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO ) -/* Early data indication sent or not */ -#define MBEDTLS_SSL_EARLY_DATA_OFF 0 -#define MBEDTLS_SSL_EARLY_DATA_ON 1 - /* * Internal identity of handshake extensions */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 46c7c45898..f68b240803 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1182,8 +1182,10 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, return( ret ); p += ext_len; - /* Initializes the status to `indication sent`. Changes it to `accepted` - * when `early_data` is received in EncryptedExtesion. */ + /* Initializes the status to `indication sent`. It will be updated to + * `accepted` or `rejected` depend on whether the EncryptedExtension + * message will contain an early data indication extension or not. + */ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT; } else @@ -2540,7 +2542,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, { case MBEDTLS_TLS_EXT_EARLY_DATA: MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) ); - if( extension_data_len == 4 && ssl->session != NULL) + if( extension_data_len == 4 && ssl->session != NULL ) ssl->session->ticket_flags |= MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA; break; From 097771672d0923b10d7eb44bc689e3f0ff717bce Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 9 Nov 2022 03:46:23 +0000 Subject: [PATCH 152/413] Update early data document and prerequisites check Signed-off-by: Xiaokang Qian --- include/mbedtls/build_info.h | 4 ++++ include/mbedtls/check_config.h | 5 +++-- include/mbedtls/mbedtls_config.h | 5 ++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index f1bb527700..71f5bffd24 100644 --- a/include/mbedtls/build_info.h 
+++ b/include/mbedtls/build_info.h @@ -119,6 +119,10 @@ #undef MBEDTLS_SSL_EARLY_DATA #endif +#if !defined(MBEDTLS_SSL_SESSION_TICKETS) +#undef MBEDTLS_SSL_EARLY_DATA +#endif + #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) || \ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index d36db4a9ec..4eb1528bb8 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -844,8 +844,9 @@ /* Early data requires PSK related mode defined */ #if defined(MBEDTLS_SSL_EARLY_DATA) && \ - ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \ - !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)) + ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \ + ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \ + !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) ) #error "MBEDTLS_SSL_EARLY_DATA defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index b4c8635215..93ca9b58ae 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1641,7 +1641,10 @@ * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED * * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 -* is not enabled, this option does not have any effect on the build. +* is not enabled or both MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED and +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED are disabled or +* MBEDTLS_SSL_SESSION_TICKETS is not enabled, this option does not have any +* effect on the build. * * This feature is experimental, not completed and thus not ready for * production. From 50a47940b60d0dcb104bfcd3d0300df95e6e95d8 Mon Sep 17 00:00:00 2001 
From: Xiaokang Qian Date: Wed, 9 Nov 2022 03:58:41 +0000 Subject: [PATCH 153/413] Update early data test case with gnutls Signed-off-by: Xiaokang Qian --- tests/ssl-opt.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b6c3982d82..ccca83b739 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13048,14 +13048,15 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -run_test "TLS 1.3: NewSessionTicket: early data, m->G" \ +run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --earlydata --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \ 1 \ - -c "=> write client hello" \ - -c "client hello, adding early_data extension" \ - -c "<= write client hello" \ - -c "client state: MBEDTLS_SSL_SERVER_HELLO" + -c "client hello, adding early_data extension" \ + -c "Reconnecting with saved session" \ + -c "unsupported extension found: 42" \ + -s "Parsing extension 'Early Data/42' (0 bytes)" \ + -s "Sending extension Early Data/42 (0 bytes)" # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 From 29ee43c0e17d4c1a7bf3b1c47d54e14d8ae73bb7 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 9 Nov 2022 07:39:57 +0000 Subject: [PATCH 154/413] Update document base on comments Signed-off-by: Xiaokang Qian --- include/mbedtls/mbedtls_config.h | 3 ++- include/mbedtls/ssl.h | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 93ca9b58ae..e3bae2cf80 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
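Review bot: The new assertion `-c "unsupported extension found: 42"` pins the fact that the client does not yet parse the early_data extension in EncryptedExtensions, while the two server-side lines show GnuTLS actually accepting the early data; the test therefore passes although early_data_status can never progress past INDICATION_SENT, and the assertion will have to be inverted once the client handles the acceptance. A comment above the run_test, such as `# Client does not yet process early_data in EncryptedExtensions; the 'unsupported extension' line is expected until it does.`, would make this interim expectation explicit instead of reading like a regression check. Dropping the `-c "=> write client hello"` / `-c "<= write client hello"` pair is fine since the extension log line already implies them.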
@@ -1637,7 +1637,8 @@ * * Enable support for RFC 8446 TLS 1.3 early data. * -* Requires: MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or +* Requires: MBEDTLS_SSL_SESSION_TICKETS and either +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED * * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 0804746131..1ae441caaa 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -802,6 +802,15 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) +/* Define the status of early data. + * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN : Initilized. + * MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT: Have sent early data + * indication in client hello successfully. + * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT: Have sent client hello without + * data indication. + * MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED: Server side reject the early data. + * MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED: Server side accept the early data. + */ #define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0 #define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1 #define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT 2 From 2d87a9eeb551fe6d5c447374283eb163f33ab4a9 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 9 Nov 2022 07:55:48 +0000 Subject: [PATCH 155/413] Pend one alert in case wrong EXT_EARLY_DATA length Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index f68b240803..4935fbf4e5 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -2542,9 +2542,18 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
{
case MBEDTLS_TLS_EXT_EARLY_DATA:
MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
- if( extension_data_len == 4 && ssl->session != NULL )
+ if( extension_data_len != 4 )
+ {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+ if( ssl->session != NULL )
+ {
ssl->session->ticket_flags |=
MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
+ }
break;
default:
From ae07cd995a7cb20f570a00dfaaf4d03cdc1ae422 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Wed, 9 Nov 2022 08:09:47 +0000
Subject: [PATCH 156/413] Change ticket_flag base on review
Signed-off-by: Xiaokang Qian
---
include/mbedtls/ssl.h | 10 ++++------
library/ssl_debug_helpers.h | 5 -----
library/ssl_tls13_client.c | 5 +++--
3 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 1ae441caaa..8b1ed23d14 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -820,12 +820,10 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-typedef enum
-{
- MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA = 1,
- MBEDTLS_SSL_TICKET_ALLOW_DHE_RESUMPTION = 2,
- MBEDTLS_SSL_TICKET_ALLOW_PSK_RESUMPTION = 4,
-} mbedtls_ssl_ticket_flags;
+typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION ( 1u << 0 )
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION ( 1u << 2 )
+#define MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION ( 1u << 3 )
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
/**
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index 9efbbbcd26..4412f8e213 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
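Review bot: The 4-byte max_early_data_size carried by the early_data extension is now length-checked but its value is never read, so the client only records that the ticket permits 0-RTT and not how much; RFC 8446 §4.6.1 requires the client not to send more than max_early_data_size bytes, and a server that advertises 0 is effectively refusing 0-RTT yet still gets MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA set on this ticket. I would decode the value (the MBEDTLS_GET_UINT32_BE counterpart of the MBEDTLS_PUT_UINT16_BE used in ssl_tls13_generic.c) into a session field and gate the flag on it, roughly `max_early_data_size = MBEDTLS_GET_UINT32_BE( <extension data>, 0 );` followed by `if( ssl->session != NULL && max_early_data_size > 0 )` — the extension-data pointer's name is outside this hunk, and the field would also need to survive session save/load for the reconnect case the tests exercise. If storing the limit is deferred, a `/* TODO: max_early_data_size is discarded; the 0-RTT send path cannot enforce RFC 8446 §4.6.1 yet */` comment at the flag assignment keeps the gap visible. The enclosing switch and function continue outside the hunk.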
@@ -33,11 +33,6 @@ const char *mbedtls_ssl_states_str( mbedtls_ssl_states in ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) -const char *mbedtls_ssl_ticket_flags_str( mbedtls_ssl_ticket_flags in ); -#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) && - defined(MBEDTLS_SSL_SESSION_TICKETS) */ - const char *mbedtls_ssl_protocol_version_str( mbedtls_ssl_protocol_version in ); const char *mbedtls_tls_prf_types_str( mbedtls_tls_prf_types in ); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 4935fbf4e5..aea7adab09 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -706,7 +706,8 @@ static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl ) mbedtls_ssl_session *session = ssl->session_negotiate; return( ssl->handshake->resume && session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && - ( session->ticket_flags & MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA ) && + ( session->ticket_flags & + MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION ) && mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, session->ciphersuite ) ); } @@ -2552,7 +2553,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, if( ssl->session != NULL ) { ssl->session->ticket_flags |= - MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA; + MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION; } break; From fe3483f9a142ca019c5371d04a3b83e084289cf7 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 9 Nov 2022 10:45:23 +0000 Subject: [PATCH 157/413] Update early data doument and config dependencies Signed-off-by: Xiaokang Qian --- include/mbedtls/build_info.h | 4 ---- include/mbedtls/check_config.h | 7 ++----- include/mbedtls/mbedtls_config.h | 9 +++------ include/mbedtls/ssl.h | 13 ++----------- library/ssl_tls13_client.c | 6 +++--- 5 files changed, 10 insertions(+), 29 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 71f5bffd24..f1bb527700 100644 
--- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -119,10 +119,6 @@ #undef MBEDTLS_SSL_EARLY_DATA #endif -#if !defined(MBEDTLS_SSL_SESSION_TICKETS) -#undef MBEDTLS_SSL_EARLY_DATA -#endif - #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) || \ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 4eb1528bb8..4c4bde49b2 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -842,11 +842,8 @@ "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx" #endif -/* Early data requires PSK related mode defined */ -#if defined(MBEDTLS_SSL_EARLY_DATA) && \ - ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \ - ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \ - !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) ) +/* Early data requires MBEDTLS_SSL_SESSION_TICKETS defined */ +#if defined(MBEDTLS_SSL_EARLY_DATA) && !defined(MBEDTLS_SSL_SESSION_TICKETS) #error "MBEDTLS_SSL_EARLY_DATA defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index e3bae2cf80..3c46971758 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -1637,15 +1637,12 @@ * * Enable support for RFC 8446 TLS 1.3 early data. * -* Requires: MBEDTLS_SSL_SESSION_TICKETS and either -* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or -* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +* Requires: MBEDTLS_SSL_SESSION_TICKETS * * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 * is not enabled or both MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED and -* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED are disabled or -* MBEDTLS_SSL_SESSION_TICKETS is not enabled, this option does not have any -* effect on the build. +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED are disabled, +* this option does not have any effect on the build. * * This feature is experimental, not completed and thus not ready for * production. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8b1ed23d14..16de0f8066 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -802,15 +802,6 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) -/* Define the status of early data. - * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN : Initilized. - * MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT: Have sent early data - * indication in client hello successfully. - * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT: Have sent client hello without - * data indication. - * MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED: Server side reject the early data. - * MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED: Server side accept the early data. - */ #define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0 #define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1 #define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT 2 
@@ -822,8 +813,8 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; typedef uint8_t mbedtls_ssl_tls13_ticket_flags; #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION ( 1u << 0 ) -#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION ( 1u << 2 ) -#define MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION ( 1u << 3 ) +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION ( 1u << 1 ) +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1u << 2 ) #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ /** diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index aea7adab09..405cce031f 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -707,7 +707,7 @@ static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl ) return( ssl->handshake->resume && session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && ( session->ticket_flags & - MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION ) && + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) && mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, session->ciphersuite ) ); } @@ -1184,7 +1184,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl, p += ext_len; /* Initializes the status to `indication sent`. It will be updated to - * `accepted` or `rejected` depend on whether the EncryptedExtension + * `accepted` or `rejected` depending on whether the EncryptedExtension * message will contain an early data indication extension or not. */ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT; @@ -2553,7 +2553,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, if( ssl->session != NULL ) { ssl->session->ticket_flags |= - MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION; + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA; } break; From de95604f6c144807b315f3b3625b540729cbf7b7 Mon Sep 17 00:00:00 2001 
From: Xiaokang Qian
Date: Thu, 10 Nov 2022 03:11:54 +0000
Subject: [PATCH 158/413] Update ticket_flags related macros
Signed-off-by: Xiaokang Qian
---
include/mbedtls/ssl.h | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 16de0f8066..02685e1f85 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -812,9 +812,12 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION ( 1u << 0 )
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION ( 1u << 1 )
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1u << 2 )
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA \
+ MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION << 1
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
/**
From 402bb1ee905e43410ddb442b8070f901677e7416 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Thu, 10 Nov 2022 10:38:17 +0000
Subject: [PATCH 159/413] Update documents and check
Signed-off-by: Xiaokang Qian
---
include/mbedtls/build_info.h | 4 ----
include/mbedtls/check_config.h | 9 +++++++--
include/mbedtls/mbedtls_config.h | 8 ++++----
tests/configs/tls13-only.h | 1 -
4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index f1bb527700..170cbebbee 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
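Review bot: MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA expands to an unparenthesised `X << 1`, so any use other than plain `&`/`|` — a cast, unary `!`, multiplication, or a comparison with another expression — silently rebinds the shift; the definition should be `( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION << 1 )`, in line with the `( 1u << n )` form this commit replaces. The other two flags are now aliases of MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK and MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL, whose numeric values are not visible here, while mbedtls_ssl_tls13_ticket_flags is a uint8_t; a comment stating the invariant, e.g. `/* Ticket flags reuse the key-exchange-mode bitmask and add one bit above it; all values must fit in uint8_t. */`, plus a compile-time assertion if the project has one, would protect against a future renumbering of the mode constants overflowing the flags byte. The bit for ALLOW_EARLY_DATA is also no longer "the bit after PSK_EPHEMERAL" if MODE_PSK_EPHEMERAL is not the highest mode bit, which is worth spelling out in that comment.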
@@ -112,10 +112,6 @@ #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -#endif - -#if !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \ - !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) #undef MBEDTLS_SSL_EARLY_DATA #endif diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 4c4bde49b2..f932901ec6 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -842,8 +842,13 @@ "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx" #endif -/* Early data requires MBEDTLS_SSL_SESSION_TICKETS defined */ -#if defined(MBEDTLS_SSL_EARLY_DATA) && !defined(MBEDTLS_SSL_SESSION_TICKETS) +/* Early data requires MBEDTLS_SSL_SESSION_TICKETS and SOME_PSK related + * mode defined + */ +#if defined(MBEDTLS_SSL_EARLY_DATA) && \ + ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \ + ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \ + !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) ) #error "MBEDTLS_SSL_EARLY_DATA defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 3c46971758..12d503e389 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -1637,12 +1637,12 @@ * * Enable support for RFC 8446 TLS 1.3 early data. * -* Requires: MBEDTLS_SSL_SESSION_TICKETS +* Requires: MBEDTLS_SSL_SESSION_TICKETS and either +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED * * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 -* is not enabled or both MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED and -* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED are disabled, -* this option does not have any effect on the build. +* is not enabled, this option does not have any effect on the build. * * This feature is experimental, not completed and thus not ready for * production. diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h index a4dcb92ba3..7483f1cd97 100644 --- a/tests/configs/tls13-only.h +++ b/tests/configs/tls13-only.h @@ -24,7 +24,6 @@ /* Enable TLS 1.3 and core 1.3 features */ #define MBEDTLS_SSL_PROTO_TLS1_3 -#define MBEDTLS_SSL_EARLY_DATA #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE /* Disable TLS 1.2 and 1.2-specific features */ From 733c76e08a32b81905fb0a50a486c203d3699776 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 14 Nov 2022 08:33:21 +0100 Subject: [PATCH 160/413] Fix style issues pointed by pylint Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index f78af68f3c..2cdad692b9 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py 
@@ -60,7 +60,7 @@ def analyze_coverage(results, outcomes): # fixed this branch to have full coverage of test cases. results.warning('Test case not executed: {}', key) -def analyze_driver_vs_reference(outcomes, component_ref,component_driver, ignored_tests): +def analyze_driver_vs_reference(outcomes, component_ref, component_driver, ignored_tests): """Check that all tests executed in the reference component are also executed in the corresponding driver component. Skip test suites provided in ignored_tests list. @@ -143,12 +143,14 @@ TASKS = { 'args': { 'component_ref': 'test_psa_crypto_config_reference_hash_use_psa', 'component_driver': 'test_psa_crypto_config_accel_hash_use_psa', - 'ignored_suites': ['shax','mdx', # the software implementations that are being excluded + 'ignored_suites': ['shax', 'mdx', # the software implementations that are being excluded 'md', # the legacy abstraction layer that's being excluded - 'entropy','hmac_drbg','random', # temporary limitation (see RNG EPIC) + 'entropy', 'hmac_drbg', 'random', # temporary limitation + # (see RNG EPIC) 'psa_crypto_init', # doesn't work with external RNG - 'hkdf', # legacy still depends on MD, but there's a PSA interface that doesn't - 'pkcs7 ' # recent addition, will be addressed later + 'hkdf', # legacy still depends on MD, + # but there's a PSA interface that doesn't + 'pkcs7' # recent addition, will be addressed later ]}} } From 8b6826d309fcf90d6f7bde72e2fad184b56a6d8b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 14 Nov 2022 08:33:47 +0100 Subject: [PATCH 161/413] Revert "Add fake dependency to test CI" This reverts commit a380b06c26086e695345a04163c1d174c3eb7d20. Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_error.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_error.data b/tests/suites/test_suite_error.data index 65f0daa847..dec5639ee0 100644 --- a/tests/suites/test_suite_error.data +++ b/tests/suites/test_suite_error.data 
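Review bot: The change from `'pkcs7 '` to `'pkcs7'` in `ignored_suites` is a behavioural fix hidden in a commit titled as pylint style cleanup: with the trailing space the entry could not match the `pkcs7` suite name (assuming entries are compared by exact name, as the `ignored_tests` parameter of `analyze_driver_vs_reference` suggests), so the driver-vs-reference comparison was never actually skipping that suite. Either mention this in the commit message or split it into its own commit so the change in CI outcome is traceable. A one-line `# exact suite names; no trailing whitespace` comment on the list would help prevent a repeat.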
@@ -3,7 +3,7 @@ depends_on:MBEDTLS_AES_C error_strerror:-0x0020:"AES - Invalid key length" Single high error -depends_on:MBEDTLS_RSA_C:MBEDTLS_ENTROPY_C +depends_on:MBEDTLS_RSA_C error_strerror:-0x4080:"RSA - Bad input parameters to function" Low and high error From 48e8fc737a58c50e0c8a267a4de669265ef7b381 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 19 Oct 2022 15:14:29 +0200 Subject: [PATCH 162/413] Adding unit test for mbedtls_x509write_csr_set_extension() The already existing "x509_csr_check()" function is extended in order to support/test also CSR's extensions. The test is performed by adding an extended key usage. Signed-off-by: Valerio Setti --- tests/data_files/Makefile | 5 ++ tests/data_files/server1.req.sha256.ext | 17 +++++++ tests/suites/test_suite_x509write.data | 28 ++++++----- tests/suites/test_suite_x509write.function | 56 +++++++++++++++++++++- 4 files changed, 93 insertions(+), 13 deletions(-) create mode 100644 tests/data_files/server1.req.sha256.ext diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 6187d17bc3..cd4285c153 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -881,6 +881,11 @@ server1.req.sha256: server1.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA256 all_final += server1.req.sha256 +server1.req.sha256.ext: server1.key + # Generating this with OpenSSL as a comparison point to test we're getting the same result + openssl req -new -out $@ -key $< -subj '/C=NL/O=PolarSSL/CN=PolarSSL Server 1' -sha256 -addext "extendedKeyUsage=serverAuth" +all_final += server1.req.sha256.ext + server1.req.sha384: server1.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA384 all_final += server1.req.sha384 diff --git a/tests/data_files/server1.req.sha256.ext b/tests/data_files/server1.req.sha256.ext new file mode 100644 index 0000000000..3f26f09ef0 --- /dev/null 
+++ b/tests/data_files/server1.req.sha256.ext @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpzCCAY8CAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow +GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ +ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ +HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF +W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs +FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/ +DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAmMCQGCSqGSIb3DQEJDjEX +MBUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAHi0yEGu +Fh5tuLiLuT95UrRnly55+lTY9xchFiKtlcoEdSheybYxqk3JHuSSqojOFKZBlRdk +oG6Azg56/aMHPWyvtCMSRQX4b+FgjeQsm9IfhYNMquQOxyPxm62vjuU3MfZIofXH +hKdI6Ci2CDF4Fyvw50KBWniV38eE9+kjsvDLdXD3ESZJGhjjuFl8ReUiA2wdBTcP +XEZaXUIc6B4tUnlPeqn/2zp4GBqqWzNZx6TXBpApASGG3BEJnM52FVPC7E9p+8YZ +qIGuiF5Cz/rYZkpwffBWIfS2zZakHLm5TB8FgZkWlyReJU9Ihk2Tl/sZ1kllFdYa +xLPnLCL82KFL1Co= +-----END CERTIFICATE REQUEST----- diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 1844e5cf68..5793ff8d86 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data 
@@ -1,30 +1,30 @@ Certificate Request check Server1 SHA1 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0:0 Certificate Request check Server1 SHA224 depends_on:MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0:0 Certificate Request check Server1 SHA256 depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0:0 Certificate Request check Server1 SHA384 depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0:0 Certificate Request check Server1 SHA512 depends_on:MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0:0 Certificate Request check Server1 MD5 depends_on:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0 
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0:0 Certificate Request check Server1 key_usage depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0 Certificate Request check opaque Server1 key_usage depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 
@@ -32,23 +32,27 @@ x509_csr_check_opaque:"data_files/server1.key":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_D Certificate Request check Server1 key_usage empty depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0:0 Certificate Request check Server1 ns_cert_type depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 Certificate Request check Server1 ns_cert_type empty depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1:0 Certificate Request check Server1 key_usage + ns_cert_type depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 Certificate Request check Server5 ECDSA, key_usage 
depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED -x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0 +x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0 + +Certificate Request check Server1, set_extension +depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256.ext":MBEDTLS_MD_SHA256:0:0:0:0:1 Certificate Request check opaque Server5 ECDSA, key_usage depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 1120bee146..f37b7b8eeb 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -5,6 +5,7 @@ #include "mbedtls/pem.h" #include "mbedtls/oid.h" #include "mbedtls/rsa.h" +#include "mbedtls/asn1write.h" #include "hash_info.h" #include "mbedtls/legacy_or_psa.h" 
@@ -74,6 +75,56 @@ cleanup: } #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ +#if defined(MBEDTLS_X509_CSR_WRITE_C) + +/* + * The size of this temporary buffer is given by the sequence of functions + * called hereinafter: + * - mbedtls_asn1_write_oid() + * - 8 bytes for MBEDTLS_OID_EXTENDED_KEY_USAGE raw value + * - 1 byte for MBEDTLS_OID_EXTENDED_KEY_USAGE length + * - 1 byte for MBEDTLS_ASN1_OID tag + * - mbedtls_asn1_write_len() + * - 1 byte since we're dealing with sizes which are less than 0x80 + * - mbedtls_asn1_write_tag() + * - 1 byte + * + * This length is fine as long as this function is called using the + * MBEDTLS_OID_SERVER_AUTH OID. If this is changed in the future, then this + * buffer's length should be adjusted accordingly. + * Unfortunately there's no predefined max size for OIDs which can be used + * to set an overall upper boundary which is always guaranteed. + */ +#define EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH 12 + +static int csr_set_extended_key_usage( mbedtls_x509write_csr *ctx, + const char *oid, size_t oid_len ) +{ + unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 }; + unsigned char *p = buf + sizeof( buf ); + int ret; + size_t len = 0; + + /* + * Following functions fail anyway if the temporary buffer is not large, + * but we set an extra check here to emphasize a possible source of errors + */ + if ( oid_len > EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH ) + { + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; + } + + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &p, buf, oid, oid_len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, ret ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); + + ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_EXTENDED_KEY_USAGE, + MBEDTLS_OID_SIZE( MBEDTLS_OID_EXTENDED_KEY_USAGE ), 0, p, len ); + + return ret; +} +#endif /* MBEDTLS_X509_CSR_WRITE_C */ /* END_HEADER */ /* 
BEGIN_DEPENDENCIES @@ -84,7 +135,7 @@ cleanup: /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, int key_usage, int set_key_usage, int cert_type, - int set_cert_type ) + int set_cert_type, int set_extension ) { mbedtls_pk_context key; mbedtls_x509write_csr req; @@ -117,6 +168,9 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); if( set_cert_type != 0 ) TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); + if ( set_extension != 0 ) + TEST_ASSERT( csr_set_extended_key_usage( &req, MBEDTLS_OID_SERVER_AUTH, + MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) == 0 ); ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), mbedtls_test_rnd_pseudo_rand, &rnd_info ); From d3068af2a8b6067e0c8a5574fa984eecd8027782 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 14 Nov 2022 16:15:19 +0100 Subject: [PATCH 163/413] Optimize code (tasks list initialization, task verification) Signed-off-by: Przemek Stekiel --- tests/scripts/analyze_outcomes.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 2cdad692b9..ba38ec2808 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -175,17 +175,15 @@ def main(): result = True - tasks = [] if options.task == 'all': - for task in TASKS: - tasks.append(task) + tasks = TASKS.keys() else: tasks = options.task.split(',') - for task in tasks: - if task not in TASKS: - print('Error: invalid task: {}'.format(task)) - sys.exit(1) + for task in tasks: + if task not in TASKS: + print('Error: invalid task: {}'.format(task)) + sys.exit(1) for task in TASKS: if task in tasks: From 9a0aafbe79dc362aecd284a6e24ff3c52949bc89 Mon Sep 17 00:00:00 2001 
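Review bot: The size comment above `EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH` attributes the 8 raw bytes to `MBEDTLS_OID_EXTENDED_KEY_USAGE`, but what `mbedtls_asn1_write_oid()` writes into `buf` is the `oid` argument (`MBEDTLS_OID_SERVER_AUTH` in the only caller); `MBEDTLS_OID_EXTENDED_KEY_USAGE` is passed to `mbedtls_x509write_csr_set_extension()` and never enters this buffer, so the line should read `8 bytes for the MBEDTLS_OID_SERVER_AUTH value passed as oid`. The guard `if ( oid_len > EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH )` is looser than the arithmetic it documents, because the OID tag, its length byte and the SEQUENCE tag/length also live in `buf`; `if( oid_len + 4 > sizeof( buf ) ) return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );` makes the documented bound real (the ASN.1 writers still fail with a buffer-too-small error on overflow, so this is about the check meaning what the comment says, not memory safety). `mbedtls_asn1_write_len( &p, buf, ret )` only works because exactly one element precedes it and `ret` still holds that write's length; the usual `mbedtls_asn1_write_len( &p, buf, len )` survives a second OID being added. The `if ( ... )` spacing in both new `if`s also differs from the `if( ... )` form used in the surrounding context lines.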
From: Xiaokang Qian Date: Thu, 10 Nov 2022 10:45:43 +0000 Subject: [PATCH 164/413] Enable/disable MBEDTLS_SSL_EARLY_DATA for cases in ssl-opt.sh Signed-off-by: Xiaokang Qian --- programs/ssl/ssl_client2.c | 7 +++++++ tests/scripts/all.sh | 3 +++ tests/ssl-opt.sh | 9 +++++---- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 9685e69d4b..186ac18ded 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -64,6 +64,7 @@ int main( void ) #define DFL_KEY_OPAQUE 0 #define DFL_KEY_PWD "" #define DFL_PSK "" +#define DFL_EARLY_DATA MBEDTLS_SSL_EARLY_DATA_DISABLED #define DFL_PSK_OPAQUE 0 #define DFL_PSK_IDENTITY "Client_identity" #define DFL_ECJPAKE_PW NULL @@ -430,6 +431,7 @@ int main( void ) USAGE_REPRODUCIBLE \ USAGE_CURVES \ USAGE_SIG_ALGS \ + USAGE_EARLY_DATA \ USAGE_DHMLEN \ USAGE_KEY_OPAQUE_ALGS \ "\n" @@ -541,7 +543,9 @@ struct options * after renegotiation */ int reproducible; /* make communication reproducible */ int skip_close_notify; /* skip sending the close_notify alert */ +#if defined(MBEDTLS_SSL_EARLY_DATA) int early_data; /* support for early data */ +#endif int query_config_mode; /* whether to read config */ int use_srtp; /* Support SRTP */ int force_srtp_profile; /* SRTP protection profile to use or all */ @@ -941,6 +945,9 @@ int main( int argc, char *argv[] ) opt.alpn_string = DFL_ALPN_STRING; opt.curves = DFL_CURVES; opt.sig_algs = DFL_SIG_ALGS; +#if defined(MBEDTLS_SSL_EARLY_DATA) + opt.early_data = DFL_EARLY_DATA; +#endif opt.transport = DFL_TRANSPORT; opt.hs_to_min = DFL_HS_TO_MIN; opt.hs_to_max = DFL_HS_TO_MAX; diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9295c9d00f..32e920d22e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
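Review bot: Wrapping the `int early_data;` field of `struct options` in `#if defined(MBEDTLS_SSL_EARLY_DATA)` means every other reference to `opt.early_data` (the `early_data=` argument parser and whatever configures the SSL context from it, both outside these hunks) must be under the same guard, or a build without early data no longer compiles; please confirm those sites are covered. `DFL_EARLY_DATA` is defined unconditionally as `MBEDTLS_SSL_EARLY_DATA_DISABLED` and `USAGE_EARLY_DATA` is added to the usage string unconditionally; that is only safe if `MBEDTLS_SSL_EARLY_DATA_DISABLED` exists and `USAGE_EARLY_DATA` has an empty fallback definition when the option is off, which is not visible here. If either is conditional, guard the `#define DFL_EARLY_DATA` line the same way as the field.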
@@ -2105,6 +2105,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () { scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" @@ -3221,6 +3222,7 @@ component_build_armcc () { component_test_tls13_only () { msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2" + scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test: TLS 1.3 only, all key exchange modes enabled" @@ -3300,6 +3302,7 @@ component_test_tls13_only_psk_all () { component_test_tls13_only_ephemeral_all () { msg "build: TLS 1.3 only from default, without PSK key exchange mode" scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ccca83b739..20c1b0f4d7 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -13047,14 +13047,15 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_EARLY_DATA run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ - "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --earlydata --disable-client-cert" \ - "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \ + "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ 1 \ -c "client hello, adding early_data extension" \ -c "Reconnecting with saved session" \ - -c "unsupported extension found: 42" \ + -c "EncryptedExtensions: early_data(42) extension is unsupported" \ -s "Parsing extension 'Early Data/42' (0 bytes)" \ -s "Sending extension Early Data/42 (0 bytes)" From 72b9b17e1120f5c4c8ff7911697c57d73a26f8ee Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 11 Nov 2022 06:08:51 +0000 Subject: [PATCH 165/413] Add comments to fix mini format issue Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 02685e1f85..5294ec28bc 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
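Review bot: The test is titled "EarlyData: basic check, good" but its expected exit code is `1` and it asserts the client log line `EncryptedExtensions: early_data(42) extension is unsupported`, i.e. it pins the client rejecting the server's early-data acceptance rather than a successful 0-RTT exchange. Rename it, or add a comment above `run_test` such as `# Early data is not accepted yet: the client must reject the server's early_data extension; flip to 0 and check the data once reception is implemented`, so the expectation is not mistaken for the intended end state. The added `reco_delay=2` presumably sleeps two seconds before reconnecting; if a shorter delay is enough to get the ticket delivered, it will keep this slow path out of the suite's runtime.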
@@ -813,9 +813,9 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; typedef uint8_t mbedtls_ssl_tls13_ticket_flags; #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */ #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */ #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA \ MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION << 1 From f90111b2b59c26a9a0ed18184a93fa2445f48f06 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Tue, 15 Nov 2022 06:15:15 +0000 Subject: [PATCH 166/413] Must call mbedtls_mpi_mod_modulus_init() before anything else in tests Fixes (new) Coverity issues 381893 and 381894 Signed-off-by: Tom Cosgrove --- tests/suites/test_suite_bignum_mod_raw.function | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index d0ffd27b0f..ff766b9dca 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function @@ -300,9 +300,11 @@ void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X ) mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *A = NULL; mbedtls_mpi_uint *X = NULL; - mbedtls_mpi_mod_modulus m; size_t n_limbs, a_limbs, x_limbs, x_bytes; + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_mod_modulus_init( &m ); + /* Read inputs */ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &a_limbs, input_A ) ); 
@@ -312,7 +314,6 @@ void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X ) /* Test that input does not require more limbs than modulo */ TEST_LE_U(a_limbs, n_limbs); - mbedtls_mpi_mod_modulus_init( &m ); TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); @@ -335,9 +336,11 @@ void mpi_mod_raw_from_mont_rep( char * input_N, char * input_A, char * input_X ) mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *A = NULL; mbedtls_mpi_uint *X = NULL; - mbedtls_mpi_mod_modulus m; size_t n_limbs, a_limbs, x_limbs, x_bytes; + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_mod_modulus_init( &m ); + /* Read inputs */ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &a_limbs, input_A ) ); @@ -347,7 +350,6 @@ void mpi_mod_raw_from_mont_rep( char * input_N, char * input_A, char * input_X ) /* Test that input does not require more limbs than modulo */ TEST_LE_U(a_limbs, n_limbs); - mbedtls_mpi_mod_modulus_init( &m ); TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); From 2cd5ce0c6b41dbe69c39c3cda2bd491a04d9effb Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 15 Nov 2022 10:33:53 +0000 Subject: [PATCH 167/413] Fix various issues cause rebase to latest code Signed-off-by: Xiaokang Qian --- include/mbedtls/check_config.h | 3 --- include/mbedtls/mbedtls_config.h | 2 +- include/mbedtls/ssl.h | 7 +++++-- library/ssl_tls13_client.c | 1 - library/ssl_tls13_generic.c | 5 +++-- programs/ssl/ssl_client2.c | 12 ------------ 6 files changed, 9 insertions(+), 21 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index f932901ec6..3918639719 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
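Review bot: Moving `mbedtls_mpi_mod_modulus_init( &m )` above the first `TEST_EQUAL` is the right fix, but nothing in the code now records why the order matters, so a future tidy-up can move it back below the input reads. Add a comment on the new line in both functions, e.g. `/* Init before any TEST_* macro can jump to exit, where m is presumably freed */`, matching the `= NULL` initialisers of `N`, `A` and `X` that exist for the same reason. The `exit:` label and its cleanup are outside the hunk, so please confirm `mbedtls_mpi_mod_modulus_free( &m )` is indeed what runs there.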
@@ -842,9 +842,6 @@ "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx" #endif -/* Early data requires MBEDTLS_SSL_SESSION_TICKETS and SOME_PSK related - * mode defined - */ #if defined(MBEDTLS_SSL_EARLY_DATA) && \ ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \ ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 12d503e389..3f869b9ffc 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1648,7 +1648,7 @@ * production. * */ -//#define MBEDTLS_SSL_EARLY_DATA +#define MBEDTLS_SSL_EARLY_DATA /** * \def MBEDTLS_SSL_PROTO_DTLS diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 5294ec28bc..6829fd7b67 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -816,9 +816,12 @@ typedef uint8_t mbedtls_ssl_tls13_ticket_flags; MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */ #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */ -#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA \ - MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION << 1 +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1U << 3 ) +#define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK \ + ( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION | \ + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION | \ + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ /** * \brief Callback type: server-side session cache getter diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 405cce031f..d276a95660 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
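Review bot: `#define MBEDTLS_SSL_EARLY_DATA` is now enabled in the default `mbedtls_config.h` while the doc comment directly above still says the feature is experimental, not completed and not ready for production; 0-RTT data is replayable by design (RFC 8446 section 8), so turning an unfinished early-data path on by default is a security exposure that the commit message ("fix various issues cause rebase") does not explain. If the goal is only CI coverage, keep `//#define MBEDTLS_SSL_EARLY_DATA` here and enable it per component with `scripts/config.py set MBEDTLS_SSL_EARLY_DATA`, as PATCH 164 of this series already does in all.sh. If default-on is intended, the doc comment must say so and explain why that is acceptable for an experimental option.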
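Review bot: With `MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA` now `( 1U << 3 )`, the flag layout is bits 0, 2 and 3: bit 1 is skipped so that the two resumption flags can stay numerically equal to the corresponding `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx` values (the comments give `1U << 0` and `1U << 2`, which suggests `1U << 1` is the ephemeral-only mode). That invariant is not written down and a later contributor could "fill the gap"; add a comment next to the mask, e.g. `/* Bit 1 is reserved: the resumption flags must keep the values of the matching KEY_EXCHANGE_MODE macros */`. Whatever parses flags out of a received ticket should also reject values with bits outside `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` rather than silently masking them, but that consumer is outside this hunk.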
@@ -2542,7 +2542,6 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, switch( extension_type ) { case MBEDTLS_TLS_EXT_EARLY_DATA: - MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) ); if( extension_data_len != 4 ) { MBEDTLS_SSL_PEND_FATAL_ALERT( diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 04790387a6..761c00ec52 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1395,13 +1395,14 @@ int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl, ((void) ssl); MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "client hello, adding early_data extension" ) ); MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 ); MBEDTLS_PUT_UINT16_BE( 0, p, 2 ); *out_len = 4; + + mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_EARLY_DATA ); + return( 0 ); } #endif /* MBEDTLS_SSL_EARLY_DATA */ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 186ac18ded..6aa295d662 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2504,12 +2504,6 @@ int main( int argc, char *argv[] ) } } -#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) - /* TODO: We can log the actual early data status after we define - * the API mbedtls_ssl_get_early_data_status. - */ -#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ - #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) /* * 5. Verify the server certificate @@ -3220,12 +3214,6 @@ reconnect: mbedtls_printf( " ok\n" ); -#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) - /* TODO: We can log the actual early data status when reconnect - * after we define the API mbedtls_ssl_get_early_data_status. - */ -#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ - goto send_request; } From aa88e0b86b5df3d70b9b6fb80d8116a61e984450 Mon Sep 17 00:00:00 2001 
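Review bot: `mbedtls_ssl_tls13_write_early_data_ext()` now uses `ssl` in the added `mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_EARLY_DATA );` call, so the `((void) ssl);` kept as context at the top of the hunk is stale and should be removed. The same hunk deletes the `"client hello, adding early_data extension"` debug message, yet the ssl-opt.sh case added in PATCH 164 of this series greps the client log for exactly that string (`-c "client hello, adding early_data extension"`); unless the caller now emits it, that test will fail. Either keep the `MBEDTLS_SSL_DEBUG_MSG( 3, ... )` line or update the ssl-opt.sh expectation in the same commit so the series stays bisectable.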
From: Przemek Stekiel Date: Tue, 15 Nov 2022 13:21:14 +0100 Subject: [PATCH 168/413] Make configurations (driver, reference) as close as possible Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 83 +++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 40 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6a7501a978..9fba034cde 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2041,6 +2041,45 @@ component_test_psa_crypto_config_accel_hash () { make test } +# Auxiliary function to build config for hashes with and without drivers +config_psa_crypto_hash_use_psa () { + DRIVER_ONLY="$1" + # start with config full for maximum coverage (also enables USE_PSA) + scripts/config.py full + # enable support for configuring PSA-only algorithms + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + if [ "$DRIVER_ONLY" -eq 1 ]; then + # enable support for drivers + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + # disable the built-in implementation of hashes + scripts/config.py unset MBEDTLS_MD5_C + scripts/config.py unset MBEDTLS_RIPEMD160_C + scripts/config.py unset MBEDTLS_SHA1_C + scripts/config.py unset MBEDTLS_SHA224_C + scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA384_C + scripts/config.py unset MBEDTLS_SHA512_C + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + fi + # Use an external RNG as currently internal RNGs depend on entropy.c + # which in turn hard-depends on SHA256_C (or SHA512_C). + # See component_test_psa_external_rng_no_drbg_use_psa. + scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + scripts/config.py unset MBEDTLS_ENTROPY_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former + # Also unset MD_C and things that depend on it; + # see component_test_crypto_full_no_md. 
+ if [ "$DRIVER_ONLY" -eq 1 ]; then + scripts/config.py unset MBEDTLS_MD_C + fi + scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA +} + # Note that component_test_psa_crypto_config_reference_hash_use_psa # is related to this component and both components need to be kept in sync. # For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. 
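Review bot: `config_psa_crypto_hash_use_psa` assigns `DRIVER_ONLY="$1"` without `local`, so the value leaks into the global shell environment of all.sh, and `[ "$DRIVER_ONLY" -eq 1 ]` emits an "integer expression expected" error if the function is ever called without an argument. Use `local driver_only="${1:?usage: config_psa_crypto_hash_use_psa 0|1}"` (all.sh is a bash script, so `local` is available) and test that variable in both `if`s. The two `if [ ... -eq 1 ]` branches could also be merged into one, with the `MBEDTLS_MD_C` unset placed next to the other built-in hash unsets it belongs with, which keeps the "disable built-ins only in driver mode" logic in a single place.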
@@ -2056,35 +2095,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () { loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - # start with config full for maximum coverage (also enables USE_PSA) - scripts/config.py full - # enable support for drivers and configuring PSA-only algorithms - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - # disable the built-in implementation of hashes - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - scripts/config.py unset MBEDTLS_SHA1_C - scripts/config.py unset MBEDTLS_SHA224_C - scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA384_C - scripts/config.py unset MBEDTLS_SHA512_C - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - # Use an external RNG as currently internal RNGs depend on entropy.c - # which in turn hard-depends on SHA256_C (or SHA512_C). - # See component_test_psa_external_rng_no_drbg_use_psa. - scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former - # Also unset MD_C and things that depend on it; - # see component_test_crypto_full_no_md. 
- scripts/config.py unset MBEDTLS_MD_C - scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + config_psa_crypto_hash_use_psa 1 loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all @@ -2105,7 +2116,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () { tests/ssl-opt.sh msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" - tests/compat.sh + #tests/compat.sh } # This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa @@ -2114,16 +2125,8 @@ component_test_psa_crypto_config_accel_hash_use_psa () { # Both components need to be kept in sync. component_test_psa_crypto_config_reference_hash_use_psa() { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA" - # start with full - scripts/config.py full - # use PSA config and disable driver-less algs as in the component - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - # disable options as in the component - # (no need to disable whole modules, we'll just skip their test suite) - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + + config_psa_crypto_hash_use_psa 0 make From 9f0ec53c4c876c02dd75f89c3c0ab0eb7917d560 Mon Sep 17 00:00:00 2001 
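Review bot: Commenting out `tests/compat.sh` in the `@@ -2105,7 +2116,7 @@` hunk silently drops that test while the preceding `msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"` line still reports it as running, so a CI log reads as if compat.sh ran and passed. If the run has to be disabled, the `msg` line should go with it and a comment should record why and what re-enables it, e.g. `# compat.sh disabled: <reason placeholder>, re-enable when <condition placeholder>`. As it stands the change looks accidental in a commit whose stated purpose is factoring the configuration into a helper.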
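Review bot: In the `@@ -2114,16 +2125,8 @@` hunk the reference component loses its `unset PSA_WANT_ALG_STREAM_CIPHER` and `unset PSA_WANT_ALG_ECB_NO_PADDING` lines, and config_psa_crypto_hash_use_psa does not reproduce them, so the reference build's PSA configuration is no longer what it was. If those two lines were already stale relative to the accelerated component (the lines removed from it in the `@@ -2056,35 +2095,7 @@` hunk do not unset them either), a sentence in the commit message saying so would settle it; otherwise the helper needs `scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER` and the matching ECB line so the two components stay in sync as their comments require.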
From: Valerio Setti Date: Tue, 8 Nov 2022 13:03:24 +0100 Subject: [PATCH 169/413] add a test for EC-JPAKE compatibility in TLS1.2 This is to ensure that the MbedTLS based implementation of EC-JPAKE is compatible with the PSA crypto one Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9295c9d00f..b2af01c380 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1437,6 +1437,31 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { tests/ssl-opt.sh -f "TLS 1.2" } +# We're not aware of any other (open source) implementation of EC J-PAKE in TLS +# that we could use for interop testing. However, we now have sort of two +# implementations ourselves: one using PSA, the other not. At least test that +# these two interoperate with each other. +component_test_tls1_2_ecjpake_compatibility() { + msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" + scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + make -C programs ssl/ssl_server2 ssl/ssl_client2 + cp programs/ssl/ssl_server2 s2_no_use_psa + cp programs/ssl/ssl_client2 c2_no_use_psa + + msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + make clean + make -C programs ssl/ssl_server2 ssl/ssl_client2 + make -C programs test/udp_proxy test/query_compile_time_config + + msg "test: server w/o USE_PSA - client w/ USE_PSA" + P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f ECJPAKE + msg "test: client w/o USE_PSA - server w/ USE_PSA" + P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f ECJPAKE + + rm s2_no_use_psa c2_no_use_psa +} + component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full From 72ee1e3f3c4b7045cca770577d70cc88cb7b5460 Mon Sep 17 00:00:00 2001 
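Review bot: The `s2_no_use_psa` and `c2_no_use_psa` copies placed at the repository root are only removed by the final `rm`, so if either `tests/ssl-opt.sh -f ECJPAKE` run fails (or all.sh aborts on the first failing command, which the hunk does not show) the stale binaries remain and could be picked up by the next run of this component; either register the two names with all.sh's cleanup routine or remove them before the second build via `trap 'rm -f s2_no_use_psa c2_no_use_psa' EXIT` at the top of the function. The component also applies `scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` to whatever configuration is current rather than starting from `scripts/config.py full` or a default as the neighbouring components do; if all.sh restores the default config between components that is fine, but a comment saying so would help. A one-line header comment stating that the first build deliberately has no `MBEDTLS_USE_PSA_CRYPTO` would make the intent of the two builds clear to a reader of the log.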
From: Gilles Peskine Date: Wed, 9 Nov 2022 21:34:09 +0100 Subject: [PATCH 170/413] Unify mbedtls_mpi_add_mpi and mbedtls_mpi_sub_mpi mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() have the same logic, just with one bit to flip in the sign calculation. Move the shared logic to a new auxiliary function. This slightly reduces the code size (if the compiler doesn't inline) and reduces the maintenance burden. Signed-off-by: Gilles Peskine --- library/bignum.c | 47 +++++++++++++++-------------------------------- 1 file changed, 15 insertions(+), 32 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 521787d749..abbf9b8a45 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -972,10 +972,12 @@ cleanup: return( ret ); } -/* - * Signed addition: X = A + B +/* Common function for signed addition and subtraction. + * Calculate A + B * flip_B where flip_B is 1 or -1. */ -int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) +static int add_sub_mpi( mbedtls_mpi *X, + const mbedtls_mpi *A, const mbedtls_mpi *B, + int flip_B ) { int ret, s; MPI_VALIDATE_RET( X != NULL ); @@ -983,7 +985,7 @@ int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi MPI_VALIDATE_RET( B != NULL ); s = A->s; - if( A->s * B->s < 0 ) + if( A->s * B->s * flip_B < 0 ) { if( mbedtls_mpi_cmp_abs( A, B ) >= 0 ) { 
@@ -1007,39 +1009,20 @@ cleanup: return( ret ); } +/* + * Signed addition: X = A + B + */ +int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) +{ + return( add_sub_mpi( X, A, B, 1 ) ); +} + /* * Signed subtraction: X = A - B */ int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B ) { - int ret, s; - MPI_VALIDATE_RET( X != NULL ); - MPI_VALIDATE_RET( A != NULL ); - MPI_VALIDATE_RET( B != NULL ); - - s = A->s; - if( A->s * B->s > 0 ) - { - if( mbedtls_mpi_cmp_abs( A, B ) >= 0 ) - { - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) ); - X->s = s; - } - else - { - MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) ); - X->s = -s; - } - } - else - { - MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) ); - X->s = s; - } - -cleanup: - - return( ret ); + return( add_sub_mpi( X, A, B, -1 ) ); } /* From 128895775d4ccb64977f1d3f7020b85f19428fa8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 21:55:33 +0100 Subject: [PATCH 171/413] Document invariants of MPI objects Note that s must be +1 for zero. Note that p may be NULL for zero, when n is 0. Signed-off-by: Gilles Peskine --- include/mbedtls/bignum.h | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 9d15955f34..3bd1ca0260 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h 
@@ -188,9 +188,27 @@ extern "C" { */ typedef struct mbedtls_mpi { - int MBEDTLS_PRIVATE(s); /*!< Sign: -1 if the mpi is negative, 1 otherwise */ - size_t MBEDTLS_PRIVATE(n); /*!< total # of limbs */ - mbedtls_mpi_uint *MBEDTLS_PRIVATE(p); /*!< pointer to limbs */ + /** Sign: -1 if the mpi is negative, 1 otherwise. + * + * The number 0 must be represented with `s = +1`. Although many library + * functions treat all-limbs-zero as equivalent to a valid representation + * of 0 regardless of the sign bit, there are exceptions, so bignum + * functions and external callers must always set \c s to +1 for the + * number zero. + * + * Note that this implies that calloc() or `... = {0}` does not create + * a valid MPI representation. You must call mbedtls_mpi_init(). + */ + int MBEDTLS_PRIVATE(s); + + /** Total number of limbs in \c p. */ + size_t MBEDTLS_PRIVATE(n); + + /** Pointer to limbs. + * + * This may be \c NULL if \c n is 0. + */ + mbedtls_mpi_uint *MBEDTLS_PRIVATE(p); } mbedtls_mpi; From 4cbbfd8d4ee6c724c385688467f23ca5a73071fc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 21:57:52 +0100 Subject: [PATCH 172/413] For binary operations, test both x op y and y op x This exposes a bug in mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() which will be fixed in a subsequent commit. Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/bignum_common.py | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 279668fd5f..c2891fc617 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
@@ -57,15 +57,8 @@ def limbs_mpi(val: int, bits_in_limb: int) -> int: return (val.bit_length() + bits_in_limb - 1) // bits_in_limb def combination_pairs(values: List[T]) -> List[Tuple[T, T]]: - """Return all pair combinations from input values. - - The return value is cast, as older versions of mypy are unable to derive - the specific type returned by itertools.combinations_with_replacement. - """ - return typing.cast( - List[Tuple[T, T]], - list(itertools.combinations_with_replacement(values, 2)) - ) + """Return all pair combinations from input values.""" + return [(x, y) for x in values for y in values] class OperationCommon: From 4a768dd17d9910e0e90ae739ecdaf68de1ee78f9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 22:02:16 +0100 Subject: [PATCH 173/413] Fix negative zero created by (-A) + (+A) or (-A) - (-A) In mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi(), and by extention mbedtls_mpi_add_int() and mbedtls_mpi_sub_int(), when the resulting value was zero, the sign bit of the result was incorrectly set to -1 when the left-hand operand was negative. This is not a valid mbedtls_mpi representation. Fix this: always set the sign to +1 when the result is 0. Signed-off-by: Gilles Peskine --- library/bignum.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index abbf9b8a45..42be815ba8 100644 --- a/library/bignum.c +++ b/library/bignum.c 
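Review bot: combination_pairs now returns every ordered pair, including both (x, y) and (y, x) and the (x, x) diagonal, but its name and the new docstring still say "pair combinations", which in itertools terms is the unordered set the old implementation produced. The docstring should state the new contract, e.g. `"""Return all ordered pairs (x, y) of input values, so both (x, y) and (y, x) are generated."""`, and `list(itertools.product(values, repeat=2))` expresses the comprehension directly; note that a later commit on this page drops the `itertools` import as unused, which would then need to stay. The commit message says this exposes an add/sub bug, which is a good reason for the change but not something a reader of this function can tell from the code, so it belongs in the docstring too.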
@@ -987,14 +987,19 @@ static int add_sub_mpi( mbedtls_mpi *X,
 s = A->s;
 if( A->s * B->s * flip_B < 0 )
 {
- if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+ int cmp = mbedtls_mpi_cmp_abs( A, B );
+ if( cmp >= 0 )
 {
 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
- X->s = s;
+ /* If |A| = |B|, the result is 0 and we must set the sign bit
+ * to +1 regardless of which of A or B was negative. Otherwise,
+ * since |A| > |B|, the sign is the sign of A. */
+ X->s = cmp == 0 ? 1 : s;
 }
 else
 {
 MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+ /* Since |A| < |B|, the sign is the opposite of A. */
 X->s = -s;
 }
 }
From 806c9588ef424af188c5afe3c0932acee131bd63 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 9 Nov 2022 22:05:52 +0100
Subject: [PATCH 174/413] Changelog entry for the negative zero from add/sub
Signed-off-by: Gilles Peskine
---
 ChangeLog.d/negative-zero-from-add.txt | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 ChangeLog.d/negative-zero-from-add.txt
diff --git a/ChangeLog.d/negative-zero-from-add.txt b/ChangeLog.d/negative-zero-from-add.txt
new file mode 100644
index 0000000000..107d858d36
--- /dev/null
+++ b/ChangeLog.d/negative-zero-from-add.txt
@@ -0,0 +1,6 @@
+Bugfix
+ * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
+ with A > 0 created an unintended representation of the value 0 which was
+ not processed correctly by some bignum operations. Fix this. This had no
+ consequence on cryptography code, but might affect applications that call
+ bignum directly and use negative numbers.
From ca6e8aac587966c726c25723c67c3680edc57ef5 Mon Sep 17 00:00:00 2001
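Review bot: The `X->s = cmp == 0 ? 1 : s;` fix in add_sub_mpi is right for the subtraction branch, but the changelog entry added at this same anchor for the bug describes the zero-producing inputs as `(-A) - (+A) or (-A) - (-A)`; with A > 0 the first form is -2A, not 0, and the forms that actually hit the `cmp == 0` path are `(-A) + (+A)` and `(-A) - (-A)`, as the commit message says. The changelog line should read ` * In the bignum module, operations of the form (-A) + (+A) or (-A) - (-A)`. The `else` branch of the outer `if` (the add_abs path, which keeps `X->s = s`) lies outside this hunk, so whether a negative-zero A input is propagated there cannot be judged from the hunk alone; a short comment on that branch saying the sign of A is kept, including for a negative-zero input, would document the intended behaviour.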
From: Gilles Peskine Date: Wed, 9 Nov 2022 21:08:44 +0100 Subject: [PATCH 175/413] Support negative zero as MPI test input The bignum module does not officially support "negative zero" (an mbedtls_mpi object with s=-1 and all limbs zero). However, we have a history of bugs where a function that should produce an official zero (with s=1), produces a negative zero in some circumstances. So it's good to check that the bignum functions are robust when passed a negative zero as input. And for that, we need a way to construct a negative zero from test case arguments. There are checks that functions don't produce negative zeros as output in the test suite. Skip those checks if there's a negative zero input: we don't want functions to _create_ negative zeros, but we don't mind if they _propagate_ negative zeros. Signed-off-by: Gilles Peskine --- tests/include/test/helpers.h | 26 +++++++++++++++++----- tests/src/helpers.c | 28 ++++++++++++++++++++++-- tests/suites/test_suite_bignum.function | 17 +++++++++++--- tests/suites/test_suite_bignum.misc.data | 24 ++++++++++++++++++++ 4 files changed, 84 insertions(+), 11 deletions(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index e0e6fd27fe..568d5e5273 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h 
@@ -295,13 +295,19 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs, /** Read an MPI from a hexadecimal string. * - * Like mbedtls_mpi_read_string(), but size the resulting bignum based - * on the number of digits in the string. In particular, construct a - * bignum with 0 limbs for an empty string, and a bignum with leading 0 - * limbs if the string has sufficiently many leading 0 digits. + * Like mbedtls_mpi_read_string(), but with tighter guarantees around + * edge cases. * - * This is important so that the "0 (null)" and "0 (1 limb)" and - * "leading zeros" test cases do what they claim. + * - This function guarantees that if \p s begins with '-' then the sign + * bit of the result will be negative, even if the value is 0. + * When this function encounters such a "negative 0", it + * increments #mbedtls_test_read_mpi. + * - The size of the result is exactly the minimum number of limbs needed + * to fit the digits in the input. In particular, this function constructs + * a bignum with 0 limbs for an empty string, and a bignum with leading 0 + * limbs if the string has sufficiently many leading 0 digits. + * This is important so that the "0 (null)" and "0 (1 limb)" and + * "leading zeros" test cases do what they claim. * * \param[out] X The MPI object to populate. It must be initialized. * \param[in] s The null-terminated hexadecimal string to read from. 
@@ -309,6 +315,14 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs, * \return \c 0 on success, an \c MBEDTLS_ERR_MPI_xxx error code otherwise. */ int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s ); + +/** Nonzero if the current test case had an input parsed with + * mbedtls_test_read_mpi() that is a negative 0 (`"-"`, `"-0"`, `"-00"`, etc., + * constructing a result with the sign bit set to -1 and the value being + * all-limbs-0, which is not a valid representation in #mbedtls_mpi but is + * tested for robustness). + */ +extern unsigned mbedtls_test_case_uses_negative_0; #endif /* MBEDTLS_BIGNUM_C */ #endif /* TEST_HELPERS_H */ diff --git a/tests/src/helpers.c b/tests/src/helpers.c index cc23fd7c4d..7c83714f19 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c @@ -89,6 +89,10 @@ void mbedtls_test_set_step( unsigned long step ) mbedtls_test_info.step = step; } +#if defined(MBEDTLS_BIGNUM_C) +unsigned mbedtls_test_case_uses_negative_0 = 0; +#endif + void mbedtls_test_info_reset( void ) { mbedtls_test_info.result = MBEDTLS_TEST_RESULT_SUCCESS; @@ -98,6 +102,9 @@ void mbedtls_test_info_reset( void ) mbedtls_test_info.filename = 0; memset( mbedtls_test_info.line1, 0, sizeof( mbedtls_test_info.line1 ) ); memset( mbedtls_test_info.line2, 0, sizeof( mbedtls_test_info.line2 ) ); +#if defined(MBEDTLS_BIGNUM_C) + mbedtls_test_case_uses_negative_0 = 0; +#endif } int mbedtls_test_equal( const char *test, int line_no, const char* filename, 
@@ -396,6 +403,15 @@ exit: int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s ) { + int negative = 0; + /* Always set the sign bit to -1 if the input has a minus sign, even for 0. + * This creates an invalid representation, which mbedtls_mpi_read_string() + * avoids but we want to be able to create that in test data. */ + if( s[0] == '-' ) + { + ++s; + negative = 1; + } /* mbedtls_mpi_read_string() currently retains leading zeros. * It always allocates at least one limb for the value 0. */ if( s[0] == 0 ) @@ -403,7 +419,15 @@ int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s ) mbedtls_mpi_free( X ); return( 0 ); } - else - return( mbedtls_mpi_read_string( X, 16, s ) ); + int ret = mbedtls_mpi_read_string( X, 16, s ); + if( ret != 0 ) + return( ret ); + if( negative ) + { + if( mbedtls_mpi_cmp_int( X, 0 ) == 0 ) + ++mbedtls_test_case_uses_negative_0; + X->s = -1; + } + return( 0 ); } #endif diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 5c3d776f09..b75f534f46 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function @@ -13,10 +13,21 @@ * constructing the value. */ static int sign_is_valid( const mbedtls_mpi *X ) { + /* Only +1 and -1 are valid sign bits, not e.g. 0 */ if( X->s != 1 && X->s != -1 ) - return( 0 ); // invalid sign bit, e.g. 0 - if( mbedtls_mpi_bitlen( X ) == 0 && X->s != 1 ) - return( 0 ); // negative zero + return( 0 ); + + /* The value 0 must be represented with the sign +1. A "negative zero" + * with s=-1 is an invalid representation. Forbid that. As an exception, + * we sometimes test the robustness of library functions when given + * a negative zero input. If a test case has a negative zero as input, + * we don't mind if the function has a negative zero output. */ + if( ! mbedtls_test_case_uses_negative_0 && + mbedtls_mpi_bitlen( X ) == 0 && X->s != 1 ) + { + return( 0 ); + } + return( 1 ); } 
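Review bot: In the `@@ -403,7 +419,15 @@` hunk of tests/src/helpers.c, the input `"-"` never produces a negative zero: the leading `-` is consumed, `s[0] == 0` then reaches the early `mbedtls_mpi_free( X ); return( 0 );`, and the `negative` flag and the `mbedtls_test_case_uses_negative_0` increment are only applied after `mbedtls_mpi_read_string()` on the non-empty path. That contradicts the helpers.h documentation in this series, which lists `"-"` among the negative-0 inputs, and the new test_suite_bignum.misc.data cases at the next anchor, whose descriptions say "-0 (null)" but which actually exercise a plain 0-limb zero, so the `sign_is_valid` exception in test_suite_bignum.function is not triggered for them either. The empty-string branch needs to apply the sign and bump the counter as below; this assumes `mbedtls_mpi_free()` leaves the sign at +1, which the hunk does not show.
```c
    if( s[0] == 0 )
    {
        mbedtls_mpi_free( X );
        /* A bare "-" is a negative zero with 0 limbs: apply the sign and
         * count it, exactly as "-0" is handled after read_string below. */
        if( negative )
        {
            ++mbedtls_test_case_uses_negative_0;
            X->s = -1;
        }
        return( 0 );
    }
    /* … unchanged: mbedtls_mpi_read_string() call and sign handling … */
```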
diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index 0b8aa334ac..818f3613b0 100644 --- a/tests/suites/test_suite_bignum.misc.data +++ b/tests/suites/test_suite_bignum.misc.data @@ -1144,6 +1144,18 @@ mpi_div_mpi:"":"1":"":"":0 Test mbedtls_mpi_div_mpi: 0 (null) / -1 mpi_div_mpi:"":"-1":"":"":0 +Test mbedtls_mpi_div_mpi: -0 (null) / 1 +mpi_div_mpi:"-":"1":"":"":0 + +Test mbedtls_mpi_div_mpi: -0 (null) / -1 +mpi_div_mpi:"-":"-1":"":"":0 + +Test mbedtls_mpi_div_mpi: -0 (null) / 42 +mpi_div_mpi:"-":"2a":"":"":0 + +Test mbedtls_mpi_div_mpi: -0 (null) / -42 +mpi_div_mpi:"-":"-2a":"":"":0 + Test mbedtls_mpi_div_mpi #1 mpi_div_mpi:"9e22d6da18a33d1ef28d2a82242b3f6e9c9742f63e5d440f58a190bfaf23a7866e67589adb80":"22":"4a6abf75b13dc268ea9cc8b5b6aaf0ac85ecd437a4e0987fb13cf8d2acc57c0306c738c1583":"1a":0 @@ -1204,6 +1216,18 @@ mpi_mod_mpi:"":"1":"":0 Test mbedtls_mpi_mod_mpi: 0 (null) % -1 mpi_mod_mpi:"":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE +Test mbedtls_mpi_mod_mpi: -0 (null) % 1 +mpi_mod_mpi:"-":"1":"":0 + +Test mbedtls_mpi_mod_mpi: -0 (null) % -1 +mpi_mod_mpi:"-":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE + +Test mbedtls_mpi_mod_mpi: -0 (null) % 42 +mpi_mod_mpi:"-":"2a":"":0 + +Test mbedtls_mpi_mod_mpi: -0 (null) % -42 +mpi_mod_mpi:"-":"-2a":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE + Base test mbedtls_mpi_mod_int #1 mpi_mod_int:"3e8":"d":"c":0 From 35af02171d186b29c746e9e54c32387f75dcd30d Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Tue, 15 Nov 2022 20:43:33 +0100 Subject: [PATCH 176/413] Add negative zero as an input to automatically generated tests Although negative zero is officially unsupported, we've had bugs related to it in the past. So do test functions with a negative zero input. There will likely be cases where we don't want to accept negative zero as if it was valid, because it's too hard to handle. We'll add exceptions on a case by case basis. For the functions that are currently tested by the generated tests, the new test cases pass. Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/bignum_common.py | 8 +++++++- tests/scripts/generate_bignum_tests.py | 28 +++++++++++++++++++++++--- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index c2891fc617..1eb4ca7dfb 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -38,7 +38,13 @@ def invmod(a: int, n: int) -> int: raise ValueError("Not invertible") def hex_to_int(val: str) -> int: - return int(val, 16) if val else 0 + """Implement the syntax accepted by mbedtls_test_read_mpi(). + + This is a superset of what is accepted by mbedtls_test_read_mpi_core(). + """ + if val == '' or val == '-': + return 0 + return int(val, 16) def quote_str(val) -> str: return "\"{}\"".format(val) diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index a105203b04..f1b24409ea 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py 
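Review bot: The new docstring on hex_to_int says it implements "the syntax accepted by mbedtls_test_read_mpi()", but the `int(val, 16)` fallback also accepts a `0x` prefix, underscores, surrounding whitespace and a leading `+`, none of which the C helper parses, so the Python model is strictly more permissive than the function it claims to mirror. Since the generator's inputs are fixed lists this is harmless in practice, and tightening the wording is enough: `"""Parse a hex test input as mbedtls_test_read_mpi() does: '' and '-' denote 0 (the latter a negative zero); other int() extensions are not rejected."""`. The `val == '' or val == '-'` test is rewritten as a membership test by a later commit on this page, so no change is needed there.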
@@ -78,11 +78,16 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC #pylint: disable=abstract-method """Common features for bignum operations in legacy tests.""" input_values = [ - "", "0", "7b", "-7b", + "", "0", "-", "-0", + "7b", "-7b", "0000000000000000123", "-0000000000000000123", "1230000000000000000", "-1230000000000000000" ] + def description_suffix(self) -> str: + """Text to add at the end of the test case description.""" + return "" + def description(self) -> str: """Generate a description for the test case. @@ -96,6 +101,9 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC self.symbol, self.value_description(self.arg_b) ) + description_suffix = self.description_suffix() + if description_suffix: + self.case_description += " " + description_suffix return super().description() @staticmethod @@ -107,6 +115,8 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC """ if val == "": return "0 (null)" + if val == "-": + return "negative 0 (null)" if val == "0": return "0 (1 limb)" @@ -171,9 +181,21 @@ class BignumAdd(BignumOperation): ] ) - def result(self) -> List[str]: - return [bignum_common.quote_str("{:x}").format(self.int_a + self.int_b)] + def __init__(self, val_a: str, val_b: str) -> None: + super().__init__(val_a, val_b) + self._result = self.int_a + self.int_b + def description_suffix(self) -> str: + if (self.int_a >= 0 and self.int_b >= 0): + return "" # obviously positive result or 0 + if (self.int_a <= 0 and self.int_b <= 0): + return "" # obviously negative result or 0 + # The sign of the result is not obvious, so indicate it + return ", result{}0".format('>' if self._result > 0 else + '<' if self._result < 0 else '=') + + def result(self) -> List[str]: + return [bignum_common.quote_str("{:x}".format(self._result))] if __name__ == '__main__': # Use the section of the docstring relevant to the CLI as description 
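Review bot: value_description in the `@@ -107,6 +115,8 @@` hunk gains a case for `"-"` but not for `"-0"`, which the first hunk adds to input_values alongside it, so `"-0"` falls through to the code after the hunk (not visible here, presumably the generic negative-value wording) and the generated case names will not distinguish a 1-limb negative zero from an ordinary negative operand; add `if val == "-0": return "negative 0 (1 limb)"` next to the `"-"` case, mirroring the existing "0 (null)"/"0 (1 limb)" pair. In BignumAdd.description_suffix the parenthesised conditions `if (self.int_a >= 0 and self.int_b >= 0):` read as C; `if self.int_a >= 0 and self.int_b >= 0:` is the house style elsewhere in this file. The `self.case_description += " " + description_suffix` in description() appends on every call; if description() can be invoked more than once per case the suffix would be duplicated, which cannot be judged from the hunk since the assignment that builds case_description starts above it.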
From b9b9026c531e0f6c6df02a1025cdabc48cfa0e99 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 10 Nov 2022 09:15:21 +0100 Subject: [PATCH 177/413] Pacify pylint Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/bignum_common.py | 5 +---- tests/scripts/generate_bignum_tests.py | 1 + 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 1eb4ca7dfb..8b11bc283c 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -14,9 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -import itertools -import typing - from abc import abstractmethod from typing import Iterator, List, Tuple, TypeVar @@ -42,7 +39,7 @@ def hex_to_int(val: str) -> int: This is a superset of what is accepted by mbedtls_test_read_mpi_core(). """ - if val == '' or val == '-': + if val in ['', '-']: return 0 return int(val, 16) diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index f1b24409ea..eee2f657ad 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py @@ -85,6 +85,7 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC ] def description_suffix(self) -> str: + #pylint: disable=no-self-use # derived classes need self """Text to add at the end of the test case description.""" return "" From 23875ceb112cc2dd66b034a76f7357c641987338 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 11 Nov 2022 15:59:51 +0100 Subject: [PATCH 178/413] Fix autocucumber in documentation Signed-off-by: Gilles Peskine --- tests/include/test/helpers.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 568d5e5273..5f9bde697b 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h 
@@ -301,7 +301,7 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs, * - This function guarantees that if \p s begins with '-' then the sign * bit of the result will be negative, even if the value is 0. * When this function encounters such a "negative 0", it - * increments #mbedtls_test_read_mpi. + * increments #mbedtls_test_case_uses_negative_0. * - The size of the result is exactly the minimum number of limbs needed * to fit the digits in the input. In particular, this function constructs * a bignum with 0 limbs for an empty string, and a bignum with leading 0 From 348410f7097bfffdd73d9c370d2d1eb7a75b9b2c Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 15 Nov 2022 22:22:07 +0100 Subject: [PATCH 179/413] Make a copy of the key in operation while setting pake password Additionally use psa_get_and_lock_key_slot_with_policy() to obtain key. This requires making this function public. This will have to be solved while adding driver dipatch for EC-JPAKE. Signed-off-by: Przemek Stekiel --- include/psa/crypto_extra.h | 5 ++-- library/psa_crypto.c | 2 +- library/psa_crypto_pake.c | 59 +++++++++++++++++++++++++++++--------- 3 files changed, 49 insertions(+), 17 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 4f65398e24..d527e579b6 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -1829,7 +1829,7 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation ); */ #if defined(MBEDTLS_PSA_BUILTIN_PAKE) #define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, 0, 0, 0, 0, \ - MBEDTLS_SVC_KEY_ID_INIT, \ + NULL, 0 , \ PSA_PAKE_ROLE_NONE, {0}, 0, 0, \ {.dummy = 0}} #else 
@@ -1920,7 +1920,8 @@ struct psa_pake_operation_s #if defined(MBEDTLS_PSA_BUILTIN_PAKE) unsigned int MBEDTLS_PRIVATE(input_step); unsigned int MBEDTLS_PRIVATE(output_step); - mbedtls_svc_key_id_t MBEDTLS_PRIVATE(password); + uint8_t* MBEDTLS_PRIVATE(password_data); + size_t MBEDTLS_PRIVATE(password_bytes); psa_pake_role_t MBEDTLS_PRIVATE(role); uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]); size_t MBEDTLS_PRIVATE(buffer_length); diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2ce5e4320d..55319c4bdb 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -890,7 +890,7 @@ static psa_status_t psa_restrict_key_policy( * On success, the returned key slot is locked. It is the responsibility of * the caller to unlock the key slot when it does not access it anymore. */ -static psa_status_t psa_get_and_lock_key_slot_with_policy( +psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot, psa_key_usage_t usage, diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 870b5b5654..1deb48875f 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -33,6 +33,11 @@ #include #include +extern psa_status_t psa_get_and_lock_key_slot_with_policy( + mbedtls_svc_key_id_t key, + psa_key_slot_t **p_slot, + psa_key_usage_t usage, + psa_algorithm_t alg ); /* * State sequence: * @@ -248,6 +253,7 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, psa_key_attributes_t attributes = psa_key_attributes_init(); psa_key_type_t type; psa_key_usage_t usage; + psa_key_slot_t *slot = NULL; if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) 
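Review bot: The `@@ -33,6 +33,11 @@` hunk of library/psa_crypto_pake.c declares `extern psa_status_t psa_get_and_lock_key_slot_with_policy(...)` locally in a .c file; a prototype duplicated this way is not checked against the definition in psa_crypto.c, so a later change to that function's parameters would still compile here and fail only at link time or at run time. Since the `@@ -890,7 +890,7 @@` hunk already makes the function non-static, the prototype belongs once in the internal core header that holds the other `psa_get_and_lock_key_slot` declarations, with this copy removed. If it must stay for now, as the commit message implies, mark it `/* TODO: move to the core header once EC-JPAKE driver dispatch is added */` so it is not mistaken for a permanent interface.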
@@ -255,6 +261,9 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, return( PSA_ERROR_BAD_STATE ); } + if( psa_is_valid_key_id( password, 1 ) == 0 ) + return( PSA_ERROR_BAD_STATE ); + status = psa_get_key_attributes( password, &attributes ); if( status != PSA_SUCCESS ) return( status ); @@ -273,7 +282,33 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 ) return( PSA_ERROR_NOT_PERMITTED ); - operation->password = password; + status = psa_get_and_lock_key_slot_with_policy( password, &slot, + PSA_KEY_USAGE_DERIVE, + PSA_ALG_JPAKE ); + if( status != PSA_SUCCESS ) + return( status ); + + if( slot->key.data == NULL || slot->key.bytes == 0 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + if( operation->password_data != NULL ) + { + mbedtls_free( operation->password_data ); + operation->password_bytes = 0; + } + + operation->password_data = mbedtls_calloc( 1, slot->key.bytes ); + if( operation->password_data == NULL ) + { + status = psa_unlock_key_slot( slot ); + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + } + memcpy( operation->password_data, slot->key.data, slot->key.bytes ); + operation->password_bytes = slot->key.bytes; + + status = psa_unlock_key_slot( slot ); + if( status != PSA_SUCCESS ) + return( status ); return( PSA_SUCCESS ); } @@ -348,9 +383,7 @@ psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_ecjpake_role role; - psa_key_slot_t *slot = NULL; if( operation->role == PSA_PAKE_ROLE_CLIENT ) role = MBEDTLS_ECJPAKE_CLIENT; 
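Review bot: The added `if( psa_is_valid_key_id( password, 1 ) == 0 ) return( PSA_ERROR_BAD_STATE );` reports an invalid key identifier as a state error, while the `psa_get_key_attributes()` call immediately below already rejects such an id with its own status; the net effect of the new check is only to change the error code, and PSA APIs that take a key id conventionally return PSA_ERROR_INVALID_HANDLE for an identifier that names no key (worth confirming against the PAKE API text this implements). Either drop the check or return the handle error, and add a one-line comment saying why the explicit pre-check is wanted if it stays.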
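Review bot: In the `@@ -273,7 +282,33 @@` hunk the `if( slot->key.data == NULL || slot->key.bytes == 0 ) return( PSA_ERROR_INVALID_ARGUMENT );` check runs after `psa_get_and_lock_key_slot_with_policy()` has locked the slot but returns without `psa_unlock_key_slot( slot )`, so that error path leaves the key slot locked for the remainder of the process; it should be `{ psa_unlock_key_slot( slot ); return( PSA_ERROR_INVALID_ARGUMENT ); }`. The calloc-failure path does unlock but stores the result in `status` and then discards it, so a failure to unlock is invisible. `operation->password_data` is a private copy of the PAKE password, i.e. key material, yet the `mbedtls_free( operation->password_data )` that replaces a previous copy here, and the one in `psa_pake_abort()` in the `@@ -840,7 +869,9 @@` hunk at the next anchor, release it without wiping; add `mbedtls_platform_zeroize( operation->password_data, operation->password_bytes );` before each free, consistent with the zeroize of `operation->buffer` that psa_pake_abort() already performs.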
@@ -359,22 +392,18 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation ) else return( PSA_ERROR_BAD_STATE ); - if( psa_is_valid_key_id( operation->password, 1 ) == 0 ) + if (operation->password_data == NULL || + operation->password_bytes == 0 ) + { return( PSA_ERROR_BAD_STATE ); - - status = psa_get_and_lock_key_slot( operation->password, &slot ); - if( status != PSA_SUCCESS ) - return( status ); - + } ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake, role, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, - slot->key.data, slot->key.bytes ); - - psa_unlock_key_slot( slot ); - slot = NULL; + operation->password_data, + operation->password_bytes ); if( ret != 0 ) return( mbedtls_ecjpake_to_psa_error( ret ) ); @@ -840,7 +869,9 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation) { operation->input_step = PSA_PAKE_STEP_INVALID; operation->output_step = PSA_PAKE_STEP_INVALID; - operation->password = MBEDTLS_SVC_KEY_ID_INIT; + mbedtls_free( operation->password_data ); + operation->password_data = NULL; + operation->password_bytes = 0; operation->role = PSA_PAKE_ROLE_NONE; mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE ); operation->buffer_length = 0; From 6110a16555bcb185c825fbfcccaca200a1c98c95 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 15 Nov 2022 21:22:27 +0100 Subject: [PATCH 180/413] Document mbedtls_mpi_uint and mbedtls_mpi_sint Since they're part of the public API (even if only through a few functions), they should be documented. I deliberately skipped documenting how to configure the size of the type. Right now, MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 have no Doxygen documentation, so it's ambiguous whether they're part of the public API. Resolving this ambiguity is out of scope of my current work. Signed-off-by: Gilles Peskine --- include/mbedtls/bignum.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
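Review bot: `if (operation->password_data == NULL ||` on the new side uses `if (` while the rest of this function and file write `if( ... )`, as the neighbouring `if( operation->role == PSA_PAKE_ROLE_CLIENT )` and `if( ret != 0 )` show; change it to `if( operation->password_data == NULL ||` so the style stays uniform. `psa_pake_ecjpake_setup()` starts in the previous hunk and continues past this one.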
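Review bot: `mbedtls_free( operation->password_data );` releases the heap copy of the PAKE password without wiping it, so the secret remains readable in freed heap memory, while two lines later the same function does zeroize `operation->buffer`. Wipe it the same way before freeing: `mbedtls_platform_zeroize( operation->password_data, operation->password_bytes );` immediately ahead of the `mbedtls_free()` call (a zero length should make this a no-op for a freshly initialised operation — confirm against `mbedtls_platform_zeroize()`'s handling of len == 0 before relying on it without a NULL guard). The body of `psa_pake_abort()` begins and ends outside the hunk.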
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 9d15955f34..5800d4acba 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -179,6 +179,20 @@ #endif /* !MBEDTLS_NO_UDBL_DIVISION */ #endif /* !MBEDTLS_HAVE_INT64 */ +/** \typedef mbedtls_mpi_uint + * \brief The type of machine digits in a bignum, called _limbs_. + * + * This is always an unsigned integer type with no padding bits. The size + * is platform-dependent. + */ + +/** \typedef mbedtls_mpi_sint + * \brief The signed type corresponding to #mbedtls_mpi_uint. + * + * This is always an signed integer type with no padding bits. The size + * is platform-dependent. + */ + #ifdef __cplusplus extern "C" { #endif From db14a9d180069e8a6cb63455e75463aad9f68889 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 15 Nov 2022 22:59:00 +0100 Subject: [PATCH 181/413] Fix NULL+0 in addition 0 + 0 Fix undefined behavior (typically harmless in practice) of mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() when both operands are 0 and the left operand is represented with 0 limbs. Signed-off-by: Gilles Peskine --- ChangeLog.d/mpi-add-0-ub.txt | 4 ++++ library/bignum.c | 5 +++++ 2 files changed, 9 insertions(+) create mode 100644 ChangeLog.d/mpi-add-0-ub.txt diff --git a/ChangeLog.d/mpi-add-0-ub.txt b/ChangeLog.d/mpi-add-0-ub.txt new file mode 100644 index 0000000000..9f131a4300 --- /dev/null +++ b/ChangeLog.d/mpi-add-0-ub.txt @@ -0,0 +1,4 @@ +Bugfix + * Fix undefined behavior (typically harmless in practice) of + mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() + when both operands are 0 and the left operand is represented with 0 limbs. diff --git a/library/bignum.c b/library/bignum.c index 521787d749..497ccbc817 100644 --- a/library/bignum.c +++ b/library/bignum.c 
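Review bot: The new `mbedtls_mpi_sint` comment reads `This is always an signed integer type with no padding bits.`; it should be `This is always a signed integer type with no padding bits.`. It is also worth stating the representation guarantee here, since the `most_negative_mpi_sint` test added later in this series asserts that `mbedtls_mpi_sint` is two's complement: `This is always a signed integer type with two's complement representation and no padding bits.` — if that guarantee is intentional, make it part of the documented contract rather than leaving it implicit in a test.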
@@ -889,6 +889,11 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi if( B->p[j - 1] != 0 ) break; + /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0 + * and B is 0 (of any size). */ + if( j == 0 ) + return( 0 ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) ); /* j is the number of non-zero limbs of B. Add those to X. */ From af601f97519f90cc4b669984dd3fcf215b8b2792 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 15 Nov 2022 23:02:14 +0100 Subject: [PATCH 182/413] Fix undefined behavior with the most negative mbedtls_mpi_sint When x is the most negative value of a two's complement type, `(unsigned_type)(-x)` has undefined behavior, whereas `-(unsigned_type)x` has well-defined behavior and does what was intended. Signed-off-by: Gilles Peskine --- ChangeLog.d/mpi-most-negative-sint.txt | 4 + library/bignum.c | 10 +- tests/suites/test_suite_bignum.function | 144 +++++++++++++++++++++++ tests/suites/test_suite_bignum.misc.data | 3 + 4 files changed, 156 insertions(+), 5 deletions(-) create mode 100644 ChangeLog.d/mpi-most-negative-sint.txt diff --git a/ChangeLog.d/mpi-most-negative-sint.txt b/ChangeLog.d/mpi-most-negative-sint.txt new file mode 100644 index 0000000000..5e775c4825 --- /dev/null +++ b/ChangeLog.d/mpi-most-negative-sint.txt @@ -0,0 +1,4 @@ +Bugfix + * Fix undefined behavior (typically harmless in practice) when some bignum + functions receive the most negative value of mbedtls_mpi_sint. Credit + to OSS-Fuzz. Fixes #6597. diff --git a/library/bignum.c b/library/bignum.c index 497ccbc817..04aca69e80 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -263,7 +263,7 @@ int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z ) MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) ); memset( X->p, 0, X->n * ciL ); - X->p[0] = ( z < 0 ) ? -z : z; + X->p[0] = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z; X->s = ( z < 0 ) ? -1 : 1; cleanup: 
@@ -853,7 +853,7 @@ int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z ) mbedtls_mpi_uint p[1]; MPI_VALIDATE_RET( X != NULL ); - *p = ( z < 0 ) ? -z : z; + *p = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z; Y.s = ( z < 0 ) ? -1 : 1; Y.n = 1; Y.p = p; @@ -1057,7 +1057,7 @@ int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -b : b; + p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b; B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; @@ -1075,7 +1075,7 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -b : b; + p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b; B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; @@ -1413,7 +1413,7 @@ int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, mbedtls_mpi_uint p[1]; MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -b : b; + p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b; B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function index 5c3d776f09..3238467598 100644 --- a/tests/suites/test_suite_bignum.function +++ b/tests/suites/test_suite_bignum.function 
@@ -1447,6 +1447,150 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void most_negative_mpi_sint( ) +{ + /* Ad hoc tests for n = -p = -2^(biL-1) as a mbedtls_mpi_sint. We + * guarantee that mbedtls_mpi_sint is a two's complement type, so this + * is a valid value. However, negating it (`-n`) has undefined behavior + * (although in practice `-n` evaluates to the value n). + * + * This function has ad hoc tests for this value. It's separated from other + * functions because the test framework makes it hard to pass this value + * into test cases. + * + * In the comments here: + * - biL = number of bits in limbs + * - p = 2^(biL-1) (smallest positive value not in mbedtls_mpi_sint range) + * - n = -2^(biL-1) (largest negative value in mbedtls_mpi_sint range) + */ + + mbedtls_mpi A, R, X; + mbedtls_mpi_init( &A ); + mbedtls_mpi_init( &R ); + mbedtls_mpi_init( &X ); + + const size_t biL = 8 * sizeof( mbedtls_mpi_sint ); + mbedtls_mpi_uint most_positive_plus_1 = (mbedtls_mpi_uint) 1 << ( biL - 1 ); + const mbedtls_mpi_sint most_positive = most_positive_plus_1 - 1; + const mbedtls_mpi_sint most_negative = - most_positive - 1; + TEST_EQUAL( (mbedtls_mpi_uint) most_negative, + (mbedtls_mpi_uint) 1 << ( biL - 1 ) ); + TEST_EQUAL( (mbedtls_mpi_uint) most_negative << 1, 0 ); + + /* Test mbedtls_mpi_lset() */ + TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 ); + TEST_EQUAL( A.s, -1 ); + TEST_EQUAL( A.n, 1 ); + TEST_EQUAL( A.p[0], most_positive_plus_1 ); + + /* Test mbedtls_mpi_cmp_int(): -p == -p */ + TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), 0 ); + + /* Test mbedtls_mpi_cmp_int(): -(p+1) < -p */ + A.p[0] = most_positive_plus_1 + 1; + TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), -1 ); + + /* Test mbedtls_mpi_cmp_int(): -(p-1) > -p */ + A.p[0] = most_positive_plus_1 - 1; + TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), 1 ); + + /* Test mbedtls_mpi_add_int(): (p-1) + (-p) */ + TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 ); + TEST_EQUAL( 
mbedtls_mpi_add_int( &X, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -1 ), 0 ); + + /* Test mbedtls_mpi_add_int(): (0) + (-p) */ + TEST_EQUAL( mbedtls_mpi_lset( &A, 0 ), 0 ); + TEST_EQUAL( mbedtls_mpi_add_int( &X, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, most_negative ), 0 ); + + /* Test mbedtls_mpi_add_int(): (-p) + (-p) */ + TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_add_int( &X, &A, most_negative ), 0 ); + TEST_EQUAL( X.s, -1 ); + TEST_EQUAL( X.n, 2 ); + TEST_EQUAL( X.p[0], 0 ); + TEST_EQUAL( X.p[1], 1 ); + + /* Test mbedtls_mpi_sub_int(): (p) - (-p) */ + mbedtls_mpi_free( &X ); + TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 ); + TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 ); + TEST_EQUAL( X.s, 1 ); + TEST_EQUAL( X.n, 1 ); + TEST_EQUAL( X.p[0], ~(mbedtls_mpi_uint)0 ); + + /* Test mbedtls_mpi_sub_int(): (0) - (-p) */ + TEST_EQUAL( mbedtls_mpi_lset( &A, 0 ), 0 ); + TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 ); + TEST_EQUAL( X.s, 1 ); + TEST_EQUAL( X.n, 1 ); + TEST_EQUAL( X.p[0], most_positive_plus_1 ); + + /* Test mbedtls_mpi_sub_int(): (-p) - (-p) */ + TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 ); + + /* Test mbedtls_mpi_div_int(): (-p+1) / (-p) */ + TEST_EQUAL( mbedtls_mpi_lset( &A, -most_positive ), 0 ); + TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &R, -most_positive ), 0 ); + + /* Test mbedtls_mpi_div_int(): (-p) / (-p) */ + TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 1 ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 ); + + /* Test mbedtls_mpi_div_int(): (-2*p) / (-p) */ + TEST_EQUAL( 
mbedtls_mpi_shift_l( &A, 1 ), 0 ); + TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 2 ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 ); + + /* Test mbedtls_mpi_div_int(): (-2*p+1) / (-p) */ + TEST_EQUAL( mbedtls_mpi_add_int( &A, &A, 1 ), 0 ); + TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 1 ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &R, -most_positive ), 0 ); + + /* Test mbedtls_mpi_div_int(): (p-1) / (-p) */ + TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 ); + TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &R, most_positive ), 0 ); + + /* Test mbedtls_mpi_div_int(): (p) / (-p) */ + TEST_EQUAL( mbedtls_mpi_add_int( &A, &A, 1 ), 0 ); + TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -1 ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 ); + + /* Test mbedtls_mpi_div_int(): (2*p) / (-p) */ + TEST_EQUAL( mbedtls_mpi_shift_l( &A, 1 ), 0 ); + TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -2 ), 0 ); + TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 ); + + /* Test mbedtls_mpi_mod_int(): never valid */ + TEST_EQUAL( mbedtls_mpi_mod_int( X.p, &A, most_negative ), + MBEDTLS_ERR_MPI_NEGATIVE_VALUE ); + + /* Test mbedtls_mpi_random(): never valid */ + TEST_EQUAL( mbedtls_mpi_random( &X, most_negative, &A, + mbedtls_test_rnd_std_rand, NULL ), + MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); + +exit: + mbedtls_mpi_free( &A ); + mbedtls_mpi_free( &R ); + mbedtls_mpi_free( &X ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ void mpi_selftest( ) { diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data index 0b8aa334ac..7aaacbe73d 100644 --- a/tests/suites/test_suite_bignum.misc.data 
+++ b/tests/suites/test_suite_bignum.misc.data @@ -1934,6 +1934,9 @@ mpi_random_fail:2:"01":MBEDTLS_ERR_MPI_BAD_INPUT_DATA MPI random bad arguments: min > N = 1, 0 limb in upper bound mpi_random_fail:2:"000000000000000001":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Most negative mbedtls_mpi_sint +most_negative_mpi_sint: + MPI Selftest depends_on:MBEDTLS_SELF_TEST mpi_selftest: From ef7f4e47b183549784239d2d5bd3bb5c856e93c6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 15 Nov 2022 23:25:27 +0100 Subject: [PATCH 183/413] Express abs(z) in a way that satisfies GCC and MSVC Signed-off-by: Gilles Peskine --- library/bignum.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 04aca69e80..53a9aa5e71 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -252,6 +252,17 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y ) memcpy( Y, &T, sizeof( mbedtls_mpi ) ); } +static inline mbedtls_mpi_uint mpi_sint_abs( mbedtls_mpi_sint z ) +{ + if( z >= 0 ) + return( z ); + /* Take care to handle the most negative value (-2^(biL-1)) correctly. + * A naive -z would have undefined behavior. + * Write this in a way that makes popular compilers happy (GCC, Clang, + * MSVC). */ + return( (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z ); +} + /* * Set value from integer */ @@ -263,7 +274,7 @@ int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z ) MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) ); memset( X->p, 0, X->n * ciL ); - X->p[0] = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z; + X->p[0] = mpi_sint_abs( z ); X->s = ( z < 0 ) ? -1 : 1; cleanup: @@ -853,7 +864,7 @@ int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z ) mbedtls_mpi_uint p[1]; MPI_VALIDATE_RET( X != NULL ); - *p = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z; + *p = mpi_sint_abs( z ); Y.s = ( z < 0 ) ? -1 : 1; Y.n = 1; Y.p = p; 
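Review bot: `mpi_sint_abs()` explains inline why `-z` is avoided but never states its contract, and the implicit `return( z );` conversion from `mbedtls_mpi_sint` to `mbedtls_mpi_uint` reads as accidental to anyone who has not checked the return type. Add a header comment such as `/* Return |z| as an mbedtls_mpi_uint. Well-defined for every mbedtls_mpi_sint, including the most negative value, for which -z would overflow. */` and make the conversion explicit with `return( (mbedtls_mpi_uint) z );`.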
@@ -1057,7 +1068,7 @@ int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b; + p[0] = mpi_sint_abs( b ); B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; @@ -1075,7 +1086,7 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b; + p[0] = mpi_sint_abs( b ); B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; @@ -1413,7 +1424,7 @@ int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, mbedtls_mpi_uint p[1]; MPI_VALIDATE_RET( A != NULL ); - p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b; + p[0] = mpi_sint_abs( b ); B.s = ( b < 0 ) ? -1 : 1; B.n = 1; B.p = p; From 298f781948d4bd69cfe826ce86de907ac9dbb6c2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 15 Nov 2022 23:54:26 +0100 Subject: [PATCH 184/413] Use .datax for `make test`, not .data Looking for the .data file doesn't work in out-of-tree builds. Use the .datax file instead. `make clean` removes all .datax files, so this resolves the issue of executables not present on the current branch being left behind after a branch change followed by a `make clean`. Signed-off-by: Gilles Peskine --- tests/scripts/run-test-suites.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl index 8a5bb937dc..cedc0bfa5a 100755 --- a/tests/scripts/run-test-suites.pl +++ b/tests/scripts/run-test-suites.pl 
@@ -50,10 +50,10 @@ GetOptions( 'verbose|v:1' => \$verbose, ) or die; -# All test suites = executable files derived from a .data file. +# All test suites = executable files with a .datax file. my @suites = (); -for my $data_file (glob 'suites/test_suite_*.data') { - (my $base = $data_file) =~ s#^suites/(.*)\.data$#$1#; +for my $data_file (glob 'test_suite_*.datax') { + (my $base = $data_file) =~ s/\.datax$//; push @suites, $base if -x $base; push @suites, "$base.exe" if -e "$base.exe"; } From 2dbfedae4a269c72438f6fff8e5cf6974e37c1ea Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 15 Nov 2022 10:52:57 +0000 Subject: [PATCH 185/413] Update early data test cases with latest code message Signed-off-by: Xiaokang Qian --- tests/scripts/all.sh | 3 +-- tests/ssl-opt.sh | 61 +++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 59 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 32e920d22e..4b6a4cbb94 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3222,7 +3222,6 @@ component_build_armcc () { component_test_tls13_only () { msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2" - scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test: TLS 1.3 only, all key exchange modes enabled" @@ -3255,6 +3254,7 @@ component_test_tls13_only_ephemeral () { msg "build: TLS 1.3 only from default, only ephemeral key exchange mode" scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode" 
@@ -3302,7 +3302,6 @@ component_test_tls13_only_psk_all () { component_test_tls13_only_ephemeral_all () { msg "build: TLS 1.3 only from default, without PSK key exchange mode" scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 20c1b0f4d7..5576320ff9 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -13050,14 +13050,69 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_EARLY_DATA run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ + "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ + "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ + 1 \ + -c "Reconnecting with saved session" \ + -c "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension exists." \ + -c "EncryptedExtensions: early_data(42) extension received." \ + -c "EncryptedExtensions: early_data(42) extension ( ignored )." \ + -s "Parsing extension 'Early Data/42' (0 bytes)" \ + -s "Sending extension Early Data/42 (0 bytes)" \ + -s "early data accepted" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_EARLY_DATA +run_test "TLS 1.3 m->G: EarlyData: hybrid check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ 1 \ - -c "client hello, adding early_data extension" \ -c "Reconnecting with saved session" \ - -c "EncryptedExtensions: early_data(42) extension is unsupported" \ + -c "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension exists." \ + -c "EncryptedExtensions: early_data(42) extension received." \ + -c "EncryptedExtensions: early_data(42) extension ( ignored )." 
\ -s "Parsing extension 'Early Data/42' (0 bytes)" \ - -s "Sending extension Early Data/42 (0 bytes)" + -s "Sending extension Early Data/42 (0 bytes)" \ + -s "early data accepted" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_EARLY_DATA +run_test "TLS 1.3 m->G: EarlyData: negative check, fail" \ + "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ + 0 \ + -c "Reconnecting with saved session" \ + -C "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension does not exist." \ + -C "EncryptedExtensions: early_data(42) extension received." \ + -C "EncryptedExtensions: early_data(42) extension ( ignored )." + +#TODO openssl compatible mode can't work currently, it will need external psk. +skip_next_test +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_EARLY_DATA +run_test "TLS 1.3, ext PSK, early data" \ + "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ + "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + 1 \ + -c "Reconnecting with saved session" \ + -c "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension exists." \ + -c "EncryptedExtensions: early_data(42) extension received." \ + -c "EncryptedExtensions: early_data(42) extension ( ignored )." # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 
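Review bot: Both new "good" tests (`basic check, good` and `hybrid check, good`) pass `1` as the expected client exit status while asserting `-s "early data accepted"` on the GnuTLS side, and nothing in the hunk explains why a test labelled good expects the client to fail. The client log line `EncryptedExtensions: early_data(42) extension ( ignored ).` suggests the client advertises early_data but does not yet act on the server's acceptance, so the handshake presumably fails afterwards; a comment above each `run_test`, e.g. `# Client only advertises early_data and does not send early data or EndOfEarlyData yet, so the handshake is expected to fail (exit 1) even though the server reports acceptance.`, would keep the expected `1` from being read as a typo. The hybrid variant differs from the basic one only by omitting `force_version=tls13`; a one-line comment naming that intent would help too.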
From f3cefb4f4cf3b0720a6f56fe70371ba6889aefac Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 16 Nov 2022 03:23:46 +0000 Subject: [PATCH 186/413] Move early data test cases to tls13-misc.sh Signed-off-by: Xiaokang Qian --- tests/opt-testcases/tls13-misc.sh | 72 +++++++++++++++++++++++++++++++ tests/ssl-opt.sh | 72 ------------------------------- 2 files changed, 72 insertions(+), 72 deletions(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 4ad6faa48f..cc650c1e1f 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh 
@@ -282,3 +282,75 @@ run_test "TLS 1.3: G->m: PSK: configured ephemeral only, good." \ 0 \ -s "key exchange mode: ephemeral$" +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_EARLY_DATA +run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ + "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ + "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ + 1 \ + -c "Reconnecting with saved session" \ + -c "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension exists." \ + -c "EncryptedExtensions: early_data(42) extension received." \ + -c "EncryptedExtensions: early_data(42) extension ( ignored )." \ + -s "Parsing extension 'Early Data/42' (0 bytes)" \ + -s "Sending extension Early Data/42 (0 bytes)" \ + -s "early data accepted" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_EARLY_DATA +run_test "TLS 1.3 m->G: EarlyData: hybrid check, good" \ + "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ + 1 \ + -c "Reconnecting with saved session" \ + -c "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension exists." \ + -c "EncryptedExtensions: early_data(42) extension received." 
\ + -c "EncryptedExtensions: early_data(42) extension ( ignored )." \ + -s "Parsing extension 'Early Data/42' (0 bytes)" \ + -s "Sending extension Early Data/42 (0 bytes)" \ + -s "early data accepted" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_EARLY_DATA +run_test "TLS 1.3 m->G: EarlyData: negative check, fail" \ + "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ + 0 \ + -c "Reconnecting with saved session" \ + -C "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension does not exist." \ + -C "EncryptedExtensions: early_data(42) extension received." \ + -C "EncryptedExtensions: early_data(42) extension ( ignored )." + +#TODO openssl compatible mode can't work currently, it will need external psk. +skip_next_test +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_EARLY_DATA +run_test "TLS 1.3, ext PSK, early data" \ + "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ + "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + 1 \ + -c "Reconnecting with saved session" \ + -c "NewSessionTicket: early_data(42) extension received." \ + -c "ClientHello: early_data(42) extension exists." \ + -c "EncryptedExtensions: early_data(42) extension received." \ + -c "EncryptedExtensions: early_data(42) extension ( ignored )." + diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5576320ff9..fdbb310506 100755 --- a/tests/ssl-opt.sh 
+++ b/tests/ssl-opt.sh 
@@ -13042,78 +13042,6 @@ run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_EARLY_DATA -run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ - "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ - "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ - 1 \ - -c "Reconnecting with saved session" \ - -c "NewSessionTicket: early_data(42) extension received." \ - -c "ClientHello: early_data(42) extension exists." \ - -c "EncryptedExtensions: early_data(42) extension received." \ - -c "EncryptedExtensions: early_data(42) extension ( ignored )." \ - -s "Parsing extension 'Early Data/42' (0 bytes)" \ - -s "Sending extension Early Data/42 (0 bytes)" \ - -s "early data accepted" - -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_EARLY_DATA -run_test "TLS 1.3 m->G: EarlyData: hybrid check, good" \ - "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ - "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ - 1 \ - -c "Reconnecting with saved session" \ - -c "NewSessionTicket: early_data(42) extension received." \ - -c "ClientHello: early_data(42) extension exists." 
\ - -c "EncryptedExtensions: early_data(42) extension received." \ - -c "EncryptedExtensions: early_data(42) extension ( ignored )." \ - -s "Parsing extension 'Early Data/42' (0 bytes)" \ - -s "Sending extension Early Data/42 (0 bytes)" \ - -s "early data accepted" - -requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_EARLY_DATA -run_test "TLS 1.3 m->G: EarlyData: negative check, fail" \ - "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \ - "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ - 0 \ - -c "Reconnecting with saved session" \ - -C "NewSessionTicket: early_data(42) extension received." \ - -c "ClientHello: early_data(42) extension does not exist." \ - -C "EncryptedExtensions: early_data(42) extension received." \ - -C "EncryptedExtensions: early_data(42) extension ( ignored )." - -#TODO openssl compatible mode can't work currently, it will need external psk. -skip_next_test -requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_EARLY_DATA -run_test "TLS 1.3, ext PSK, early data" \ - "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ - "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ - 1 \ - -c "Reconnecting with saved session" \ - -c "NewSessionTicket: early_data(42) extension received." \ - -c "ClientHello: early_data(42) extension exists." \ - -c "EncryptedExtensions: early_data(42) extension received." \ - -c "EncryptedExtensions: early_data(42) extension ( ignored )." 
- # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 51c5a8b561f4e509ed69ea3761c89248410146a9 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 16 Nov 2022 08:32:51 +0000 Subject: [PATCH 187/413] Update ticket flag macros Define the ALLOW_PSK_RESUMPTION and ALLOW_PSK_EPHEMERAL_RESUMPTION to the key exchange mode EXCHANGE_MODE_PSK and EXCHANGE_MODE_PSK_EPHEMERAL to facilate later check. Since they are 1( 1u<<0 ) and 4( 1u<<2 ), so define ALLOW_EARLY_DATA to 8( 1u<<3 ). Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6829fd7b67..d0558511a8 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -810,19 +810,20 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) - typedef uint8_t mbedtls_ssl_tls13_ticket_flags; -#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */ -#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */ -#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1U << 3 ) -#define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK \ - ( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION | \ - MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION | \ +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */ +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */ +#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1U << 3 ) + +#define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK \ + ( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION | \ + MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION | \ MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ + /** * \brief Callback type: server-side session cache getter * From 0cc4320e16fc58dfab6dbe277e4115032b9c0220 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 16 Nov 2022 08:43:50 +0000 Subject: [PATCH 188/413] Add EARLY_DATA guard to the early data extension in session ticket Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index d276a95660..0372f2d98d 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -2541,6 +2541,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, switch( extension_type ) { +#if defined(MBEDTLS_SSL_EARLY_DATA) case MBEDTLS_TLS_EXT_EARLY_DATA: if( extension_data_len != 4 ) { @@ -2555,6 +2556,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA; } break; +#endif /* MBEDTLS_SSL_EARLY_DATA */ default: MBEDTLS_SSL_PRINT_EXT( From e7bab00825c42bb39ed63d42a98c306cb9869edd Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 16 Nov 2022 08:51:01 +0000 Subject: [PATCH 189/413] Update enabled guards for early data cases Signed-off-by: Xiaokang Qian --- tests/opt-testcases/tls13-misc.sh | 22 +++++++++++++++------- tests/scripts/all.sh | 1 - 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index cc650c1e1f..8b9d5750f8 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -287,8 +287,9 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_EARLY_DATA +requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ 
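Review bot: With the new `#if defined(MBEDTLS_SSL_EARLY_DATA)` guard, an early_data extension in a NewSessionTicket reaches the `default:` branch when the feature is compiled out; the hunk only shows that branch starting with MBEDTLS_SSL_PRINT_EXT, so confirm it tolerates the extension rather than failing the ticket, since a server can send it regardless of what the client supports. The `#endif /* MBEDTLS_SSL_EARLY_DATA */` in the second hunk sits directly before `default:`; a one-line comment there, `/* early_data falls through to the default handler when the feature is disabled */`, would record that this is intended. ssl_tls13_parse_new_session_ticket_exts starts and ends outside both hunks.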
@@ -307,8 +308,9 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_EARLY_DATA +requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->G: EarlyData: hybrid check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ @@ -327,9 +329,10 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_EARLY_DATA -run_test "TLS 1.3 m->G: EarlyData: negative check, fail" \ +requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good." \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ 0 \ 
@@ -339,11 +342,16 @@ run_test "TLS 1.3 m->G: EarlyData: negative check, fail" \ -C "EncryptedExtensions: early_data(42) extension received." \ -C "EncryptedExtensions: early_data(42) extension ( ignored )." -#TODO openssl compatible mode can't work currently, it will need external psk. +#TODO: OpenSSL tests don't work now. It might be openssl options issue, cause GnuTLS has worked. skip_next_test -requires_config_enabled MBEDTLS_SSL_SRV_C +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_EARLY_DATA +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_EARLY_DATA +requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3, ext PSK, early data" \ "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \ "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 4b6a4cbb94..245324a5f3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2105,7 +2105,6 @@ component_test_psa_crypto_config_accel_hash_use_psa () { scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC - scripts/config.py unset MBEDTLS_SSL_EARLY_DATA scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" From f3be7ccadebd605ad23c4b46bfce1aa2af02666a Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 16 Nov 2022 12:53:20 +0100 Subject: [PATCH 190/413] Keep drivers enabled also in reference build 
Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9fba034cde..c76a94fcf4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2046,11 +2046,10 @@ config_psa_crypto_hash_use_psa () { DRIVER_ONLY="$1" # start with config full for maximum coverage (also enables USE_PSA) scripts/config.py full - # enable support for configuring PSA-only algorithms + # enable support for drivers and configuring PSA-only algorithms scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS if [ "$DRIVER_ONLY" -eq 1 ]; then - # enable support for drivers - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS # disable the built-in implementation of hashes scripts/config.py unset MBEDTLS_MD5_C scripts/config.py unset MBEDTLS_RIPEMD160_C From 02c25b5f83f6f607007133b1f49931fe7c2630f5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 15 Nov 2022 14:08:42 +0100 Subject: [PATCH 191/413] tls12: psa_pake: use common code for parsing/writing round one and round two data Share a common parsing code for both server and client for parsing round one and two. Signed-off-by: Valerio Setti --- library/ssl_misc.h | 212 +++++++++++++++++++++++++++++++++++++ library/ssl_tls.c | 22 ++-- library/ssl_tls12_client.c | 179 +++++-------------------------- library/ssl_tls12_server.c | 125 +++++----------------- 4 files changed, 279 insertions(+), 259 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 8b96243507..d4ce35c5a1 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -2364,6 +2364,218 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
 }
 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief Parse the provided input buffer for getting the first round
+ * of key exchange. This code is common between server and client
+ *
+ * \param pake_ctx [in] the PAKE's operation/context structure
+ * \param buf [in] input buffer to parse
+ * \param len [in] length of the input buffer
+ *
+ * \return 0 on success or a negative error code in case of failure
+ */
+static inline int psa_tls12_parse_ecjpake_round_one(
+ psa_pake_operation_t *pake_ctx,
+ const unsigned char *buf,
+ size_t len )
+{
+ psa_status_t status;
+ size_t input_offset = 0;
+
+ /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */
+ for( unsigned int x = 1; x <= 2; ++x )
+ {
+ for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
+ step <= PSA_PAKE_STEP_ZK_PROOF;
+ ++step )
+ {
+ /* Length is stored at the first byte */
+ size_t length = buf[input_offset];
+ input_offset += 1;
+
+ if( input_offset + length > len )
+ {
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ status = psa_pake_input( pake_ctx, step,
+ buf + input_offset, length );
+ if( status != PSA_SUCCESS)
+ {
+ return psa_ssl_status_to_mbedtls( status );
+ }
+
+ input_offset += length;
+ }
+ }
+
+ return( 0 );
+}
+
+/**
+ * \brief Parse the provided input buffer for getting the second round
+ * of key exchange. This code is common between server and client
+ *
+ * \param pake_ctx [in] the PAKE's operation/context structure
+ * \param buf [in] input buffer to parse
+ * \param len [in] length of the input buffer
+ *
+ * \return 0 on success or a negative error code in case of failure
+ */
+static inline int psa_tls12_parse_ecjpake_round_two(
+ psa_pake_operation_t *pake_ctx,
+ const unsigned char *buf,
+ size_t len, int role )
+{
+ psa_status_t status;
+ size_t input_offset = 0;
+
+ for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ;
+ step <= PSA_PAKE_STEP_ZK_PROOF ;
+ ++step )
+ {
+ size_t length;
+
+ /*
+ * On its 2nd round, the server sends 3 extra bytes which identify the
+ * curve. Therefore we should skip them only on the client side
+ */
+ if( ( step == PSA_PAKE_STEP_KEY_SHARE ) &&
+ ( role == MBEDTLS_SSL_IS_CLIENT ) )
+ {
+ /* Length is stored after the 3 bytes for the curve */
+ length = buf[input_offset + 3];
+ input_offset += 3 + 1;
+ }
+ else
+ {
+ /* Length is stored at the first byte */
+ length = buf[input_offset];
+ input_offset += 1;
+ }
+
+ if( input_offset + length > len )
+ {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ status = psa_pake_input( pake_ctx, step,
+ buf + input_offset, length );
+ if( status != PSA_SUCCESS)
+ {
+ return psa_ssl_status_to_mbedtls( status );
+ }
+
+ input_offset += length;
+ }
+
+ return( 0 );
+}
+
+/**
+ * \brief Write the first round of key exchange into the provided output
+ * buffer. This code is common between server and client
+ *
+ * \param pake_ctx [in] the PAKE's operation/context structure
+ * \param buf [out] the output buffer in which data will be written to
+ * \param len [in] length of the output buffer
+ * \param olen [out] the length of the data really written on the buffer
+ *
+ * \return 0 on success or a negative error code in case of failure
+ */
+static inline int psa_tls12_write_ecjpake_round_one(
+ psa_pake_operation_t *pake_ctx,
+ unsigned char *buf,
+ size_t len, size_t *olen )
+{
+ psa_status_t status;
+ size_t output_offset = 0;
+ size_t output_len;
+
+ /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */
+ for( unsigned int x = 1 ; x <= 2 ; ++x )
+ {
+ for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ;
+ step <= PSA_PAKE_STEP_ZK_PROOF ;
+ ++step )
+ {
+ /* For each step, prepend 1 byte with the length of the data */
+ if (step != PSA_PAKE_STEP_ZK_PROOF) {
+ *(buf + output_offset) = 65;
+ } else {
+ *(buf + output_offset) = 32;
+ }
+ output_offset += 1;
+
+ status = psa_pake_output( pake_ctx, step,
+ buf + output_offset,
+ len - output_offset,
+ &output_len );
+ if( status != PSA_SUCCESS )
+ {
+ return( psa_ssl_status_to_mbedtls( status ) );
+ }
+
+ output_offset += output_len;
+ }
+ }
+
+ *olen = output_offset;
+
+ return( 0 );
+}
+
+/**
+ * \brief Write the second round of key exchange into the provided output
+ * buffer. This code is common between server and client
+ *
+ * \param pake_ctx [in] the PAKE's operation/context structure
+ * \param buf [out] the output buffer in which data will be written to
+ * \param len [in] length of the output buffer
+ * \param olen [out] the length of the data really written on the buffer
+ *
+ * \return 0 on success or a negative error code in case of failure
+ */
+static inline int psa_tls12_write_ecjpake_round_two(
+ psa_pake_operation_t *pake_ctx,
+ unsigned char *buf,
+ size_t len, size_t *olen )
+{
+ psa_status_t status;
+ size_t output_offset = 0;
+ size_t output_len;
+
+ for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ;
+ step <= PSA_PAKE_STEP_ZK_PROOF ;
+ ++step )
+ {
+ /* For each step, prepend 1 byte with the length of the data */
+ if (step != PSA_PAKE_STEP_ZK_PROOF) {
+ *(buf + output_offset) = 65;
+ } else {
+ *(buf + output_offset) = 32;
+ }
+ output_offset += 1;
+ status = psa_pake_output( pake_ctx,
+ step, buf + output_offset,
+ len - output_offset,
+ &output_len );
+ if( status != PSA_SUCCESS )
+ {
+ return( psa_ssl_status_to_mbedtls( status ) );
+ }
+
+ output_offset += output_len;
+ }
+
+ *olen = output_offset;
+
+ return( 0 );
+}
+#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
+
 /**
 * \brief TLS record protection modes
 */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ebada7a394..8771c595b9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
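Review bot: Both parse helpers read the length prefix before checking that it lies inside the buffer — `size_t length = buf[input_offset];` in round one and `length = buf[input_offset + 3];` on the client side of round two — so a message that ends exactly on a field boundary, or a server round-two message shorter than four bytes, reads past `len`; the `input_offset + length > len` test that follows only covers the payload after the prefix. Add `if( input_offset >= len ) return( MBEDTLS_ERR_SSL_DECODE_ERROR );` before each prefix read (and `if( len - input_offset < 4 )` on the client branch). The write helpers mirror this: `*(buf + output_offset) = 65;` is stored without checking `output_offset < len`, and once that store lands at `buf[len]` the next `len - output_offset` wraps, so `if( output_offset >= len ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );` belongs before the store, and the fixed 65/32 prefix is never compared with the `output_len` that psa_pake_output reports. The two parsers also disagree on the error for the same overflow (MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE in round one, MBEDTLS_ERR_SSL_BAD_INPUT_DATA in round two) and mix `return X;` with `return( X );`; pick one of each.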
@@ -1616,23 +1616,19 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, /* * Set EC J-PAKE password for current handshake */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, const unsigned char *pw, size_t pw_len ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_pake_role_t psa_role; psa_status_t status; -#else - mbedtls_ecjpake_role role; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( ssl->handshake == NULL || ssl->conf == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) psa_role = PSA_PAKE_ROLE_SERVER; else @@ -1688,7 +1684,17 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, ssl->handshake->psa_pake_ctx_is_ok = 1; return( 0 ); -#else +} +#else /* MBEDTLS_USE_PSA_CRYPTO */ +int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, + const unsigned char *pw, + size_t pw_len ) +{ + mbedtls_ecjpake_role role; + + if( ssl->handshake == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) role = MBEDTLS_ECJPAKE_SERVER; else @@ -1699,8 +1705,8 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) @@ -3734,6 +3740,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif + #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_pake_abort( &handshake->psa_pake_ctx ); 
@@ -6042,7 +6049,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) return( ret ); } - /* Compute master secret if needed */ ret = ssl_compute_master( ssl->handshake, ssl->session_negotiate->master, diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 3d25e4003f..c90ed2e46b 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -130,13 +130,9 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, const unsigned char *end, size_t *olen ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *p = buf; - size_t kkpp_len; + size_t kkpp_len = 0; *olen = 0; 
@@ -168,41 +164,15 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t output_offset = 0; - size_t output_len; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + ret = psa_tls12_write_ecjpake_round_one(&ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len ); + if ( ret != 0 ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(p + 2 + output_offset) = 65; - } else { - *(p + 2 + output_offset) = 32; - } - output_offset += 1; - - status = psa_pake_output( &ssl->handshake->psa_pake_ctx, - step, p + 2 + output_offset, - end - p - output_offset - 2, - &output_len ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; - } + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); } - - kkpp_len = output_offset; #else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, @@ -924,9 +894,6 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, size_t len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( ssl->handshake->ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 
@@ -941,50 +908,21 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache_len = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t input_offset = 0; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + if( ( ret = psa_tls12_parse_ecjpake_round_one( + &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* Length is stored at the first byte */ - size_t length = buf[input_offset]; - input_offset += 1; + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - if( input_offset + length > len ) - { - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto psa_pake_error; - } - - status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto psa_pake_error; - } - - input_offset += length; - } + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( ret ); } return( 0 ); - -psa_pake_error: - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - - MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); - mbedtls_ssl_send_alert_message( - ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); - - return( ret ); #else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) 
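Review bot: The failure path added here (`psa_destroy_key`, `psa_pake_abort`, the debug line and the fatal alert) is repeated verbatim in the server's ssl_parse_ecjpake_kkpp in the next file, and the destroy/abort pair alone recurs at every other PSA call site of this commit; a small `static` helper taking the handshake would keep the tear-down order in one place. After the key is destroyed the code leaves `ssl->handshake->psa_pake_password` holding the stale id and, as far as visible, `psa_pake_ctx_is_ok` still set, so a later caller guarded only by that flag would operate on a dead context — presumably the fatal alert ends the handshake first, but clearing the flag in the helper would make that explicit. The function's prologue is outside the hunk.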
@@ -2395,48 +2333,9 @@ start_processing: if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; - size_t len = end - p; - size_t input_offset = 0; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - size_t length; - - if( step == PSA_PAKE_STEP_KEY_SHARE ) - { - /* Length is stored after 3bytes curve */ - length = p[input_offset + 3]; - input_offset += 3 + 1; - } - else - { - /* Length is stored at the first byte */ - length = p[input_offset]; - input_offset += 1; - } - - if( input_offset + length > len ) - { - ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - goto psa_pake_out; - } - - status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, - p + input_offset, length ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto psa_pake_out; - } - - input_offset += length; - } - -psa_pake_out: - if( ret != 0 ) + if( ( ret = psa_tls12_parse_ecjpake_round_two( + &ssl->handshake->psa_pake_ctx, p, end - p, + ssl->conf->endpoint ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); 
@@ -3393,37 +3292,15 @@ ecdh_calc_secret: unsigned char *out_p = ssl->out_msg + header_len; unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - header_len; - psa_status_t status; - size_t output_offset = 0; - size_t output_len; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) + ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, + out_p, end_p - out_p, &content_len ); + if ( ret != 0 ) { - /* For each step, prepend 1 byte with the length of the data */ - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(out_p + output_offset) = 65; - } else { - *(out_p + output_offset) = 32; - } - output_offset += 1; - status = psa_pake_output( &ssl->handshake->psa_pake_ctx, - step, out_p + output_offset, - end_p - out_p - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); } - - content_len = output_offset; #else ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, ssl->out_msg + header_len, diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 68b4d09883..806efd21b5 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
@@ -290,12 +290,9 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, const unsigned char *buf, - size_t len ) + size_t len) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) @@ -308,35 +305,19 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t input_offset = 0; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + if ( ( ret = psa_tls12_parse_ecjpake_round_one( + &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* Length is stored at the first byte */ - size_t length = buf[input_offset]; - input_offset += 1; + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - if( input_offset + length > len ) - { - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto psa_pake_error; - } + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); - status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto psa_pake_error; - } - - input_offset += length; - } + return( ret ); } #else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 
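Review bot: The new signature line `size_t len)` drops the space before `)` and the new `if ( ( ret = psa_tls12_parse_ecjpake_round_one(` adds one after `if`, while every other line in these hunks and the client's version of the same call use `size_t len )` and `if( … )`; restore `size_t len )` and `if( ( ret = …` so the two copies stay diffable against each other. The rest of ssl_parse_ecjpake_kkpp is outside the hunks.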
@@ -353,20 +334,6 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; return( 0 ); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) -psa_pake_error: - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - - MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); - mbedtls_ssl_send_alert_message( - ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); - - return( ret ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -2903,13 +2870,13 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; #if defined(MBEDTLS_USE_PSA_CRYPTO) unsigned char *out_p = ssl->out_msg + ssl->out_msglen; unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen; - psa_status_t status; size_t output_offset = 0; - size_t output_len; + size_t output_len = 0; size_t ec_len; #if !defined(MBEDTLS_ECJPAKE_ALT) 
@@ -2931,34 +2898,20 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, #endif //MBEDTLS_PSA_BUILTIN_ALG_JPAKE output_offset += ec_len; - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) + ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, + out_p + output_offset, + end_p - out_p - output_offset, &output_len ); + if( ret != 0 ) { - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(out_p + output_offset) = 65; - } else { - *(out_p + output_offset) = 32; - } - output_offset += 1; - status = psa_pake_output( &ssl->handshake->psa_pake_ctx, - step, out_p + output_offset, - end_p - out_p - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); } + output_offset += output_len; ssl->out_msglen += output_offset; #else - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; ret = mbedtls_ecjpake_write_round_two( 
@@ -4192,37 +4145,9 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t len = end - p; - psa_status_t status; - size_t input_offset = 0; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* Length is stored at the first byte */ - size_t length = p[input_offset]; - input_offset += 1; - - if( input_offset + length > len ) - { - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto psa_pake_out; - } - - status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, - p + input_offset, length ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto psa_pake_out; - } - - input_offset += length; - } - -psa_pake_out: - if( ret != 0 ) + if( ( ret = psa_tls12_parse_ecjpake_round_two( + &ssl->handshake->psa_pake_ctx, p, end - p, + ssl->conf->endpoint ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); From fbbc1f3812cd13ccf86c2e8d090f62ef6a27705a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 15 Nov 2022 16:39:55 +0100 Subject: [PATCH 192/413] tls12: psa_pake: use proper defines for the output size of each step in ECJPAKE Signed-off-by: Valerio Setti --- library/ssl_misc.h | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d4ce35c5a1..34879a18cd 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -2366,6 +2366,18 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
 defined(MBEDTLS_USE_PSA_CRYPTO)
+
+/* Currently JPAKE only supports elliptic curve secp256r1 */
+#define MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE \
+ PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, \
+ PSA_ECC_FAMILY_SECP_R1, 256 )
+
+/* Expected output data size for each "step" of EC-JPAKE key echange */
+#define MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ) \
+ PSA_PAKE_OUTPUT_SIZE( PSA_ALG_JPAKE, \
+ MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE, \
+ step )
+
 /**
 * \brief Parse the provided input buffer for getting the first round
 * of key exchange. This code is common between server and client
@@ -2376,7 +2388,7 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
 *
 * \return 0 on success or a negative error code in case of failure
 */
-static inline int psa_tls12_parse_ecjpake_round_one(
+static inline int psa_tls12_parse_ecjpake_round_one(
 psa_pake_operation_t *pake_ctx,
 const unsigned char *buf,
 size_t len )
@@ -2502,11 +2514,7 @@ static inline int psa_tls12_write_ecjpake_round_one(
 ++step )
 {
 /* For each step, prepend 1 byte with the length of the data */
- if (step != PSA_PAKE_STEP_ZK_PROOF) {
- *(buf + output_offset) = 65;
- } else {
- *(buf + output_offset) = 32;
- }
+ *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step );
 output_offset += 1;
 status = psa_pake_output( pake_ctx, step,
@@ -2552,11 +2560,7 @@ static inline int psa_tls12_write_ecjpake_round_two(
 ++step )
 {
 /* For each step, prepend 1 byte with the length of the data */
- if (step != PSA_PAKE_STEP_ZK_PROOF) {
- *(buf + output_offset) = 65;
- } else {
- *(buf + output_offset) = 32;
- }
+ *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step );
 output_offset += 1;
 status = psa_pake_output( pake_ctx, step, buf + output_offset,
From 4a9caaa0c9cae90d5cc4a7e08f92752698cee6cc Mon Sep 17 00:00:00 2001
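Review bot: The length prefix written in the two write-round hunks, `*(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step );`, is committed to the wire before psa_pake_output runs, and nothing in the hunks compares the `output_len` the call returns against that prefix, so if the PSA implementation ever emits a different size for a step the peer reads a misframed message. After the psa_pake_output call (outside these hunks) add `if( output_len != MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ) ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`. The same point applies to both psa_tls12_write_ecjpake_round_one and psa_tls12_write_ecjpake_round_two. In the first hunk the comment on the new macro has a typo; it should read `/* Expected output data size for each "step" of EC-JPAKE key exchange */`.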
From: Valerio Setti
Date: Wed, 16 Nov 2022 08:17:09 +0100
Subject: [PATCH 193/413] tls12: psa_pake: check elliptic curve's TLS ID on handshake
Signed-off-by: Valerio Setti
---
 library/ssl_misc.h | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 34879a18cd..807e7811da 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2452,22 +2452,27 @@ static inline int psa_tls12_parse_ecjpake_round_two(
 /*
 * On its 2nd round, the server sends 3 extra bytes which identify the
- * curve. Therefore we should skip them only on the client side
+ * curve:
+ * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE
+ * - the 2nd and 3rd represent curve's TLS ID
+ * Validate this data before moving forward
 */
- if( ( step == PSA_PAKE_STEP_KEY_SHARE ) &&
+ if( ( step == PSA_PAKE_STEP_KEY_SHARE ) &&
 ( role == MBEDTLS_SSL_IS_CLIENT ) )
 {
- /* Length is stored after the 3 bytes for the curve */
- length = buf[input_offset + 3];
- input_offset += 3 + 1;
- }
- else
- {
- /* Length is stored at the first byte */
- length = buf[input_offset];
- input_offset += 1;
+ uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 );
+
+ if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) ||
+ ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) )
+ return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+ input_offset += 3;
 }
+ /* Length is stored at the first byte */
+ length = buf[input_offset];
+ input_offset += 1;
+
 if( input_offset + length > len )
 {
 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
From 6f1b5741ae239433414b772adb06e8515c1bd353 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 16 Nov 2022 10:00:32 +0100
Subject: [PATCH 194/413] tls12: psa_pake: simplify EC info parsing in server's 2nd round
Signed-off-by: Valerio Setti
---
 library/ssl_tls12_server.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)
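Review bot: The new curve check reads `*buf` and `MBEDTLS_GET_UINT16_BE( buf, 1 )` before any length check, and the length byte is then read with `length = buf[input_offset];` before the `input_offset + length > len` test, so a truncated ServerKeyExchange lets the parser read past `len`. Guard both reads: `if( len < 3 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` before the curve bytes, and `if( input_offset >= len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` before reading the length byte. The curve-mismatch branch returns MBEDTLS_ERR_ECP_BAD_INPUT_DATA while the length check a few lines below returns MBEDTLS_ERR_SSL_BAD_INPUT_DATA; using the SSL-layer code for both keeps the function's error domain consistent. The curve bytes are also read from fixed offsets 0 and 1 rather than `buf + input_offset`, which is only equivalent if this branch runs at offset 0; psa_tls12_parse_ecjpake_round_two starts outside the hunk, so that cannot be confirmed here.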
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 806efd21b5..38899f9528 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2877,26 +2877,24 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
 ssl->out_msglen;
 size_t output_offset = 0;
 size_t output_len = 0;
- size_t ec_len;
-
-#if !defined(MBEDTLS_ECJPAKE_ALT)
- psa_pake_operation_t* pake_op = &(ssl->handshake->psa_pake_ctx);
-
- mbedtls_ecp_tls_write_group( &(pake_op->ctx.ecjpake.grp),
- &ec_len, out_p + output_offset,
- end_p - out_p);
-#else
 const mbedtls_ecp_curve_info *curve_info;
- if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL )
- return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
-
+ /*
+ * The first 3 bytes are:
+ * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
+ * [1, 2] elliptic curve's TLS ID
+ *
+ * However since we only support secp256r1 for now, we hardcode its
+ * TLS ID here
+ */
+ if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id(
+ MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL )
+ {
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ }
 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
-
- MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p + 1, 0 );
- ec_len = 3;
-#endif //MBEDTLS_PSA_BUILTIN_ALG_JPAKE
- output_offset += ec_len;
+ MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 );
+ output_offset += sizeof( uint8_t ) + sizeof( uint16_t );
 ret = psa_tls12_write_ecjpake_round_two(
 &ssl->handshake->psa_pake_ctx,
 out_p + output_offset,
From 52d8e96ff6f729c9f64222c56f1088458f023dce Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Wed, 16 Nov 2022 12:55:27 +0100
Subject: [PATCH 195/413] Disable PSA_WANT_ALG_STREAM_CIPHER, PSA_WANT_ALG_ECB_NO_PADDING also in reference config
Signed-off-by: Przemek Stekiel
Signed-off-by: Przemek Stekiel
---
 tests/scripts/all.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index c76a94fcf4..22c3f760ed 100755
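Review bot: The three curve bytes are now written unconditionally with `*out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;` and `MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 );`, whereas the removed mbedtls_ecp_tls_write_group call was given `end_p - out_p` as its buffer size and could refuse. Add `if( end_p - out_p < 3 ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );` before the writes so the header cannot overrun the output buffer when the message buffer is nearly full. Whether the caller already guarantees that space is outside the hunk, as is the rest of ssl_prepare_server_key_exchange.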
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2115,7 +2115,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
 tests/ssl-opt.sh
 msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
- #tests/compat.sh
+ tests/compat.sh
 }
 # This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
@@ -2125,6 +2125,9 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
 component_test_psa_crypto_config_reference_hash_use_psa() {
 msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
+
 config_psa_crypto_hash_use_psa 0
 make
From 6419ab5299a723684f7ada8d69f0e8046ecc7d26 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Wed, 16 Nov 2022 12:57:06 +0100
Subject: [PATCH 196/413] Reduce number of skipped suites (after making configs more similar)
Signed-off-by: Przemek Stekiel
---
 tests/scripts/analyze_outcomes.py | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index ba38ec2808..508933718d 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -145,12 +145,6 @@ TASKS = {
 'component_driver': 'test_psa_crypto_config_accel_hash_use_psa',
 'ignored_suites': ['shax', 'mdx', # the software implementations that are being excluded
 'md', # the legacy abstraction layer that's being excluded
- 'entropy', 'hmac_drbg', 'random', # temporary limitation
- # (see RNG EPIC)
- 'psa_crypto_init', # doesn't work with external RNG
- 'hkdf', # legacy still depends on MD,
- # but there's a PSA interface that doesn't
- 'pkcs7' # recent addition, will be addressed later
 ]}}
 }
From 0f0b54851944c7c4523061810711850e8851ad73 Mon Sep 17 00:00:00 2001
From: Tom Cosgrove
Date: Wed, 16 Nov 2022 14:23:51 +0000
Subject: [PATCH 197/413] Limit ChangeLog entry to 80 characters
Signed-off-by: Tom Cosgrove
---
 ...-possible-false-success-in-mbedtls_cipher_check_tag.txt | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
index 01492438aa..1f9e0aa350 100644
--- a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
+++ b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
@@ -1,4 +1,5 @@
 Changes
- * Calling AEAD tag-specific functions for non-AEAD algorithms (which should not
- be done - they are documented for use only by AES-GCM and ChaCha20+Poly1305)
- now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE instead of success (0).
+ * Calling AEAD tag-specific functions for non-AEAD algorithms (which
+ should not be done - they are documented for use only by AES-GCM and
+ ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+ instead of success (0).
From 7c7954842b6e287f95168a5dafdc00f0491e1675 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Tue, 15 Nov 2022 22:26:12 +0100
Subject: [PATCH 198/413] Adapt ec-jpake_setup test
Now when operation holds pointer to dynamically allocated buffer for password key we can't do copy of the operation object in test instead we need to re-initialize operation object after error.
Signed-off-by: Przemek Stekiel
---
 tests/suites/test_suite_psa_crypto.function | 54 ++++++++++++++++-----
 1 file changed, 41 insertions(+), 13 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 779f594dca..60befa73f4 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -31,6 +31,29 @@
 #define ASSERT_OPERATION_IS_ACTIVE( operation ) TEST_ASSERT( operation.id != 0 )
 #define ASSERT_OPERATION_IS_INACTIVE( operation ) TEST_ASSERT( operation.id == 0 )
+#if defined(PSA_WANT_ALG_JPAKE)
+void ecjpake_operation_setup( psa_pake_operation_t *operation,
+ psa_pake_cipher_suite_t *cipher_suite,
+ psa_pake_role_t role,
+ mbedtls_svc_key_id_t key,
+ size_t key_available )
+{
+ *operation = psa_pake_operation_init();
+
+ TEST_EQUAL( psa_pake_setup( operation, cipher_suite ),
+ PSA_SUCCESS );
+
+ TEST_EQUAL( psa_pake_set_role( operation, role),
+ PSA_SUCCESS );
+
+ if( key_available )
+ TEST_EQUAL( psa_pake_set_password_key( operation, key ),
+ PSA_SUCCESS );
+exit:
+ return;
+}
+#endif
+
 /** An invalid export length that will never be set by psa_export_key(). */
 static const size_t INVALID_EXPORT_LENGTH = ~0U;
@@ -8740,7 +8763,6 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
 {
 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
 psa_pake_operation_t operation = psa_pake_operation_init();
- psa_pake_operation_t op_copy = psa_pake_operation_init();
 psa_algorithm_t alg = alg_arg;
 psa_pake_primitive_t primitive = primitive_arg;
 psa_key_type_t key_type_pw = key_type_pw_arg;
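Review bot: ecjpake_operation_setup overwrites the operation with `*operation = psa_pake_operation_init();` without aborting it first; later hunks in this series show that psa_pake_set_password_key stores a heap copy of the password in `operation->password` and that only psa_pake_abort frees it, so each re-setup at the call sites in the two ecjpake_setup hunks that follow leaks the previous copy unless the failing psa_pake_input/psa_pake_output call has already aborted the operation, which these hunks do not show. Make `psa_pake_abort( operation );` the first statement of the helper. A failed TEST_EQUAL inside the helper jumps to its local `exit:` and returns normally, so the caller continues with a half-initialised operation; a short comment stating that the helper relies on the test-case result already being marked failed would help the next reader.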
@@ -8839,22 +8861,25 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
 if( input_first )
 {
 /* Invalid parameters (input) */
- op_copy = operation;
- TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF,
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
 NULL, 0 ), PSA_ERROR_INVALID_ARGUMENT );
 /* Invalid parameters (step) */
- op_copy = operation;
- TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF + 10,
+ ecjpake_operation_setup( &operation, &cipher_suite, role,
+ key, pw_data->len );
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
 output_buffer, size_zk_proof ), PSA_ERROR_INVALID_ARGUMENT );
 /* Invalid first step */
- op_copy = operation;
- TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF,
+ ecjpake_operation_setup( &operation, &cipher_suite, role,
+ key, pw_data->len );
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
 output_buffer, size_zk_proof ), PSA_ERROR_BAD_STATE );
 /* Possibly valid */
+ ecjpake_operation_setup( &operation, &cipher_suite, role,
+ key, pw_data->len );
 TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE,
 output_buffer, size_key_share ), expected_status_input_output);
@@ -8875,22 +8900,25 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
 else
 {
 /* Invalid parameters (output) */
- op_copy = operation;
- TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF,
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
 NULL, 0, NULL ), PSA_ERROR_INVALID_ARGUMENT );
- op_copy = operation;
 /* Invalid parameters (step) */
- TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF + 10,
+ ecjpake_operation_setup( &operation, &cipher_suite, role,
+ key, pw_data->len );
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
 output_buffer, buf_size, &output_len ), PSA_ERROR_INVALID_ARGUMENT );
 /* Invalid first step */
- op_copy = operation;
- TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF,
+ ecjpake_operation_setup( &operation, &cipher_suite, role,
+ key, pw_data->len );
+ TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
 output_buffer, buf_size, &output_len ), PSA_ERROR_BAD_STATE );
 /* Possibly valid */
+ ecjpake_operation_setup( &operation, &cipher_suite, role,
+ key, pw_data->len );
 TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
 output_buffer, buf_size, &output_len ), expected_status_input_output );
From 1def5becc285b9150b334d7626e98d413b29a026 Mon Sep 17 00:00:00 2001
From: Przemyslaw Stekiel
Date: Wed, 16 Nov 2022 12:00:26 +0100
Subject: [PATCH 199/413] Add psa_get_and_lock_key_slot_with_policy to header file
Signed-off-by: Przemyslaw Stekiel
---
 library/psa_crypto_core.h | 8 ++++++++
 library/psa_crypto_pake.c | 5 -----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 98638481c8..37f8162de7 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -183,6 +183,14 @@ static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
 }
 #endif
+
+/** Get the description of a key given its identifier and policy constraints
+ * and lock it.
+ */
+psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg );
+
 /** Completely wipe a slot in memory, including its policy.
 *
 * Persistent storage is not affected.
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 1deb48875f..224f922dbc 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -33,11 +33,6 @@
 #include
 #include
-extern psa_status_t psa_get_and_lock_key_slot_with_policy(
- mbedtls_svc_key_id_t key,
- psa_key_slot_t **p_slot,
- psa_key_usage_t usage,
- psa_algorithm_t alg );
 /*
 * State sequence:
 *
From 542d9323521434bb5b4533eec244e95f79e73eae Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Thu, 17 Nov 2022 09:43:34 +0100
Subject: [PATCH 200/413] Fix handling of default value for task argument
Signed-off-by: Przemek Stekiel
---
 tests/scripts/analyze_outcomes.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 508933718d..4ebd5f6304 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -153,7 +153,7 @@ def main():
 parser = argparse.ArgumentParser(description=__doc__)
 parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
 help='Outcome file to analyze')
- parser.add_argument('task', default='all',
+ parser.add_argument('task', default='all', nargs='?',
 help='Analysis to be done. By default, run all tasks. '
 'With one or more TASK, run only those. '
 'TASK can be the name of a single task or '
From 8c0eb9744ce3a8bc9cf7bb5c0fec21ccfc6d8cc3 Mon Sep 17 00:00:00 2001
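Review bot: The new declaration's comment says what psa_get_and_lock_key_slot_with_policy does but not what the caller owes it: nothing states that on success `*p_slot` is locked and must be released with psa_unlock_key_slot(), which the psa_pake_set_password_key call site later in this series does, nor what `usage` and `alg` are checked against or which statuses are returned. Extend the comment to document the lock/unlock pairing, that the slot must not be used after unlocking, and the error statuses, in the Doxygen style of the surrounding declarations. The removed extern in psa_crypto_pake.c was the only prior declaration, so the header is now the single place the signature is stated.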
From: Tom Cosgrove
Date: Thu, 17 Nov 2022 08:48:12 +0000
Subject: [PATCH 201/413] Must call mbedtls_mpi_mod_modulus_init() before anything else in tests
Signed-off-by: Tom Cosgrove
---
 tests/suites/test_suite_bignum_mod_raw.function | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index ff766b9dca..4adccce25b 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -117,10 +117,12 @@ void mpi_mod_raw_cond_assign( char * input_X,
 mbedtls_mpi_uint *X = NULL;
 mbedtls_mpi_uint *Y = NULL;
 mbedtls_mpi_uint *buff_m = NULL;
- mbedtls_mpi_mod_modulus m;
 size_t limbs_X;
 size_t limbs_Y;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init( &m );
+
 TEST_EQUAL( mbedtls_test_read_mpi_core( &X, &limbs_X, input_X ), 0 );
 TEST_EQUAL( mbedtls_test_read_mpi_core( &Y, &limbs_Y, input_Y ), 0 );
@@ -129,8 +131,6 @@ void mpi_mod_raw_cond_assign( char * input_X,
 size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
 size_t copy_bytes = copy_limbs * sizeof( mbedtls_mpi_uint );
- mbedtls_mpi_mod_modulus_init( &m );
-
 TEST_EQUAL( limbs_X, limbs_Y );
 TEST_ASSERT( copy_limbs <= limbs );
@@ -190,10 +190,12 @@ void mpi_mod_raw_cond_swap( char * input_X,
 mbedtls_mpi_uint *X = NULL;
 mbedtls_mpi_uint *Y = NULL;
 mbedtls_mpi_uint *buff_m = NULL;
- mbedtls_mpi_mod_modulus m;
 size_t limbs_X;
 size_t limbs_Y;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init( &m );
+
 TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_X, &limbs_X, input_X ), 0 );
 TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_Y, &limbs_Y, input_Y ), 0 );
@@ -202,8 +204,6 @@ void mpi_mod_raw_cond_swap( char * input_X,
 size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
 size_t copy_bytes = copy_limbs * sizeof( mbedtls_mpi_uint );
- mbedtls_mpi_mod_modulus_init( &m );
-
 TEST_EQUAL( limbs_X, limbs_Y );
 TEST_ASSERT( copy_limbs <= limbs );
From e9622ac4bac64a2c0b5550b30be5b23f63fa7f60 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Thu, 17 Nov 2022 09:23:32 +0000
Subject: [PATCH 202/413] Remove the fore_tls13 option case from client side
Signed-off-by: Xiaokang Qian
---
 tests/opt-testcases/tls13-misc.sh | 23 +----------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 8b9d5750f8..3e2fd0b202 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -291,27 +291,6 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
 requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 run_test "TLS 1.3 m->G: EarlyData: basic check, good" \
- "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
- "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
- 1 \
- -c "Reconnecting with saved session" \
- -c "NewSessionTicket: early_data(42) extension received." \
- -c "ClientHello: early_data(42) extension exists." \
- -c "EncryptedExtensions: early_data(42) extension received." \
- -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
- -s "Parsing extension 'Early Data/42' (0 bytes)" \
- -s "Sending extension Early Data/42 (0 bytes)" \
- -s "early data accepted"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_EARLY_DATA
-requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3 m->G: EarlyData: hybrid check, good" \
 "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
 "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
 1 \
@@ -332,7 +311,7 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
 MBEDTLS_SSL_EARLY_DATA
 requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good." \
+run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \
 "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
 "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
 0 \
From 85c54ea3613f44c0f8c4c52d265128dcf478aaf4 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Thu, 17 Nov 2022 11:50:23 +0100
Subject: [PATCH 203/413] Allow providing space sepatated tasks
Signed-off-by: Przemek Stekiel
---
 tests/scripts/analyze_outcomes.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 4ebd5f6304..bb44396534 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -9,6 +9,7 @@ less likely to be useful.
 import argparse
 import sys
 import traceback
+import re
 import check_test_cases
@@ -157,7 +158,7 @@ def main():
 help='Analysis to be done. By default, run all tasks. '
 'With one or more TASK, run only those. '
 'TASK can be the name of a single task or '
- 'coma-separated list of tasks. ')
+ 'comma/space-separated list of tasks. ')
 parser.add_argument('--list', action='store_true',
 help='List all available tasks and exit.')
 options = parser.parse_args()
@@ -172,7 +173,7 @@ def main():
 if options.task == 'all':
 tasks = TASKS.keys()
 else:
- tasks = options.task.split(',')
+ tasks = re.split(r'[, ]+', options.task)
 for task in tasks:
 if task not in TASKS:
From 152ae07682a7c7630b03fc2337721b4b0a19df01 Mon Sep 17 00:00:00 2001
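Review bot: `tasks = re.split(r'[, ]+', options.task)` in the last analyze_outcomes.py hunk yields empty strings when the argument has a leading or trailing separator (`'a, '` gives `['a', '']`), and the empty name then trips the `if task not in TASKS:` check with a confusing message. `tasks = options.task.replace(',', ' ').split()` handles both separators without producing empties and needs no new import. If `re` is kept, `import re` belongs between `argparse` and `sys` in the alphabetically ordered stdlib group of the first hunk rather than after `traceback`.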
From: Przemek Stekiel
Date: Thu, 17 Nov 2022 13:24:36 +0100
Subject: [PATCH 204/413] Change password ec j-pake operation fields to more suitable
Signed-off-by: Przemek Stekiel
---
 include/psa/crypto_extra.h | 4 ++--
 library/psa_crypto_pake.c | 28 ++++++++++++++--------------
 2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index d527e579b6..33e2e77b99 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -1920,8 +1920,8 @@ struct psa_pake_operation_s
 #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
 unsigned int MBEDTLS_PRIVATE(input_step);
 unsigned int MBEDTLS_PRIVATE(output_step);
- uint8_t* MBEDTLS_PRIVATE(password_data);
- size_t MBEDTLS_PRIVATE(password_bytes);
+ uint8_t* MBEDTLS_PRIVATE(password);
+ size_t MBEDTLS_PRIVATE(password_len);
 psa_pake_role_t MBEDTLS_PRIVATE(role);
 uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]);
 size_t MBEDTLS_PRIVATE(buffer_length);
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 224f922dbc..b89954830f 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -286,20 +286,20 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
 if( slot->key.data == NULL || slot->key.bytes == 0 )
 return( PSA_ERROR_INVALID_ARGUMENT );
- if( operation->password_data != NULL )
+ if( operation->password != NULL )
 {
- mbedtls_free( operation->password_data );
- operation->password_bytes = 0;
+ mbedtls_free( operation->password );
+ operation->password_len = 0;
 }
- operation->password_data = mbedtls_calloc( 1, slot->key.bytes );
- if( operation->password_data == NULL )
+ operation->password = mbedtls_calloc( 1, slot->key.bytes );
+ if( operation->password == NULL )
 {
 status = psa_unlock_key_slot( slot );
 return( PSA_ERROR_INSUFFICIENT_MEMORY );
 }
- memcpy( operation->password_data, slot->key.data, slot->key.bytes );
- operation->password_bytes = slot->key.bytes;
+ memcpy( operation->password, slot->key.data, slot->key.bytes );
+ operation->password_len = slot->key.bytes;
 status = psa_unlock_key_slot( slot );
 if( status != PSA_SUCCESS )
@@ -387,8 +387,8 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
 else
 return( PSA_ERROR_BAD_STATE );
- if (operation->password_data == NULL ||
- operation->password_bytes == 0 )
+ if (operation->password == NULL ||
+ operation->password_len == 0 )
 {
 return( PSA_ERROR_BAD_STATE );
 }
@@ -397,8 +397,8 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
 role,
 MBEDTLS_MD_SHA256,
 MBEDTLS_ECP_DP_SECP256R1,
- operation->password_data,
- operation->password_bytes );
+ operation->password,
+ operation->password_len );
 if( ret != 0 )
 return( mbedtls_ecjpake_to_psa_error( ret ) );
@@ -864,9 +864,9 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
 {
 operation->input_step = PSA_PAKE_STEP_INVALID;
 operation->output_step = PSA_PAKE_STEP_INVALID;
- mbedtls_free( operation->password_data );
- operation->password_data = NULL;
- operation->password_bytes = 0;
+ mbedtls_free( operation->password );
+ operation->password = NULL;
+ operation->password_len = 0;
 operation->role = PSA_PAKE_ROLE_NONE;
 mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE );
 operation->buffer_length = 0;
From 369ae0afc35079979d32b93ba824898a23e1f733 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Thu, 17 Nov 2022 14:14:31 +0100
Subject: [PATCH 205/413] Zeroize pake password buffer before free
Signed-off-by: Przemek Stekiel
---
 library/psa_crypto_pake.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index b89954830f..ef31af4204 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -288,6 +288,7 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
 if( operation->password != NULL )
 {
+ mbedtls_platform_zeroize( operation->password, operation->password_len );
 mbedtls_free( operation->password );
 operation->password_len = 0;
 }
@@ -864,6 +865,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
 {
 operation->input_step = PSA_PAKE_STEP_INVALID;
 operation->output_step = PSA_PAKE_STEP_INVALID;
+ mbedtls_platform_zeroize( operation->password, operation->password_len );
 mbedtls_free( operation->password );
 operation->password = NULL;
 operation->password_len = 0;
From 96a0fd951f8995b381ba31b104ce971b0c56007a Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Tue, 8 Nov 2022 17:09:56 +0000
Subject: [PATCH 206/413] Fix signature algorithms list entry getting overwritten by length.
Fix bug whereby the supported signature algorithm list sent by the server in the certificate request would not leave enough space for the length to be written, and thus the first element would get overwritten, leaving two random bytes in the last entry.
Signed-off-by: Paul Elliott
---
 ChangeLog.d/fix-tls12server-sent-sigalgs.txt | 5 +++++
 library/ssl_tls12_server.c | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 ChangeLog.d/fix-tls12server-sent-sigalgs.txt
diff --git a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
new file mode 100644
index 0000000000..9abde2b521
--- /dev/null
+++ b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix a bug whereby the the list of signature algorithms sent as part of the
+ TLS 1.2 server certificate request would get corrupted, meaning the first
+ algorithm would not get sent and an entry consisting of two random bytes
+ would be sent instead. Found by Serban Bejan and Dudek Sebastian.
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 71f703c7ff..3dab2467c6 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2531,10 +2531,15 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) )
 continue;
- MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len );
+ /* Write elements at offsets starting from 1 (offset 0 is for the
+ * length). Thus the offset of each element is the length of the
+ * partial list including that element. */
 sa_len += 2;
+ MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len );
+
 }
+ /* Fill in list length. */
 MBEDTLS_PUT_UINT16_BE( sa_len, p, 0 );
 sa_len += 2;
 p += sa_len;
From ec71b0937f74a84a781f955ecb10ca89ba1577b2 Mon Sep 17 00:00:00 2001
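Review bot: The new comment in ssl_write_certificate_request describes the fix with wording that does not match the code: `sa_len` is advanced by 2 before each write, so elements start at offset 2, not "offsets starting from 1", and offset 0 holds a 2-byte length, not a single byte. Suggested wording: `/* The 2-byte list length goes at offset 0, so advance sa_len first: each element lands at offset 2*k for the k-th entry, which is the length of the list up to and including it. */`. The hunk fixes the overwrite of the first entry but still writes into `p` without a visible bound on the remaining output space; the function's buffer bookkeeping is outside the hunk, so that cannot be confirmed here.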
From: Andrzej Kurek
Date: Tue, 15 Nov 2022 10:21:50 -0500
Subject: [PATCH 207/413] Introduce a test for single signature algorithm correctness
The value of the first sent signature algorithm is overwritten. This test forces only a single algorithm to be sent and then validates that the client received such algorithm. 04 03 is the expected value for SECP256R1_SHA256.
Signed-off-by: Andrzej Kurek
---
 library/ssl_tls12_client.c | 2 +-
 tests/ssl-opt.sh | 29 +++++++++++++++++++++--------
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 1c53a09903..21b3ba6216 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2654,7 +2654,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
 for( size_t i = 0; i < sig_alg_len; i += 2 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "Supported Signature Algorithm found: %d,%d",
+ ( "Supported Signature Algorithm found: %02x %02x",
 sig_alg[i], sig_alg[i + 1] ) );
 }
 #endif
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index fc892a18bc..c5d0d9ada6 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2371,6 +2371,19 @@ run_test "Unique IV in GCM" \
 -u "IV used" \
 -U "IV used"
+# Test for correctness of sent single supported algorithm
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_hash_alg SHA_256
+run_test "Single supported algorithm sending" \
+ "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
+ "$P_CLI sig_algs=ecdsa_secp256r1_sha256 debug_level=3" \
+ 0 \
+ -c "Supported Signature Algorithm found: 04 03"
+
 # Tests for certificate verification callback
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Configuration-specific CRT verification callback" \
@@ -5274,8 +5287,8 @@ run_test "Authentication: client SHA256, server required" \
 key_file=data_files/server6.key \
 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
 0 \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
+ -c "Supported Signature Algorithm found: 04 " \
+ -c "Supported Signature Algorithm found: 05 "
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
@@ -5285,8 +5298,8 @@ run_test "Authentication: client SHA384, server required" \
 key_file=data_files/server6.key \
 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
 0 \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
+ -c "Supported Signature Algorithm found: 04 " \
+ -c "Supported Signature Algorithm found: 05 "
 requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
 run_test "Authentication: client has no cert, server required (TLS)" \
@@ -5687,8 +5700,8 @@ run_test "Authentication, CA callback: client SHA256, server required" \
 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
 0 \
 -s "use CA callback for X.509 CRT verification" \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
+ -c "Supported Signature Algorithm found: 04 " \
+ -c "Supported Signature Algorithm found: 05 "
 requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -5700,8 +5713,8 @@ run_test "Authentication, CA callback: client SHA384, server required" \
 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
 0 \
 -s "use CA callback for X.509 CRT verification" \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
+ -c "Supported Signature Algorithm found: 04 " \
+ -c "Supported Signature Algorithm found: 05 "
 requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
From 3b4cedaa713427e609bebfa59538a77d5eac74ce Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Thu, 17 Nov 2022 12:47:10 +0000
Subject: [PATCH 208/413] Add SSL_SRV requirement to test
Signed-off-by: Paul Elliott
---
 tests/ssl-opt.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c5d0d9ada6..41dd491f70 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2376,6 +2376,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_ECDSA_C
 requires_hash_alg SHA_256
 run_test "Single supported algorithm sending" \
From f6e342cae29c68c4e598962c3f9553aa7e1b92c2 Mon Sep 17 00:00:00 2001
From: Paul Elliott
Date: Thu, 17 Nov 2022 12:50:29 +0000
Subject: [PATCH 209/413] Add test for single signature alg with openssl
Test supplied by Gilles Peskine. Also rename previous test to fit to naming pattern.
Signed-off-by: Paul Elliott
---
 tests/ssl-opt.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 41dd491f70..f2e3f0cc73 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2379,12 +2379,23 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_ECDSA_C requires_hash_alg SHA_256 -run_test "Single supported algorithm sending" \ +run_test "Single supported algorithm sending: mbedtls client" \ "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \ "$P_CLI sig_algs=ecdsa_secp256r1_sha256 debug_level=3" \ 0 \ -c "Supported Signature Algorithm found: 04 03" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_hash_alg SHA_256 +run_test "Single supported algorithm sending: openssl client" \ + "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \ + "$O_CLI -cert data_files/server6.crt \ + -key data_files/server6.key" \ + 0 + # Tests for certificate verification callback requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Configuration-specific CRT verification callback" \ From a08b1a40a0ff0a69fa7114280f3b1e31772466ee Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 15:10:02 +0100 Subject: [PATCH 210/413] tls: psa_pake: move move key exchange read/write functions to ssl_tls.c Inlined functions might cause the compiled code to have different sizes depending on the usage and this not acceptable in some cases. Therefore read/write functions used in the initial key exchange are moved to a standard C file. Signed-off-by: Valerio Setti --- library/ssl_misc.h | 159 ++--------------------------------- library/ssl_tls.c | 167 +++++++++++++++++++++++++++++++++++++ library/ssl_tls12_client.c | 8 +- library/ssl_tls12_server.c | 6 +- 4 files changed, 182 insertions(+), 158 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 807e7811da..d022721a7f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -2388,43 +2388,10 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_parse_ecjpake_round_one( +int mbedtls_psa_ecjpake_read_round_one( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len ) -{ - psa_status_t status; - size_t input_offset = 0; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1; x <= 2; ++x ) - { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; - step <= PSA_PAKE_STEP_ZK_PROOF; - ++step ) - { - /* Length is stored at the first byte */ - size_t length = buf[input_offset]; - input_offset += 1; - - if( input_offset + length > len ) - { - return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - } - - status = psa_pake_input( pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - return psa_ssl_status_to_mbedtls( status ); - } - - input_offset += length; - } - } - - return( 0 ); -} + size_t len ); /** * \brief Parse the provided input buffer for getting the second round 
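Review bot: The new external prototype `int mbedtls_psa_ecjpake_read_round_one(` carries no return-check attribute, whereas the `static inline` definition it replaces lived in the same translation unit as its callers; if this header's other internal prototypes are marked `MBEDTLS_CHECK_RETURN_CRITICAL`, this declaration and the three that follow (hunks at -2436, -2502 and -2551) should be too, since a dropped return value here means peer-supplied key-exchange data was not fully validated. The doxygen block kept as context above the declaration still matches the new signature, so no documentation change is needed for this hunk.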
@@ -2436,60 +2403,10 @@ static inline int psa_tls12_parse_ecjpake_round_one( * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_parse_ecjpake_round_two( +int mbedtls_psa_ecjpake_read_round_two( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len, int role ) -{ - psa_status_t status; - size_t input_offset = 0; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - size_t length; - - /* - * On its 2nd round, the server sends 3 extra bytes which identify the - * curve: - * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE - * - the 2nd and 3rd represent curve's TLS ID - * Validate this data before moving forward - */ - if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && - ( role == MBEDTLS_SSL_IS_CLIENT ) ) - { - uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 ); - - if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) || - ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - input_offset += 3; - } - - /* Length is stored at the first byte */ - length = buf[input_offset]; - input_offset += 1; - - if( input_offset + length > len ) - { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - status = psa_pake_input( pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - return psa_ssl_status_to_mbedtls( status ); - } - - input_offset += length; - } - - return( 0 ); -} + size_t len, int role ); /** * \brief Write the first round of key exchange into the provided output 
@@ -2502,43 +2419,10 @@ static inline int psa_tls12_parse_ecjpake_round_two( * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_write_ecjpake_round_one( +int mbedtls_psa_ecjpake_write_round_one( psa_pake_operation_t *pake_ctx, unsigned char *buf, - size_t len, size_t *olen ) -{ - psa_status_t status; - size_t output_offset = 0; - size_t output_len; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) - { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); - output_offset += 1; - - status = psa_pake_output( pake_ctx, step, - buf + output_offset, - len - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; - } - } - - *olen = output_offset; - - return( 0 ); -} + size_t len, size_t *olen ); /** * \brief Write the second round of key exchange into the provided output 
@@ -2551,38 +2435,11 @@ static inline int psa_tls12_write_ecjpake_round_one( * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_write_ecjpake_round_two( +int mbedtls_psa_ecjpake_write_round_two( psa_pake_operation_t *pake_ctx, unsigned char *buf, - size_t len, size_t *olen ) -{ - psa_status_t status; - size_t output_offset = 0; - size_t output_len; + size_t len, size_t *olen ); - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); - output_offset += 1; - status = psa_pake_output( pake_ctx, - step, buf + output_offset, - len - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; - } - - *olen = output_offset; - - return( 0 ); -} #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO /** diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8771c595b9..35262cb885 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -8194,6 +8194,173 @@ end: return( ret ); } +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_psa_ecjpake_read_round_one( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len ) +{ + psa_status_t status; + size_t input_offset = 0; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1; x <= 2; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + } + + status = psa_pake_input( pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + return psa_ssl_status_to_mbedtls( status ); + } + + input_offset += length; + } + } + + return( 0 ); +} + +int mbedtls_psa_ecjpake_read_round_two( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len, int role ) +{ + psa_status_t status; + size_t input_offset = 0; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + size_t length; + + /* + * On its 2nd round, the server sends 3 extra bytes which identify the + * curve: + * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE + * - the 2nd and 3rd represent curve's TLS ID + * Validate this data before moving forward + */ + if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && + ( role == MBEDTLS_SSL_IS_CLIENT ) ) + { + uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 ); + + if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) || + ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + input_offset += 3; + } + + /* Length is stored at the first byte */ + length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + status = 
psa_pake_input( pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + return psa_ssl_status_to_mbedtls( status ); + } + + input_offset += length; + } + + return( 0 ); +} + +int mbedtls_psa_ecjpake_write_round_one( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen ) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); + output_offset += 1; + + status = psa_pake_output( pake_ctx, step, + buf + output_offset, + len - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + } + + *olen = output_offset; + + return( 0 ); +} + +int mbedtls_psa_ecjpake_write_round_two( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen ) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); + output_offset += 1; + status = psa_pake_output( pake_ctx, + step, buf + output_offset, + len - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + + *olen = output_offset; + + return( 0 ); +} +#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO + #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, unsigned char 
*hash, size_t *hashlen, diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index c90ed2e46b..4e986d1dff 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -164,7 +164,7 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = psa_tls12_write_ecjpake_round_one(&ssl->handshake->psa_pake_ctx, + ret = mbedtls_psa_ecjpake_write_round_one(&ssl->handshake->psa_pake_ctx, p + 2, end - p - 2, &kkpp_len ); if ( ret != 0 ) { @@ -908,7 +908,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache_len = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = psa_tls12_parse_ecjpake_round_one( + if( ( ret = mbedtls_psa_ecjpake_read_round_one( &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -2333,7 +2333,7 @@ start_processing: if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = psa_tls12_parse_ecjpake_round_two( + if( ( ret = mbedtls_psa_ecjpake_read_round_two( &ssl->handshake->psa_pake_ctx, p, end - p, ssl->conf->endpoint ) ) != 0 ) { @@ -3292,7 +3292,7 @@ ecdh_calc_secret: unsigned char *out_p = ssl->out_msg + header_len; unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - header_len; - ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, + ret = mbedtls_psa_ecjpake_write_round_two( &ssl->handshake->psa_pake_ctx, out_p, end_p - out_p, &content_len ); if ( ret != 0 ) { diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 38899f9528..f5c50ea671 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
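Review bot: In `mbedtls_psa_ecjpake_read_round_one` the length byte `size_t length = buf[input_offset];` is read before anything confirms that a byte remains, so once `input_offset` equals `len` (including `len == 0`) the read is one byte past the buffer; the guard `if( input_offset + length > len )` only protects the payload that follows. A check `if( input_offset >= len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` before the read closes this, and the same ordering recurs in `mbedtls_psa_ecjpake_read_round_two`, whose client branch additionally reads `*buf` and `MBEDTLS_GET_UINT16_BE( buf, 1 )` without confirming `len >= 3`. The two readers also return different codes for the identical short-input condition (`MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` in round one, `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` in round two); one code would make callers and tests simpler. Whether the callers already bound `len` is not visible here, since the moved bodies are byte-identical to what was removed from ssl_misc.h.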
@@ -305,7 +305,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( ( ret = psa_tls12_parse_ecjpake_round_one( + if ( ( ret = mbedtls_psa_ecjpake_read_round_one( &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -2896,7 +2896,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); output_offset += sizeof( uint8_t ) + sizeof( uint16_t ); - ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, + ret = mbedtls_psa_ecjpake_write_round_two( &ssl->handshake->psa_pake_ctx, out_p + output_offset, end_p - out_p - output_offset, &output_len ); if( ret != 0 ) @@ -4143,7 +4143,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = psa_tls12_parse_ecjpake_round_two( + if( ( ret = mbedtls_psa_ecjpake_read_round_two( &ssl->handshake->psa_pake_ctx, p, end - p, ssl->conf->endpoint ) ) != 0 ) { From a98836476782db7fc3883b02c25707fe3da2cd3a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 15:34:59 +0100 Subject: [PATCH 211/413] tls: psa_pake: fix missing new round one parsing function on tls12 server Signed-off-by: Valerio Setti --- library/ssl_tls12_server.c | 43 +++++++------------------------------- 1 file changed, 7 insertions(+), 36 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index f5c50ea671..2e480636a0 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
@@ -1995,11 +1995,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *p = buf; const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; size_t kkpp_len; @@ -2023,40 +2019,15 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, p += 2; #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t output_offset = 0; - size_t output_len; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + ret = mbedtls_psa_ecjpake_write_round_one( &ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len ); + if ( ret != 0 ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(p + 2 + output_offset) = 65; - } else { - *(p + 2 + output_offset) = 32; - } - output_offset += 1; - status = psa_pake_output( &ssl->handshake->psa_pake_ctx, - step, p + 2 + output_offset, - end - p - output_offset - 2, - &output_len ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); - return; - } - - output_offset += output_len; - } + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return; } - - kkpp_len = output_offset; #else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, From 30ebe11f869ef6c04396e77bc091ca2d31a45c17 Mon Sep 17 00:00:00 2001 
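Review bot: The error path of the rewritten PSA branch in `ssl_write_ecjpake_kkpp_ext` logs `MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret );`, but the call that failed is now `mbedtls_psa_ecjpake_write_round_one` and `ret` is an mbedtls error code rather than a PSA status, so the message points a reader at the wrong function; `MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_psa_ecjpake_write_round_one", ret );` names the helper that actually returned the code. Replacing the hard-coded 65/32 prefixes with the shared helper is the right direction. The function's end lies outside the hunk.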
From: Valerio Setti Date: Thu, 17 Nov 2022 16:23:34 +0100 Subject: [PATCH 212/413] tls: psa_pake: add a check on read size on both rounds Signed-off-by: Valerio Setti --- library/ssl_tls.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 35262cb885..06a5ec53dc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8231,6 +8231,9 @@ int mbedtls_psa_ecjpake_read_round_one( } } + if ( input_offset != len ) + return PSA_ERROR_INVALID_ARGUMENT; + return( 0 ); } @@ -8286,6 +8289,9 @@ int mbedtls_psa_ecjpake_read_round_two( input_offset += length; } + if ( input_offset != len ) + return PSA_ERROR_INVALID_ARGUMENT; + return( 0 ); } From 9bed8ec5d85536275ca32b0cd6bb738612ea98e6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 16:36:19 +0100 Subject: [PATCH 213/413] tls: psa_pake: make round two reading function symmatric to the writing one Signed-off-by: Valerio Setti --- library/ssl_misc.h | 3 +-- library/ssl_tls.c | 21 +-------------------- library/ssl_tls12_client.c | 26 ++++++++++++++++++++++++-- library/ssl_tls12_server.c | 3 +-- 4 files changed, 27 insertions(+), 26 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d022721a7f..82a951a581 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2405,8 +2405,7 @@ int mbedtls_psa_ecjpake_read_round_one( */ int mbedtls_psa_ecjpake_read_round_two( psa_pake_operation_t *pake_ctx, - const unsigned char *buf, - size_t len, int role ); + const unsigned char *buf, size_t len ); /** * \brief Write the first round of key exchange into the provided output diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 06a5ec53dc..ae12c7ebdf 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8240,7 +8240,7 @@ int mbedtls_psa_ecjpake_read_round_one( int mbedtls_psa_ecjpake_read_round_two( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len, int role ) + size_t len ) { psa_status_t status; size_t input_offset = 0; 
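Review bot: `return PSA_ERROR_INVALID_ARGUMENT;` in both hunks (at -8231 in `mbedtls_psa_ecjpake_read_round_one` and -8286 in `mbedtls_psa_ecjpake_read_round_two`) leaks a raw PSA status out of a function whose documented contract is a negative mbedtls error code, and every other failure in these functions either returns an `MBEDTLS_ERR_SSL_*` value or goes through `psa_ssl_status_to_mbedtls()`. The check itself is the right one, since trailing bytes after the last ZK proof should fail the handshake rather than be ignored; `return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` keeps the callers' error handling and debug output consistent. The `if ( ... )` spacing also differs from the surrounding `if( ... )` style, which a later patch in this series tidies.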
@@ -8251,25 +8251,6 @@ int mbedtls_psa_ecjpake_read_round_two( { size_t length; - /* - * On its 2nd round, the server sends 3 extra bytes which identify the - * curve: - * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE - * - the 2nd and 3rd represent curve's TLS ID - * Validate this data before moving forward - */ - if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && - ( role == MBEDTLS_SSL_IS_CLIENT ) ) - { - uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 ); - - if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) || - ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - input_offset += 3; - } - /* Length is stored at the first byte */ length = buf[input_offset]; input_offset += 1; diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 4e986d1dff..6dd8ef50fe 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2333,9 +2333,31 @@ start_processing: if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) + /* + * The first 3 bytes are: + * [0] MBEDTLS_ECP_TLS_NAMED_CURVE + * [1, 2] elliptic curve's TLS ID + * + * However since we only support secp256r1 for now, we check only + * that TLS ID here + */ + uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE( p, 1 ); + const mbedtls_ecp_curve_info *curve_info; + + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( + MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + { + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + + if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || + ( read_tls_id != curve_info->tls_id ) ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + p += 3; + if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p, - ssl->conf->endpoint ) ) != 0 ) + &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); 
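Review bot: `uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE( p, 1 );` and the later `*p` dereference in the new client-side block consume three bytes of the ServerKeyExchange before anything in the hunk confirms `end - p >= 3`; unless an earlier check in this function (its start is outside the hunk) guarantees that, a truncated message is read past `end`. A guard `if( end - p < 3 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` ahead of the read resolves it. Separately, the two new early exits (`MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE` and `MBEDTLS_ERR_ECP_BAD_INPUT_DATA`) skip the `psa_destroy_key` / `psa_pake_abort` cleanup that the existing error path just below performs; if that cleanup is what releases the PSA password key on failure, these paths presumably need it too.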
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 2e480636a0..3bc7217b79 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -4115,8 +4115,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p, - ssl->conf->endpoint ) ) != 0 ) + &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); From 6b3dab03b5f0c3fe42ebfb83cf171192c08dd88f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 17:14:54 +0100 Subject: [PATCH 214/413] tls: psa_pake: use a single function for round one and two in key exchange read/write Signed-off-by: Valerio Setti --- library/ssl_misc.h | 48 +++++------------- library/ssl_tls.c | 101 +++++++------------------------------ library/ssl_tls12_client.c | 20 +++++--- library/ssl_tls12_server.c | 20 +++++--- 4 files changed, 57 insertions(+), 132 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 82a951a581..0f43a18f42 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2378,6 +2378,11 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE, \ step ) +typedef enum { + MBEDTLS_ECJPAKE_ROUND_ONE, + MBEDTLS_ECJPAKE_ROUND_TWO +} mbedtls_ecjpake_rounds_t; + /** * \brief Parse the provided input buffer for getting the first round * of key exchange. This code is common between server and client 
@@ -2385,27 +2390,15 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) * \param pake_ctx [in] the PAKE's operation/context structure * \param buf [in] input buffer to parse * \param len [in] length of the input buffer + * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or + * MBEDTLS_ECJPAKE_ROUND_TWO * * \return 0 on success or a negative error code in case of failure */ -int mbedtls_psa_ecjpake_read_round_one( +int mbedtls_psa_ecjpake_read_round( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len ); - -/** - * \brief Parse the provided input buffer for getting the second round - * of key exchange. This code is common between server and client - * - * \param pake_ctx [in] the PAKE's operation/context structure - * \param buf [in] input buffer to parse - * \param len [in] length of the input buffer - * - * \return 0 on success or a negative error code in case of failure - */ -int mbedtls_psa_ecjpake_read_round_two( - psa_pake_operation_t *pake_ctx, - const unsigned char *buf, size_t len ); + size_t len, mbedtls_ecjpake_rounds_t round ); /** * \brief Write the first round of key exchange into the provided output 
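Review bot: The documentation kept as context above `mbedtls_psa_ecjpake_read_round` still opens with `\brief Parse the provided input buffer for getting the first round of key exchange`, although the function now handles both rounds through the new `round` parameter; the same applies to the `\brief Write the first round of key exchange` above `mbedtls_psa_ecjpake_write_round` in the next hunk. Suggested wording: `\brief Parse the provided input buffer for the given round of the EC J-PAKE key exchange. This code is common between server and client`, with the mirror sentence for the writer. It would also help if the `\param round` text said what a round means on the wire (two KEY_SHARE/ZK_PUBLIC/ZK_PROOF triplets in round one, one in round two), since that is exactly what the enum selects in the implementation.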
@@ -2415,29 +2408,16 @@ int mbedtls_psa_ecjpake_read_round_two( * \param buf [out] the output buffer in which data will be written to * \param len [in] length of the output buffer * \param olen [out] the length of the data really written on the buffer + * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or + * MBEDTLS_ECJPAKE_ROUND_TWO * * \return 0 on success or a negative error code in case of failure */ -int mbedtls_psa_ecjpake_write_round_one( +int mbedtls_psa_ecjpake_write_round( psa_pake_operation_t *pake_ctx, unsigned char *buf, - size_t len, size_t *olen ); - -/** - * \brief Write the second round of key exchange into the provided output - * buffer. This code is common between server and client - * - * \param pake_ctx [in] the PAKE's operation/context structure - * \param buf [out] the output buffer in which data will be written to - * \param len [in] length of the output buffer - * \param olen [out] the length of the data really written on the buffer - * - * \return 0 on success or a negative error code in case of failure - */ -int mbedtls_psa_ecjpake_write_round_two( - psa_pake_operation_t *pake_ctx, - unsigned char *buf, - size_t len, size_t *olen ); + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round ); #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ae12c7ebdf..a1fa8697b0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -8196,16 +8196,20 @@ end: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) -int mbedtls_psa_ecjpake_read_round_one( +int mbedtls_psa_ecjpake_read_round( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len ) + size_t len, mbedtls_ecjpake_rounds_t round ) { psa_status_t status; size_t input_offset = 0; + /* + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle + */ + unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1; x <= 2; ++x ) + for( ; remaining_steps > 0; remaining_steps-- ) { for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; step <= PSA_PAKE_STEP_ZK_PROOF; 
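Review bot: `unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;` treats every value other than `MBEDTLS_ECJPAKE_ROUND_ONE` as round two, so a stray or uninitialised `round` silently parses a single triplet instead of being rejected; a `switch` on `round` whose `default:` returns an error fails closed, which is what introducing an enum invites. The same expression appears in `mbedtls_psa_ecjpake_write_round` in the next hunk. There is also a missing space before `)` in that line compared with the surrounding `( ... )` style.

```c
    unsigned int remaining_steps;

    /* Round one carries two KEY_SHARE/ZK_PUBLIC/ZK_PROOF triplets, round two one */
    switch( round )
    {
        case MBEDTLS_ECJPAKE_ROUND_ONE: remaining_steps = 2; break;
        case MBEDTLS_ECJPAKE_ROUND_TWO: remaining_steps = 1; break;
        default: return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
    }
    /* … unchanged: per-step read loop … */
```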
@@ -8237,59 +8241,25 @@ int mbedtls_psa_ecjpake_read_round_one( return( 0 ); } -int mbedtls_psa_ecjpake_read_round_two( - psa_pake_operation_t *pake_ctx, - const unsigned char *buf, - size_t len ) -{ - psa_status_t status; - size_t input_offset = 0; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - size_t length; - - /* Length is stored at the first byte */ - length = buf[input_offset]; - input_offset += 1; - - if( input_offset + length > len ) - { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - status = psa_pake_input( pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - return psa_ssl_status_to_mbedtls( status ); - } - - input_offset += length; - } - - if ( input_offset != len ) - return PSA_ERROR_INVALID_ARGUMENT; - - return( 0 ); -} - -int mbedtls_psa_ecjpake_write_round_one( +int mbedtls_psa_ecjpake_write_round( psa_pake_operation_t *pake_ctx, unsigned char *buf, - size_t len, size_t *olen ) + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round ) { psa_status_t status; size_t output_offset = 0; size_t output_len; + /* + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle + */ + unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + for( ; remaining_steps > 0; remaining_steps-- ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; ++step ) { /* For each step, prepend 1 byte with the length of the data */ 
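Review bot: The length prefix written by `*(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step );` is a predicted size, while the offset then advances by the `output_len` that `psa_pake_output` actually produced; nothing in the hunk checks that the two agree, so a PSA backend emitting a different encoding length would yield a self-inconsistent message that the peer's reader mis-frames. Adding `if( output_len != MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ) ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` after the `psa_pake_output` call makes the framing checked rather than assumed. The prefix byte is also stored before confirming `output_offset < len`, after which `len - output_offset` underflows if the buffer is already full; the callers visible in this series pass the remaining output-record space, so this is presumably unreachable, but `if( output_offset >= len ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );` before the store would document that assumption. Both points apply equally to the `write_round_one` / `write_round_two` bodies this function replaces; the loop body continues past the hunk.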
@@ -8313,39 +8283,6 @@ int mbedtls_psa_ecjpake_write_round_one( return( 0 ); } - -int mbedtls_psa_ecjpake_write_round_two( - psa_pake_operation_t *pake_ctx, - unsigned char *buf, - size_t len, size_t *olen ) -{ - psa_status_t status; - size_t output_offset = 0; - size_t output_len; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); - output_offset += 1; - status = psa_pake_output( pake_ctx, - step, buf + output_offset, - len - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; - } - - *olen = output_offset; - - return( 0 ); -} #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 6dd8ef50fe..8fcf5a4f5e 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -164,8 +164,9 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = mbedtls_psa_ecjpake_write_round_one(&ssl->handshake->psa_pake_ctx, - p + 2, end - p - 2, &kkpp_len ); + ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len, + MBEDTLS_ECJPAKE_ROUND_ONE ); if ( ret != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); 
@@ -908,8 +909,9 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache_len = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = mbedtls_psa_ecjpake_read_round_one( - &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, + MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); @@ -2356,8 +2358,9 @@ start_processing: p += 3; - if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, p, end - p, + MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); @@ -3314,8 +3317,9 @@ ecdh_calc_secret: unsigned char *out_p = ssl->out_msg + header_len; unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - header_len; - ret = mbedtls_psa_ecjpake_write_round_two( &ssl->handshake->psa_pake_ctx, - out_p, end_p - out_p, &content_len ); + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + out_p, end_p - out_p, &content_len, + MBEDTLS_ECJPAKE_ROUND_TWO ); if ( ret != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 3bc7217b79..e6dee49c14 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
@@ -305,8 +305,9 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( ( ret = mbedtls_psa_ecjpake_read_round_one( - &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) + if ( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, + MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); @@ -2019,8 +2020,9 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, p += 2; #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = mbedtls_psa_ecjpake_write_round_one( &ssl->handshake->psa_pake_ctx, - p + 2, end - p - 2, &kkpp_len ); + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len, + MBEDTLS_ECJPAKE_ROUND_ONE ); if ( ret != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -2867,9 +2869,10 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); output_offset += sizeof( uint8_t ) + sizeof( uint16_t ); - ret = mbedtls_psa_ecjpake_write_round_two( &ssl->handshake->psa_pake_ctx, + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, out_p + output_offset, - end_p - out_p - output_offset, &output_len ); + end_p - out_p - output_offset, &output_len, + MBEDTLS_ECJPAKE_ROUND_TWO ); if( ret != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); 
@@ -4114,8 +4117,9 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, p, end - p, + MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); From 819de86895383292f26ae83619f20eb853a00a75 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 18:05:19 +0100 Subject: [PATCH 215/413] tls: removed extra white spaces and other minor fix Signed-off-by: Valerio Setti --- library/ssl_tls.c | 6 +++--- library/ssl_tls12_server.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a1fa8697b0..fa415a8947 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8203,7 +8203,7 @@ int mbedtls_psa_ecjpake_read_round( { psa_status_t status; size_t input_offset = 0; - /* + /* * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice * At round two perform a single cycle */ @@ -8235,7 +8235,7 @@ int mbedtls_psa_ecjpake_read_round( } } - if ( input_offset != len ) + if( input_offset != len ) return PSA_ERROR_INVALID_ARGUMENT; return( 0 ); @@ -8250,7 +8250,7 @@ int mbedtls_psa_ecjpake_write_round( psa_status_t status; size_t output_offset = 0; size_t output_len; - /* + /* * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice * At round two perform a single cycle */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index e6dee49c14..1e9e51b309 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
@@ -305,8 +305,8 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( ( ret = mbedtls_psa_ecjpake_read_round( - &ssl->handshake->psa_pake_ctx, buf, len, + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -2867,7 +2867,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, } *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); - output_offset += sizeof( uint8_t ) + sizeof( uint16_t ); + output_offset += 3; ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, out_p + output_offset, From aca21b717c26407f146f2bcf7ee7241854209639 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 18:17:01 +0100 Subject: [PATCH 216/413] tls: psa_pake: enforce not empty passwords Signed-off-by: Valerio Setti --- include/mbedtls/ecjpake.h | 2 +- include/mbedtls/ssl.h | 3 ++- library/ssl_tls.c | 35 ++++++++++++++++------------------- 3 files changed, 19 insertions(+), 21 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index e7ca1b2354..3dd3361a1b 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -113,7 +113,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); * \param curve The identifier of the elliptic curve to use, * for example #MBEDTLS_ECP_DP_SECP256R1. * \param secret The pre-shared secret (passphrase). This must be - * a readable buffer of length \p len Bytes. It need + * a readable not empty buffer of length \p len Bytes. It need * only be valid for the duration of this call. * \param len The length of the pre-shared secret \p secret. * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 01ede4088d..085235721a 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
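Review bot: The `output_offset += 3;` in the ssl_prepare_server_key_exchange hunk turns a self-describing expression into a magic number; the two preceding lines write one byte of curve type and a two-byte TLS id, and the `sizeof` form was the only thing documenting that layout. Keep the meaning in a comment: `output_offset += 3; /* 1 byte curve type + 2 bytes TLS id */`. The function's body starts and ends outside the hunk.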
@@ -3824,9 +3824,10 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, * \note The SSL context needs to be already set up. The right place * to call this function is between \c mbedtls_ssl_setup() or * \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake(). + * Password cannot be empty (see RFC 8236). * * \param ssl SSL context - * \param pw EC J-PAKE password (pre-shared secret) + * \param pw EC J-PAKE password (pre-shared secret). It cannot be empty * \param pw_len length of pw in bytes * * \return 0 on success, or a negative error code. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fa415a8947..062ff25dd8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1634,18 +1634,18 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, else psa_role = PSA_PAKE_ROLE_CLIENT; + /* Empty password is not valid */ + if( ( pw == NULL) || ( pw_len == 0 ) ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - if( pw_len > 0 ) - { - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); - psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); - status = psa_import_key( &attributes, pw, pw_len, - &ssl->handshake->psa_pake_password ); - if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } + status = psa_import_key( &attributes, pw, pw_len, + &ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); psa_pake_cs_set_primitive( &cipher_suite, 
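Review bot: The new guard in mbedtls_ssl_set_hs_ecjpake_password is inconsistently spaced, `( pw == NULL)` lacks the space before the closing parenthesis that the sibling `( pw_len == 0 )` and the rest of the file use; write it as `if( ( pw == NULL ) || ( pw_len == 0 ) )`. The hunk also drops the blank line that separated the check from the `psa_set_key_*` calls, so the early return now runs straight into the attribute setup; restoring it keeps the validation visually separate. The function starts and ends outside the hunk.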
@@ -1669,16 +1669,13 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - if( pw_len > 0 ) + psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, + ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) { - psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, - ssl->handshake->psa_pake_password ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } ssl->handshake->psa_pake_ctx_is_ok = 1; From 4e83173bb7b6770d99022d79ac2d3624c80b8c37 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 18 Nov 2022 10:57:46 +0000 Subject: [PATCH 217/413] Skip early data basic check temp Signed-off-by: Xiaokang Qian --- tests/opt-testcases/tls13-misc.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 3e2fd0b202..edece456b3 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -282,6 +282,9 @@ run_test "TLS 1.3: G->m: PSK: configured ephemeral only, good." \ 0 \ -s "key exchange mode: ephemeral$" +# skip the basic check now cause it will randomly trigger the anti-replay protection in gnutls_server +# Add it back once we fix the issue +skip_next_test requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C From 61ea17d30a2da481987e634e100082fccc46062f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 18 Nov 2022 12:11:00 +0100 Subject: [PATCH 218/413] tls: psa_pake: fix return values in parse functions Ensure they all belong to the MBEDTLS_ERR_SSL_* group 
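Review bot: In the mbedtls_ssl_set_hs_ecjpake_password hunk the return value of `psa_pake_set_password_key()` is discarded, so the `if( status != PSA_SUCCESS )` that follows tests the status left by the previous PSA call; a failure to bind the password key is silently ignored and `psa_pake_ctx_is_ok` is then set to 1 anyway. The call should be `status = psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, ssl->handshake->psa_pake_password );`. The removed lines had the same shape, so this is pre-existing, but the commit rewrites exactly these lines and is the place to fix it. The function's body begins outside the hunk.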
Signed-off-by: Valerio Setti
---
 library/ssl_tls.c | 2 +-
 library/ssl_tls12_client.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 062ff25dd8..c1436c5321 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8233,7 +8233,7 @@ int mbedtls_psa_ecjpake_read_round(
 }
 if( input_offset != len )
- return PSA_ERROR_INVALID_ARGUMENT;
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
 return( 0 );
 }
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 8fcf5a4f5e..7c293ec9e4 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2354,7 +2354,7 @@ start_processing:
 if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || ( read_tls_id != curve_info->tls_id ) )
- return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+ return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
 p += 3;
From 6969eee5d2a19b0aab2ffeece3d8a128e7f4e550 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Mon, 10 Oct 2022 10:25:26 +0800
Subject: [PATCH 219/413] Remove `Terminated` message on 22.04
Signed-off-by: Jerry Yu
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index fdbb310506..53b3885c78 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1362,7 +1362,7 @@ do_run_test_once() {
 if [ -n "$PXY_CMD" ]; then
 kill $PXY_PID >/dev/null 2>&1
- wait $PXY_PID
+ wait $PXY_PID >> $PXY_OUT 2>&1
 fi
 }
From 0b61217c36b19dadc278d6793a59e1b42475ec82 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Wed, 12 Oct 2022 15:29:58 +0800
Subject: [PATCH 220/413] set new_session_ticket_* to handshake_over
Signed-off-by: Jerry Yu
---
 include/mbedtls/ssl.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d0558511a8..3665545874 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
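Review bot: The new `return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;` in mbedtls_psa_ecjpake_read_round drops the parenthesised `return( ... )` form that this file uses everywhere, including the `return( 0 );` on the very next line, so it is inconsistent and will presumably be flagged by the project's style checks; write `return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );`. Trailing bytes after the last key-share is a malformed peer message rather than a negotiation failure, so MBEDTLS_ERR_SSL_DECODE_ERROR may be the more precise code, though I have not checked which alert the callers map each to. The function starts outside the hunk.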
@@ -4651,7 +4651,9 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ); */ static inline int mbedtls_ssl_is_handshake_over( mbedtls_ssl_context *ssl ) { - return( ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_HANDSHAKE_OVER ); + return( ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_HANDSHAKE_OVER || + ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_NEW_SESSION_TICKET || + ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH); } /** From e219c11b4e61b9f3f5077175fc083b26dc76e523 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 24 Oct 2022 01:27:01 +0000 Subject: [PATCH 221/413] Replace internal usage of mbedtls_ssl_is_handshake_over Signed-off-by: Jerry Yu --- library/ssl_msg.c | 28 ++++++++++++++-------------- library/ssl_tls.c | 12 ++++++------ 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index dbc6391885..c4af7bf6de 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1883,7 +1883,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) { len = in_buf_len - ( ssl->in_hdr - ssl->in_buf ); - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) timeout = ssl->handshake->retransmit_timeout; else timeout = ssl->conf->read_timeout; @@ -1907,7 +1907,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); mbedtls_ssl_set_timer( ssl, 0 ); - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ssl_double_retransmit_timeout( ssl ) != 0 ) { @@ -2343,7 +2343,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ) return( ret ); /* Update state and set timer */ - if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; else { 
@@ -2936,9 +2936,9 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) } if( ssl->handshake != NULL && - ( ( mbedtls_ssl_is_handshake_over( ssl ) == 0 && + ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && recv_msg_seq != ssl->handshake->in_msg_seq ) || - ( mbedtls_ssl_is_handshake_over( ssl ) == 1 && + ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) ) { if( recv_msg_seq > ssl->handshake->in_msg_seq ) @@ -3004,7 +3004,7 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_params * const hs = ssl->handshake; - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 && hs != NULL ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL ) { ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); } @@ -3651,7 +3651,7 @@ static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl ) */ if( rec_epoch == 0 && ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - mbedtls_ssl_is_handshake_over( ssl ) == 1 && + ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && ssl->in_left > 13 && ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) @@ -4821,7 +4821,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) /* Drop unexpected ApplicationData records, * except at the beginning of renegotiations */ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && - mbedtls_ssl_is_handshake_over( ssl ) == 0 + ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER #if defined(MBEDTLS_SSL_RENEGOTIATION) && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && ssl->state == MBEDTLS_SSL_SERVER_HELLO ) @@ -4833,7 +4833,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) } if( ssl->handshake != NULL && - mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); } 
@@ -5258,7 +5258,7 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) int in_ctr_cmp; int out_ctr_cmp; - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 || + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) { @@ -5502,7 +5502,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } #endif - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { ret = mbedtls_ssl_handshake( ssl ); if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && @@ -5613,7 +5613,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* We're going to return something now, cancel timer, * except if handshake (renegotiation) is in progress */ - if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) mbedtls_ssl_set_timer( ssl, 0 ); #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -5758,7 +5758,7 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ } #endif - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { @@ -5786,7 +5786,7 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); - if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ( ret = mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_WARNING, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index da90b2350f..5eca7eec00 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -168,7 +168,7 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl, *enabled = MBEDTLS_SSL_CID_DISABLED; if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || - mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -3602,7 +3602,7 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ssl == NULL || ssl->conf == NULL || ssl->handshake == NULL || - mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -3706,7 +3706,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); /* Main handshake loop */ - while( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { ret = mbedtls_ssl_handshake_step( ssl ); @@ -3807,7 +3807,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) /* On server, just send the request */ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; @@ -3827,7 +3827,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) */ if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) { - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); if( ( ret = mbedtls_ssl_start_renegotiation( ssl ) ) != 0 ) 
@@ -4130,7 +4130,7 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl, * (only DTLS) but are currently used to simplify the implementation. */ /* The initial handshake must be over */ - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Initial handshake isn't over" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); From 6848a619229a9d12542ab721009002bef92cf245 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 27 Oct 2022 13:03:26 +0800 Subject: [PATCH 222/413] Revert "Replace internal usage of mbedtls_ssl_is_handshake_over" This reverts commit 1d3ed2975e7ef0d84050a3aece02eec1f890dec3. Signed-off-by: Jerry Yu --- library/ssl_msg.c | 28 ++++++++++++++-------------- library/ssl_tls.c | 12 ++++++------ 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index c4af7bf6de..dbc6391885 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1883,7 +1883,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) { len = in_buf_len - ( ssl->in_hdr - ssl->in_buf ); - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) timeout = ssl->handshake->retransmit_timeout; else timeout = ssl->conf->read_timeout; @@ -1907,7 +1907,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); mbedtls_ssl_set_timer( ssl, 0 ); - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) { if( ssl_double_retransmit_timeout( ssl ) != 0 ) { @@ -2343,7 +2343,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ) return( ret ); /* Update state and set timer */ - if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; else { 
@@ -2936,9 +2936,9 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) } if( ssl->handshake != NULL && - ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && + ( ( mbedtls_ssl_is_handshake_over( ssl ) == 0 && recv_msg_seq != ssl->handshake->in_msg_seq ) || - ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && + ( mbedtls_ssl_is_handshake_over( ssl ) == 1 && ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) ) { if( recv_msg_seq > ssl->handshake->in_msg_seq ) @@ -3004,7 +3004,7 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_params * const hs = ssl->handshake; - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 && hs != NULL ) { ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); } @@ -3651,7 +3651,7 @@ static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl ) */ if( rec_epoch == 0 && ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && + mbedtls_ssl_is_handshake_over( ssl ) == 1 && ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && ssl->in_left > 13 && ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) @@ -4821,7 +4821,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) /* Drop unexpected ApplicationData records, * except at the beginning of renegotiations */ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && - ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER + mbedtls_ssl_is_handshake_over( ssl ) == 0 #if defined(MBEDTLS_SSL_RENEGOTIATION) && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && ssl->state == MBEDTLS_SSL_SERVER_HELLO ) @@ -4833,7 +4833,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) } if( ssl->handshake != NULL && - ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) + mbedtls_ssl_is_handshake_over( ssl ) == 1 ) { mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); } 
@@ -5258,7 +5258,7 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) int in_ctr_cmp; int out_ctr_cmp; - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 || ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) { @@ -5502,7 +5502,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } #endif - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) { ret = mbedtls_ssl_handshake( ssl ); if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && @@ -5613,7 +5613,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* We're going to return something now, cancel timer, * except if handshake (renegotiation) is in progress */ - if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) mbedtls_ssl_set_timer( ssl, 0 ); #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -5758,7 +5758,7 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ } #endif - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) { if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { @@ -5786,7 +5786,7 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); - if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) { if( ( ret = mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_WARNING, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5eca7eec00..da90b2350f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -168,7 +168,7 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl, *enabled = MBEDTLS_SSL_CID_DISABLED; if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || - ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + mbedtls_ssl_is_handshake_over( ssl ) == 0 ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -3602,7 +3602,7 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ssl == NULL || ssl->conf == NULL || ssl->handshake == NULL || - ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) + mbedtls_ssl_is_handshake_over( ssl ) == 1 ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -3706,7 +3706,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); /* Main handshake loop */ - while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + while( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) { ret = mbedtls_ssl_handshake_step( ssl ); @@ -3807,7 +3807,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) /* On server, just send the request */ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; @@ -3827,7 +3827,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) */ if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) { - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); if( ( ret = mbedtls_ssl_start_renegotiation( ssl ) ) != 0 ) 
@@ -4130,7 +4130,7 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl, * (only DTLS) but are currently used to simplify the implementation. */ /* The initial handshake must be over */ - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Initial handshake isn't over" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); From 5ed73ff6de713a91c5486f09136c08947d84819a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 27 Oct 2022 13:08:42 +0800 Subject: [PATCH 223/413] Add NEW_SESSION_TICKET* into handshake over states All state list after HANDSHAKE_OVER as is_handshakeover Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 8 +++----- library/ssl_tls.c | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3665545874..8c4d76c861 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -661,8 +661,6 @@ typedef enum MBEDTLS_SSL_SERVER_FINISHED, MBEDTLS_SSL_FLUSH_BUFFERS, MBEDTLS_SSL_HANDSHAKE_WRAPUP, - MBEDTLS_SSL_HANDSHAKE_OVER, - MBEDTLS_SSL_NEW_SESSION_TICKET, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, MBEDTLS_SSL_HELLO_RETRY_REQUEST, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, @@ -671,6 +669,8 @@ typedef enum MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST, + MBEDTLS_SSL_HANDSHAKE_OVER, + MBEDTLS_SSL_NEW_SESSION_TICKET, MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH, } mbedtls_ssl_states; @@ -4651,9 +4651,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ); */ static inline int mbedtls_ssl_is_handshake_over( mbedtls_ssl_context *ssl ) { - return( ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_HANDSHAKE_OVER || - ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_NEW_SESSION_TICKET || - ssl->MBEDTLS_PRIVATE( state ) == MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH); + return( ssl->MBEDTLS_PRIVATE( state ) >= MBEDTLS_SSL_HANDSHAKE_OVER ); } /** 
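Review bot: The rewritten mbedtls_ssl_is_handshake_over in the ssl.h hunk now depends on enumerator order (`>= MBEDTLS_SSL_HANDSHAKE_OVER`), but nothing in the mbedtls_ssl_states enum says so, so the next state appended in the "wrong" place silently changes what "handshake over" means. Add a comment on the moved entry: `MBEDTLS_SSL_HANDSHAKE_OVER, /* post-handshake states must follow this one: mbedtls_ssl_is_handshake_over() relies on the ordering */`. Moving the enumerators also changes the numeric values of public constants in a public header, which presumably deserves a ChangeLog note if enumerator values are treated as part of the API.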
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index da90b2350f..df57c9f966 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7544,7 +7544,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
 #endif
 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
 }
From 1fb3299ad76abb608fe667a83169d65383d31e50 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Thu, 27 Oct 2022 13:18:19 +0800
Subject: [PATCH 224/413] Replace internal usage of is_handshake_over.
NEW_SESSION_TICKETS* are processed in handshake_step. Change the stop condition from `mbedtls_ssl_is_handshake_over` to directly check.
Signed-off-by: Jerry Yu
---
 library/ssl_msg.c | 16 ++++++++--------
 library/ssl_tls.c | 4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index dbc6391885..5d56dd6f46 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1883,7 +1883,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
 {
 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
- if( mbedtls_ssl_is_handshake_over( ssl ) == 0 )
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
 timeout = ssl->handshake->retransmit_timeout;
 else
 timeout = ssl->conf->read_timeout;
@@ -1907,7 +1907,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
 mbedtls_ssl_set_timer( ssl, 0 );
- if( mbedtls_ssl_is_handshake_over( ssl ) == 0 )
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
 {
 if( ssl_double_retransmit_timeout( ssl ) != 0 )
 {
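Review bot: In the mbedtls_ssl_fetch_input hunk the condition `ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER` now also holds in the TLS 1.3 ticket states that sit after HANDSHAKE_OVER, so in those states the code selects `ssl->handshake->retransmit_timeout` and dereferences `ssl->handshake`. That is presumably only reachable under DTLS, which the TLS 1.3 code does not support yet, but the hunk does not show the transport guard and the reader has no way to tell the choice is intentional. A comment such as `/* DTLS only: the TLS 1.3 post-handshake ticket states never reach this path */` on the new condition, or an explicit `ssl->handshake != NULL` check, would make the assumption visible. The enclosing function starts and ends outside the hunk.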
@@ -2936,9 +2936,9 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) } if( ssl->handshake != NULL && - ( ( mbedtls_ssl_is_handshake_over( ssl ) == 0 && + ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && recv_msg_seq != ssl->handshake->in_msg_seq ) || - ( mbedtls_ssl_is_handshake_over( ssl ) == 1 && + ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) ) { if( recv_msg_seq > ssl->handshake->in_msg_seq ) @@ -3004,7 +3004,7 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_params * const hs = ssl->handshake; - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 && hs != NULL ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL ) { ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); } @@ -4833,7 +4833,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) } if( ssl->handshake != NULL && - mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); } @@ -5502,7 +5502,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } #endif - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { ret = mbedtls_ssl_handshake( ssl ); if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && @@ -5758,7 +5758,7 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ } #endif - if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index df57c9f966..506333d777 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -3602,7 +3602,7 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
 if( ssl == NULL || ssl->conf == NULL || ssl->handshake == NULL ||
- mbedtls_ssl_is_handshake_over( ssl ) == 1 )
+ ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
 {
 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 }
@@ -3706,7 +3706,7 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
 /* Main handshake loop */
- while( mbedtls_ssl_is_handshake_over( ssl ) == 0 )
+ while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
 {
 ret = mbedtls_ssl_handshake_step( ssl );
From c5826eaba2e2770e25492e71a27bc5262947faa4 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Thu, 27 Oct 2022 17:20:26 +0800
Subject: [PATCH 225/413] Add debug message
Signed-off-by: Jerry Yu
---
 tests/ssl-opt.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 53b3885c78..3ec345caaa 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11139,8 +11139,8 @@ not_with_valgrind # risk of non-mbedtls peer timing out
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
 -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$G_NEXT_SRV -u --mtu 512" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
+ "$G_NEXT_SRV -u --mtu 512 -d 10" \
+ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 debug_level=5" \
 0 \
 -s "Extra-header:" \
 -c "Extra-header:"
From cfda4bbeac554a4f77249d456e3c1946e17145b3 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Thu, 27 Oct 2022 22:20:49 +0800
Subject: [PATCH 226/413] Replace handshake over in flight transmit
Fix deadloop in DTLS resumption test.
Signed-off-by: Jerry Yu
---
 library/ssl_msg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 5d56dd6f46..eae1ddead6 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
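Review bot: After the mbedtls_ssl_handshake hunk the main loop and the guard in mbedtls_ssl_handshake_step compare `ssl->state` against MBEDTLS_SSL_HANDSHAKE_OVER directly, while the public mbedtls_ssl_is_handshake_over() keeps reporting true in the TLS 1.3 NewSessionTicket states, and nothing at either site says the difference is deliberate. The commit message explains it, but the code should too, or someone will "fix" it back to the helper and stop the ticket states from being driven; add on the loop `/* TLS 1.3 post-handshake states (NewSessionTicket) are still driven by handshake_step, so do not use mbedtls_ssl_is_handshake_over() here. */`. Both functions start and end outside their hunks.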
@@ -2343,7 +2343,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ) return( ret ); /* Update state and set timer */ - if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) + if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; else { From a8d3c5048f2553e11d6837724bbf4e1ceb89fcc9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 30 Oct 2022 14:51:23 +0800 Subject: [PATCH 227/413] Rename new session ticket name for TLS 1.3 NewSessionTicket is different with TLS 1.2. It should not share same state. Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 6 ++++-- library/ssl_msg.c | 2 +- library/ssl_tls13_client.c | 4 ++-- library/ssl_tls13_server.c | 18 +++++++++--------- tests/ssl-opt.sh | 20 ++++++++++---------- 5 files changed, 26 insertions(+), 24 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8c4d76c861..afb634e2f8 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -661,6 +661,8 @@ typedef enum MBEDTLS_SSL_SERVER_FINISHED, MBEDTLS_SSL_FLUSH_BUFFERS, MBEDTLS_SSL_HANDSHAKE_WRAPUP, + + MBEDTLS_SSL_NEW_SESSION_TICKET, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, MBEDTLS_SSL_HELLO_RETRY_REQUEST, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, @@ -670,8 +672,8 @@ typedef enum MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST, MBEDTLS_SSL_HANDSHAKE_OVER, - MBEDTLS_SSL_NEW_SESSION_TICKET, - MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH, } mbedtls_ssl_states; diff --git a/library/ssl_msg.c b/library/ssl_msg.c index eae1ddead6..0a414abf9d 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
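Review bot: The ssl.h hunk leaves the mbedtls_ssl_states enum with three ticket enumerators and no indication of which protocol version owns which: MBEDTLS_SSL_NEW_SESSION_TICKET now sits before the TLS 1.3 states with only a blank line as a hint, and the two MBEDTLS_SSL_TLS1_3_* entries follow MBEDTLS_SSL_HANDSHAKE_OVER. Label the groups, e.g. `/* TLS 1.2 (D)TLS NewSessionTicket state */` above the kept name and `/* TLS 1.3 post-handshake states, must stay after MBEDTLS_SSL_HANDSHAKE_OVER */` above the renamed pair. The ssl-opt.sh expectations in this commit match on `server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET`, so the state-name strings used by the debug output must follow the rename; presumably they are generated from this header, but no debug-helper file appears in the diffstat, so that should be confirmed.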
@@ -5299,7 +5299,7 @@ static int ssl_tls13_check_new_session_ticket( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket received" ) ); mbedtls_ssl_handshake_set_state( ssl, - MBEDTLS_SSL_NEW_SESSION_TICKET ); + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); return( MBEDTLS_ERR_SSL_WANT_READ ); } diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 0372f2d98d..db8476c759 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2743,7 +2743,7 @@ static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl, } /* - * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl ) @@ -2857,7 +2857,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) - case MBEDTLS_SSL_NEW_SESSION_TICKET: + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: ret = ssl_tls13_process_new_session_ticket( ssl ); if( ret != 0 ) break; diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 3cd03108f6..ce8767c5fd 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -2628,7 +2628,7 @@ static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) mbedtls_ssl_tls13_handshake_wrapup( ssl ); #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); #else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); #endif @@ -2636,7 +2636,7 @@ static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) } /* - * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ #define SSL_NEW_SESSION_TICKET_SKIP 0 #define SSL_NEW_SESSION_TICKET_WRITE 1 
@@ -2872,7 +2872,7 @@ static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl, } /* - * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET + * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl ) { @@ -2908,8 +2908,8 @@ static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl ) else ssl->handshake->new_session_tickets_count--; - mbedtls_ssl_handshake_set_state( ssl, - MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH ); + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH ); } else { @@ -3045,7 +3045,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) - case MBEDTLS_SSL_NEW_SESSION_TICKET: + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: ret = ssl_tls13_write_new_session_ticket( ssl ); if( ret != 0 ) { @@ -3054,9 +3054,9 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) ret ); } break; - case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH: + case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH: /* This state is necessary to do the flush of the New Session - * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET + * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET * as part of ssl_prepare_handshake_step. */ ret = 0; @@ -3064,7 +3064,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) if( ssl->handshake->new_session_tickets_count == 0 ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); else - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET ); break; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 3ec345caaa..062e68858a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -12920,8 +12920,8 @@ run_test "TLS 1.3: NewSessionTicket: Basic check, O->m" \ "$O_NEXT_CLI -msg -debug -tls1_3 -reconnect" \ 0 \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS @@ -12937,8 +12937,8 @@ run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \ -c "Connecting again- trying to resume previous session" \ -c "NEW SESSION TICKET (4) was received" \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \ -s "key exchange mode: ephemeral" \ -s "key exchange mode: psk_ephemeral" \ -s "found pre_shared_key extension" @@ -12960,8 +12960,8 @@ run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \ -c "Reconnecting with saved session" \ -c "HTTP/1.0 200 OK" \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \ -s "key exchange mode: ephemeral" \ -s "key exchange mode: psk_ephemeral" \ -s "found pre_shared_key extension" 
@@ -13015,8 +13015,8 @@ run_test "TLS 1.3: NewSessionTicket: servername check, m->m" \ -c "Reconnecting with saved session" \ -c "HTTP/1.0 200 OK" \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" \ -s "key exchange mode: ephemeral" \ -s "key exchange mode: psk_ephemeral" \ -s "found pre_shared_key extension" @@ -13039,8 +13039,8 @@ run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \ -c "Reconnecting with saved session" \ -c "Hostname mismatch the session ticket, disable session resumption." \ -s "=> write NewSessionTicket msg" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \ - -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH" + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET" \ + -s "server state: MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 From 668070d5f41b425ce98a14f4f5e048e4366899a1 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 9 Nov 2022 22:49:19 +0800 Subject: [PATCH 228/413] Remove unnecessary replace Signed-off-by: Jerry Yu --- library/ssl_msg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 0a414abf9d..9eb1b79674 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1883,7 +1883,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) { len = in_buf_len - ( ssl->in_hdr - ssl->in_buf ); - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ) timeout = ssl->handshake->retransmit_timeout; else timeout = ssl->conf->read_timeout; 
@@ -3004,7 +3004,7 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_params * const hs = ssl->handshake; - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 0 && hs != NULL ) { ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); } From 9b421456b05c0b0c8354bb965e9e431159cd0c00 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 18 Nov 2022 21:09:41 +0800 Subject: [PATCH 229/413] Revert change in dtls1.2 Signed-off-by: Jerry Yu --- library/ssl_msg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 9eb1b79674..cacedcaf99 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -2936,9 +2936,9 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) } if( ssl->handshake != NULL && - ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && + ( ( mbedtls_ssl_is_handshake_over( ssl ) == 0 && recv_msg_seq != ssl->handshake->in_msg_seq ) || - ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && + ( mbedtls_ssl_is_handshake_over( ssl ) == 1 && ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) ) { if( recv_msg_seq > ssl->handshake->in_msg_seq ) @@ -4833,7 +4833,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) } if( ssl->handshake != NULL && - ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) + mbedtls_ssl_is_handshake_over( ssl ) == 1 ) { mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); } From dddd35ccf37b8372ff99c71faba367cec3e5714b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 20 Nov 2022 12:30:58 +0800 Subject: [PATCH 230/413] remvoe unrelative change Signed-off-by: Jerry Yu --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 062e68858a..a4789db816 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -11139,8 +11139,8 @@ not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$G_NEXT_SRV -u --mtu 512 -d 10" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 debug_level=5" \ + "$G_NEXT_SRV -u --mtu 512" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" From 0cd8967ba10a8f1d6a2b9be1e4f1a8289e8484ee Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 9 Nov 2022 12:14:14 +0000 Subject: [PATCH 231/413] Split test generator base class The class BaseTarget served two purposes: - track test cases and target files for generation - provide an abstract base class for individual test groups Splitting these allows decoupling these two and to have further common superclasses across targets. No intended change in generated test cases. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 5 ++-- scripts/mbedtls_dev/bignum_core.py | 14 +++++------ scripts/mbedtls_dev/bignum_mod.py | 6 ++--- scripts/mbedtls_dev/bignum_mod_raw.py | 4 +-- scripts/mbedtls_dev/test_data_generation.py | 28 +++++++++++++-------- tests/scripts/generate_bignum_tests.py | 6 ++--- 6 files changed, 35 insertions(+), 28 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 8b11bc283c..ba30be40ee 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -17,6 +17,8 @@ from abc import abstractmethod from typing import Iterator, List, Tuple, TypeVar +from . import test_data_generation + T = TypeVar('T') #pylint: disable=invalid-name def invmod(a: int, n: int) -> int: 
@@ -63,8 +65,7 @@ def combination_pairs(values: List[T]) -> List[Tuple[T, T]]: """Return all pair combinations from input values.""" return [(x, y) for x in values for y in values] - -class OperationCommon: +class OperationCommon(test_data_generation.BaseTest): """Common features for bignum binary operations. This adds functionality common in binary operation tests. diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index 0cc86b8096..db9d1b7ca7 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py @@ -16,20 +16,19 @@ import random -from abc import ABCMeta from typing import Dict, Iterator, List, Tuple from . import test_case from . import test_data_generation from . import bignum_common -class BignumCoreTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): - #pylint: disable=abstract-method +class BignumCoreTarget(test_data_generation.BaseTarget): + #pylint: disable=abstract-method, too-few-public-methods """Target for bignum core test case generation.""" target_basename = 'test_suite_bignum_core.generated' -class BignumCoreShiftR(BignumCoreTarget, metaclass=ABCMeta): +class BignumCoreShiftR(BignumCoreTarget, test_data_generation.BaseTest): """Test cases for mbedtls_bignum_core_shift_r().""" count = 0 test_function = "mpi_core_shift_r" @@ -69,7 +68,7 @@ class BignumCoreShiftR(BignumCoreTarget, metaclass=ABCMeta): for count in counts: yield cls(input_hex, descr, count).create_test_case() -class BignumCoreCTLookup(BignumCoreTarget, metaclass=ABCMeta): +class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest): """Test cases for mbedtls_mpi_core_ct_uint_table_lookup().""" test_function = "mpi_core_ct_uint_table_lookup" test_name = "Constant time MPI table lookup" 
@@ -107,7 +106,8 @@ class BignumCoreCTLookup(BignumCoreTarget, metaclass=ABCMeta): yield (cls(bitsize, bitsize_description, window_size) .create_test_case()) -class BignumCoreOperation(bignum_common.OperationCommon, BignumCoreTarget, metaclass=ABCMeta): +class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon, + metaclass=ABCMeta): #pylint: disable=abstract-method """Common features for bignum core operations.""" input_values = [ @@ -297,7 +297,7 @@ class BignumCoreMLA(BignumCoreOperation): yield cur_op.create_test_case() -class BignumCoreMontmul(BignumCoreTarget): +class BignumCoreMontmul(BignumCoreTarget, test_data_generation.BaseTest): """Test cases for Montgomery multiplication.""" count = 0 test_function = "mpi_core_montmul" diff --git a/scripts/mbedtls_dev/bignum_mod.py b/scripts/mbedtls_dev/bignum_mod.py index 2bd7fbbda3..a604cc0c59 100644 --- a/scripts/mbedtls_dev/bignum_mod.py +++ b/scripts/mbedtls_dev/bignum_mod.py @@ -14,12 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. -from abc import ABCMeta - from . import test_data_generation -class BignumModTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): - #pylint: disable=abstract-method +class BignumModTarget(test_data_generation.BaseTarget): + #pylint: disable=abstract-method, too-few-public-methods """Target for bignum mod test case generation.""" target_basename = 'test_suite_bignum_mod.generated' diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index bd694a6084..4f12d9a865 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
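Review bot: The new `BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon, metaclass=ABCMeta)` still names `ABCMeta`, but the earlier hunk of this file (at line 16) deletes `from abc import ABCMeta` in the same commit, so importing bignum_core raises `NameError` unless ABCMeta reaches the module some other way (nothing visible here provides it). The other targets in this commit drop the explicit metaclass because `test_data_generation.BaseTest` already uses `ABCMeta`, and the same holds here through `OperationCommon`, so the line can simply read `class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon):`. Otherwise restore the import rather than leaving this intermediate commit unimportable for anyone bisecting.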
@@ -21,8 +21,8 @@ from . import test_case from . import test_data_generation from . import bignum_common -class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): - #pylint: disable=abstract-method +class BignumModRawTarget(test_data_generation.BaseTarget): + #pylint: disable=abstract-method, too-few-public-methods """Target for bignum mod_raw test case generation.""" target_basename = 'test_suite_bignum_mod_raw.generated' diff --git a/scripts/mbedtls_dev/test_data_generation.py b/scripts/mbedtls_dev/test_data_generation.py index eec0f9d978..3d703eec7d 100644 --- a/scripts/mbedtls_dev/test_data_generation.py +++ b/scripts/mbedtls_dev/test_data_generation.py @@ -25,6 +25,7 @@ import argparse import os import posixpath import re +import inspect from abc import ABCMeta, abstractmethod from typing import Callable, Dict, Iterable, Iterator, List, Type, TypeVar @@ -35,12 +36,8 @@ from . import test_case T = TypeVar('T') #pylint: disable=invalid-name -class BaseTarget(metaclass=ABCMeta): - """Base target for test case generation. - - Child classes of this class represent an output file, and can be referred - to as file targets. These indicate where test cases will be written to for - all subclasses of the file target, which is set by `target_basename`. +class BaseTest(metaclass=ABCMeta): + """Base class for test case generation. Attributes: count: Counter for test cases from this class. 
@@ -48,8 +45,6 @@ class BaseTarget(metaclass=ABCMeta): automatically generated using the class, or manually set. dependencies: A list of dependencies required for the test case. show_test_count: Toggle for inclusion of `count` in the test description. - target_basename: Basename of file to write generated tests to. This - should be specified in a child class of BaseTarget. test_function: Test function which the class generates cases for. test_name: A common name or description of the test function. This can be `test_function`, a clearer equivalent, or a short summary of the @@ -59,7 +54,6 @@ class BaseTarget(metaclass=ABCMeta): case_description = "" dependencies = [] # type: List[str] show_test_count = True - target_basename = "" test_function = "" test_name = "" @@ -121,6 +115,20 @@ class BaseTarget(metaclass=ABCMeta): """ raise NotImplementedError + +class BaseTarget: + """Base target for test case generation. + + Child classes of this class represent an output file, and can be referred + to as file targets. These indicate where test cases will be written to for + all subclasses of the file target, which is set by `target_basename`. + + Attributes: + target_basename: Basename of file to write generated tests to. This + should be specified in a child class of BaseTarget. + """ + target_basename = "" + @classmethod def generate_tests(cls) -> Iterator[test_case.TestCase]: """Generate test cases for the class and its subclasses. @@ -132,7 +140,7 @@ class BaseTarget(metaclass=ABCMeta): yield from `generate_tests()` in each. Calling this method on a class X will yield test cases from all classes derived from X. """ - if cls.test_function: + if issubclass(cls, BaseTest) and not inspect.isabstract(cls): yield from cls.generate_function_tests() for subclass in sorted(cls.__subclasses__(), key=lambda c: c.__name__): yield from subclass.generate_tests() 
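Review bot: The gate in `BaseTarget.generate_tests` (hunk at 132) changes from `if cls.test_function:` to `issubclass(cls, BaseTest) and not inspect.isabstract(cls)`, and the docstring above it, which still speaks only of "the class and its subclasses", does not say which classes are now skipped: an intermediate that leaves an `@abstractmethod` unimplemented is abstract to `inspect.isabstract` and is passed over, whereas a concrete `BaseTest` subclass with an empty `test_function` (previously skipped) would now be visited if such a class exists, which the commit message ("No intended change in generated test cases") does not mention. Add a line to the docstring, `Only concrete subclasses of BaseTest (no unimplemented abstract methods) contribute cases; abstract intermediates are skipped.` Separately, the hunk at 25 appends `import inspect` after `import re`, breaking the alphabetical order the surrounding stdlib imports keep.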
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index eee2f657ad..9e5db3a11f 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py @@ -68,13 +68,13 @@ from mbedtls_dev import bignum_common # the framework from mbedtls_dev import bignum_core, bignum_mod_raw # pylint: disable=unused-import -class BignumTarget(test_data_generation.BaseTarget, metaclass=ABCMeta): - #pylint: disable=abstract-method +class BignumTarget(test_data_generation.BaseTarget): """Target for bignum (legacy) test case generation.""" target_basename = 'test_suite_bignum.generated' -class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABCMeta): +class BignumOperation(bignum_common.OperationCommon, BignumTarget, + metaclass=ABCMeta): #pylint: disable=abstract-method """Common features for bignum operations in legacy tests.""" input_values = [ From 87df373e0e52949dbe394893ad768e563c2683a4 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 9 Nov 2022 12:31:23 +0000 Subject: [PATCH 232/413] Bignum test: Move identical function to superclass No intended change in generated test cases. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 6 ++++++ scripts/mbedtls_dev/bignum_core.py | 5 ----- tests/scripts/generate_bignum_tests.py | 5 ----- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index ba30be40ee..02241141f9 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -17,6 +17,7 @@ from abc import abstractmethod from typing import Iterator, List, Tuple, TypeVar +from . import test_case from . import test_data_generation T = TypeVar('T') #pylint: disable=invalid-name 
@@ -122,6 +123,11 @@ class OperationCommon(test_data_generation.BaseTest): ) yield from cls.input_cases + @classmethod + def generate_function_tests(cls) -> Iterator[test_case.TestCase]: + for a_value, b_value in cls.get_value_pairs(): + yield cls(a_value, b_value).create_test_case() + # BEGIN MERGE SLOT 1 # END MERGE SLOT 1 diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index db9d1b7ca7..a1c2e1bc63 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py @@ -144,11 +144,6 @@ class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon, ) return super().description() - @classmethod - def generate_function_tests(cls) -> Iterator[test_case.TestCase]: - for a_value, b_value in cls.get_value_pairs(): - yield cls(a_value, b_value).create_test_case() - class BignumCoreOperationArchSplit(BignumCoreOperation): #pylint: disable=abstract-method diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index 9e5db3a11f..d923828cec 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py @@ -132,11 +132,6 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, tmp = "large " + tmp return tmp - @classmethod - def generate_function_tests(cls) -> Iterator[test_case.TestCase]: - for a_value, b_value in cls.get_value_pairs(): - yield cls(a_value, b_value).create_test_case() - class BignumCmp(BignumOperation): """Test cases for bignum value comparison.""" From 3aeb60add6038855fc63704947824a016a6e79fc Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 9 Nov 2022 13:24:46 +0000 Subject: [PATCH 233/413] Bignum test: move archsplit to superclass We need arch split tests in different modules, moving it to the common module makes it reusable. No intended changes in the generated tests. (The position of the core_add_if tests changed, but they are still all there.) 
Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 46 +++++++++++++++ scripts/mbedtls_dev/bignum_core.py | 88 +++++++++------------------- 2 files changed, 73 insertions(+), 61 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 02241141f9..7ab788be0a 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -97,6 +97,19 @@ class OperationCommon(test_data_generation.BaseTest): quote_str(self.arg_a), quote_str(self.arg_b) ] + self.result() + def description(self) -> str: + """Generate a description for the test case. + + If not set, case_description uses the form A `symbol` B, where symbol + is used to represent the operation. Descriptions of each value are + generated to provide some context to the test case. + """ + if not self.case_description: + self.case_description = "{:x} {} {:x}".format( + self.int_a, self.symbol, self.int_b + ) + return super().description() + @abstractmethod def result(self) -> List[str]: """Get the result of the operation. 
@@ -128,6 +141,39 @@ class OperationCommon(test_data_generation.BaseTest): for a_value, b_value in cls.get_value_pairs(): yield cls(a_value, b_value).create_test_case() + +class OperationCommonArchSplit(OperationCommon): + #pylint: disable=abstract-method + """Common features for operations where the result depends on + the limb size.""" + + def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None: + super().__init__(val_a, val_b) + bound_val = max(self.int_a, self.int_b) + self.bits_in_limb = bits_in_limb + self.bound = bound_mpi(bound_val, self.bits_in_limb) + limbs = limbs_mpi(bound_val, self.bits_in_limb) + byte_len = limbs * self.bits_in_limb // 8 + self.hex_digits = 2 * byte_len + if self.bits_in_limb == 32: + self.dependencies = ["MBEDTLS_HAVE_INT32"] + elif self.bits_in_limb == 64: + self.dependencies = ["MBEDTLS_HAVE_INT64"] + else: + raise ValueError("Invalid number of bits in limb!") + self.arg_a = self.arg_a.zfill(self.hex_digits) + self.arg_b = self.arg_b.zfill(self.hex_digits) + + def pad_to_limbs(self, val) -> str: + return "{:x}".format(val).zfill(self.hex_digits) + + @classmethod + def generate_function_tests(cls) -> Iterator[test_case.TestCase]: + for a_value, b_value in cls.get_value_pairs(): + yield cls(a_value, b_value, 32).create_test_case() + yield cls(a_value, b_value, 64).create_test_case() + + # BEGIN MERGE SLOT 1 # END MERGE SLOT 1 diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index a1c2e1bc63..591e53c203 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py 
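Review bot: `pad_to_limbs(self, val)` is the only signature in the new `OperationCommonArchSplit` without a parameter annotation; the rest of the class annotates (`val_a: str`, `bits_in_limb: int`) and the body formats with `{:x}`, so `def pad_to_limbs(self, val: int) -> str:` documents the expectation. The class docstring could also say what the constructor derives, e.g. `Pads both operands to a whole number of limbs of bits_in_limb bits and sets the MBEDTLS_HAVE_INT32/INT64 dependency accordingly.` The `if/elif/else` on `bits_in_limb` hard-codes 32 and 64, while a later class in this series validates the same input against a `limb_sizes` list; one representation for both would keep them in step.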
@@ -106,75 +106,41 @@ class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest): yield (cls(bitsize, bitsize_description, window_size) .create_test_case()) -class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon, - metaclass=ABCMeta): +INPUT_VALUES = [ + "0", "1", "3", "f", "fe", "ff", "100", "ff00", "fffe", "ffff", "10000", + "fffffffe", "ffffffff", "100000000", "1f7f7f7f7f7f7f", + "8000000000000000", "fefefefefefefefe", "fffffffffffffffe", + "ffffffffffffffff", "10000000000000000", "1234567890abcdef0", + "fffffffffffffffffefefefefefefefe", "fffffffffffffffffffffffffffffffe", + "ffffffffffffffffffffffffffffffff", "100000000000000000000000000000000", + "1234567890abcdef01234567890abcdef0", + "fffffffffffffffffffffffffffffffffffffffffffffffffefefefefefefefe", + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe", + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "10000000000000000000000000000000000000000000000000000000000000000", + "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0", + ( + "4df72d07b4b71c8dacb6cffa954f8d88254b6277099308baf003fab73227f34029" + "643b5a263f66e0d3c3fa297ef71755efd53b8fb6cb812c6bbf7bcf179298bd9947" + "c4c8b14324140a2c0f5fad7958a69050a987a6096e9f055fb38edf0c5889eca4a0" + "cfa99b45fbdeee4c696b328ddceae4723945901ec025076b12b" + ) +] + + +class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon): #pylint: disable=abstract-method """Common features for bignum core operations.""" - input_values = [ - "0", "1", "3", "f", "fe", "ff", "100", "ff00", "fffe", "ffff", "10000", - "fffffffe", "ffffffff", "100000000", "1f7f7f7f7f7f7f", - "8000000000000000", "fefefefefefefefe", "fffffffffffffffe", - "ffffffffffffffff", "10000000000000000", "1234567890abcdef0", - "fffffffffffffffffefefefefefefefe", "fffffffffffffffffffffffffffffffe", - "ffffffffffffffffffffffffffffffff", "100000000000000000000000000000000", - "1234567890abcdef01234567890abcdef0", - 
"fffffffffffffffffffffffffffffffffffffffffffffffffefefefefefefefe", - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe", - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "10000000000000000000000000000000000000000000000000000000000000000", - "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0", - ( - "4df72d07b4b71c8dacb6cffa954f8d88254b6277099308baf003fab73227f34029" - "643b5a263f66e0d3c3fa297ef71755efd53b8fb6cb812c6bbf7bcf179298bd9947" - "c4c8b14324140a2c0f5fad7958a69050a987a6096e9f055fb38edf0c5889eca4a0" - "cfa99b45fbdeee4c696b328ddceae4723945901ec025076b12b" - ) - ] - - def description(self) -> str: - """Generate a description for the test case. - - If not set, case_description uses the form A `symbol` B, where symbol - is used to represent the operation. Descriptions of each value are - generated to provide some context to the test case. - """ - if not self.case_description: - self.case_description = "{:x} {} {:x}".format( - self.int_a, self.symbol, self.int_b - ) - return super().description() + input_values = INPUT_VALUES -class BignumCoreOperationArchSplit(BignumCoreOperation): +class BignumCoreOperationArchSplit(BignumCoreTarget, + bignum_common.OperationCommonArchSplit): #pylint: disable=abstract-method """Common features for bignum core operations where the result depends on the limb size.""" + input_values = INPUT_VALUES - def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None: - super().__init__(val_a, val_b) - bound_val = max(self.int_a, self.int_b) - self.bits_in_limb = bits_in_limb - self.bound = bignum_common.bound_mpi(bound_val, self.bits_in_limb) - limbs = bignum_common.limbs_mpi(bound_val, self.bits_in_limb) - byte_len = limbs * self.bits_in_limb // 8 - self.hex_digits = 2 * byte_len - if self.bits_in_limb == 32: - self.dependencies = ["MBEDTLS_HAVE_INT32"] - elif self.bits_in_limb == 64: - self.dependencies = ["MBEDTLS_HAVE_INT64"] - else: - raise ValueError("Invalid number 
of bits in limb!") - self.arg_a = self.arg_a.zfill(self.hex_digits) - self.arg_b = self.arg_b.zfill(self.hex_digits) - - def pad_to_limbs(self, val) -> str: - return "{:x}".format(val).zfill(self.hex_digits) - - @classmethod - def generate_function_tests(cls) -> Iterator[test_case.TestCase]: - for a_value, b_value in cls.get_value_pairs(): - yield cls(a_value, b_value, 32).create_test_case() - yield cls(a_value, b_value, 64).create_test_case() class BignumCoreAddAndAddIf(BignumCoreOperationArchSplit): """Test cases for bignum core add and add-if.""" From 351e6885f55fd6354b57b51a5dbaadf3231aa7c8 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 9 Nov 2022 16:04:41 +0000 Subject: [PATCH 234/413] Make pylint happy Signed-off-by: Janos Follath --- scripts/mbedtls_dev/test_data_generation.py | 2 ++ tests/scripts/generate_bignum_tests.py | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/mbedtls_dev/test_data_generation.py b/scripts/mbedtls_dev/test_data_generation.py index 3d703eec7d..02aa510518 100644 --- a/scripts/mbedtls_dev/test_data_generation.py +++ b/scripts/mbedtls_dev/test_data_generation.py @@ -117,6 +117,7 @@ class BaseTest(metaclass=ABCMeta): class BaseTarget: + #pylint: disable=too-few-public-methods """Base target for test case generation. Child classes of this class represent an output file, and can be referred @@ -141,6 +142,7 @@ class BaseTarget: will yield test cases from all classes derived from X. """ if issubclass(cls, BaseTest) and not inspect.isabstract(cls): + #pylint: disable=no-member yield from cls.generate_function_tests() for subclass in sorted(cls.__subclasses__(), key=lambda c: c.__name__): yield from subclass.generate_tests() diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index d923828cec..89d0ac29e0 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py 
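Review bot: `INPUT_VALUES` is a module-level list bound by reference as `input_values` of both `BignumCoreOperation` and `BignumCoreOperationArchSplit`, so any subclass that mutates its `input_values` in place would silently change the other hierarchy's generated cases. The data is constant, so a tuple, or at least a comment at the definition such as `# Shared by both operation hierarchies; treat as read-only.`, makes that explicit. No mutation is visible on this page, so this is a guard rather than a present bug.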
@@ -57,7 +57,7 @@ of BaseTarget in test_data_generation.py. import sys from abc import ABCMeta -from typing import Iterator, List +from typing import List import scripts_path # pylint: disable=unused-import from mbedtls_dev import test_case @@ -69,6 +69,7 @@ from mbedtls_dev import bignum_common from mbedtls_dev import bignum_core, bignum_mod_raw # pylint: disable=unused-import class BignumTarget(test_data_generation.BaseTarget): + #pylint: disable=too-few-public-methods """Target for bignum (legacy) test case generation.""" target_basename = 'test_suite_bignum.generated' From 5b1dbb4cbcdad4f3c37e40219c3f1a2398d7d87d Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Nov 2022 13:32:43 +0000 Subject: [PATCH 235/413] Bignum Tests: Move ModOperation to common The class BignumModRawOperation implements functionality that are needed in other modules, therefore we move it to common. No intended changes to test cases. The order of add_and_add_if and sub tests have been switched. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 52 +++++++++++++++++++++++++ scripts/mbedtls_dev/bignum_mod_raw.py | 55 +-------------------------- 2 files changed, 54 insertions(+), 53 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 7ab788be0a..28e27b0392 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
@@ -142,6 +142,58 @@ class OperationCommon(test_data_generation.BaseTest): yield cls(a_value, b_value).create_test_case() +class ModOperationCommon(OperationCommon): + #pylint: disable=abstract-method + """Target for bignum mod_raw test case generation.""" + + def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: + super().__init__(val_a=val_a, val_b=val_b) + self.val_n = val_n + self.bits_in_limb = bits_in_limb + + @property + def int_n(self) -> int: + return hex_to_int(self.val_n) + + @property + def boundary(self) -> int: + data_in = [self.int_a, self.int_b, self.int_n] + return max([n for n in data_in if n is not None]) + + @property + def limbs(self) -> int: + return limbs_mpi(self.boundary, self.bits_in_limb) + + @property + def hex_digits(self) -> int: + return 2 * (self.limbs * self.bits_in_limb // 8) + + @property + def hex_n(self) -> str: + return "{:x}".format(self.int_n).zfill(self.hex_digits) + + @property + def hex_a(self) -> str: + return "{:x}".format(self.int_a).zfill(self.hex_digits) + + @property + def hex_b(self) -> str: + return "{:x}".format(self.int_b).zfill(self.hex_digits) + + @property + def r(self) -> int: # pylint: disable=invalid-name + l = limbs_mpi(self.int_n, self.bits_in_limb) + return bound_mpi_limbs(l, self.bits_in_limb) + + @property + def r_inv(self) -> int: + return invmod(self.r, self.int_n) + + @property + def r2(self) -> int: # pylint: disable=invalid-name + return pow(self.r, 2) + + class OperationCommonArchSplit(OperationCommon): #pylint: disable=abstract-method """Common features for operations where the result depends on diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 4f12d9a865..884e2ef4a8 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
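Review bot: The docstring of the new `ModOperationCommon` reads `"""Target for bignum mod_raw test case generation."""`, copied from the class it was lifted out of; in bignum_common it is neither a target nor mod_raw-specific, and the commit message says it is meant for reuse by other modules. Replace it with something like `"""Common features for modular bignum operations: operands a and b, modulus n, and the r, r_inv and r2 values derived from n."""`. The `boundary` property filters `None` out of `[self.int_a, self.int_b, self.int_n]`, yet with the `val_b` default of `"0"` none of the three can be None as written, so a one-line comment saying whether a None operand is a supported case would stop the filter reading as dead code.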
@@ -14,7 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -from abc import ABCMeta from typing import Dict, Iterator, List from . import test_case 
@@ -26,58 +25,8 @@ class BignumModRawTarget(test_data_generation.BaseTarget): """Target for bignum mod_raw test case generation.""" target_basename = 'test_suite_bignum_mod_raw.generated' -class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, metaclass=ABCMeta): - #pylint: disable=abstract-method - """Target for bignum mod_raw test case generation.""" - - def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: - super().__init__(val_a=val_a, val_b=val_b) - self.val_n = val_n - self.bits_in_limb = bits_in_limb - - @property - def int_n(self) -> int: - return bignum_common.hex_to_int(self.val_n) - - @property - def boundary(self) -> int: - data_in = [self.int_a, self.int_b, self.int_n] - return max([n for n in data_in if n is not None]) - - @property - def limbs(self) -> int: - return bignum_common.limbs_mpi(self.boundary, self.bits_in_limb) - - @property - def hex_digits(self) -> int: - return 2 * (self.limbs * self.bits_in_limb // 8) - - @property - def hex_n(self) -> str: - return "{:x}".format(self.int_n).zfill(self.hex_digits) - - @property - def hex_a(self) -> str: - return "{:x}".format(self.int_a).zfill(self.hex_digits) - - @property - def hex_b(self) -> str: - return "{:x}".format(self.int_b).zfill(self.hex_digits) - - @property - def r(self) -> int: # pylint: disable=invalid-name - l = bignum_common.limbs_mpi(self.int_n, self.bits_in_limb) - return bignum_common.bound_mpi_limbs(l, self.bits_in_limb) - - @property - def r_inv(self) -> int: - return bignum_common.invmod(self.r, self.int_n) - - @property - def r2(self) -> int: # pylint: disable=invalid-name - return pow(self.r, 2) - -class BignumModRawOperationArchSplit(BignumModRawOperation): +class BignumModRawOperationArchSplit(bignum_common.ModOperationCommon, + BignumModRawTarget): #pylint: disable=abstract-method """Common features for bignum mod raw operations where the result depends on the limb size.""" 
From 948afcecb91caed178b85c6c285768ea604a82aa Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Nov 2022 13:38:56 +0000 Subject: [PATCH 236/413] Bignum Tests: move ModOperationArchSplit to common The class BignumModRawOperationArchSplit has functionality that are needed in other modules, therefore moving it to bignum_common. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 22 ++++++++++++++++++++++ scripts/mbedtls_dev/bignum_mod_raw.py | 24 ++---------------------- 2 files changed, 24 insertions(+), 22 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 28e27b0392..b853d11365 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -226,6 +226,28 @@ class OperationCommonArchSplit(OperationCommon): yield cls(a_value, b_value, 64).create_test_case() +class ModOperationCommonArchSplit(ModOperationCommon): + #pylint: disable=abstract-method + """Common features for bignum mod raw operations where the result depends on + the limb size.""" + + limb_sizes = [32, 64] # type: List[int] + + def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: + super().__init__(val_n=val_n, val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb) + + if bits_in_limb not in self.limb_sizes: + raise ValueError("Invalid number of bits in limb!") + + self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)] + + @classmethod + def generate_function_tests(cls) -> Iterator[test_case.TestCase]: + for a_value, b_value in cls.get_value_pairs(): + for bil in cls.limb_sizes: + yield cls(a_value, b_value, bits_in_limb=bil).create_test_case() + + # BEGIN MERGE SLOT 1 # END MERGE SLOT 1 diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 884e2ef4a8..58a93fc5d6 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
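Review bot: `ModOperationCommonArchSplit.generate_function_tests` builds `cls(a_value, b_value, bits_in_limb=bil)`, but the class's own `__init__` is `(val_n, val_a, val_b="0", bits_in_limb=64)`, so the first element of each value pair silently becomes the modulus and the second becomes `val_a`, with `val_b` left at `"0"`. The only visible subclass, `BignumModRawConvertToMont`, overrides this method (in `bignum_mod_raw.py`, outside this hunk), which is why nothing breaks today, but any subclass that relies on the inherited generator gets wrong vectors with no error. Either drive the loop from an explicit moduli list and construct by keyword, `cls(val_n=n, val_a=a, val_b=b, bits_in_limb=bil)`, or make the method abstract here so subclasses must say how N is chosen.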
@@ -25,27 +25,6 @@ class BignumModRawTarget(test_data_generation.BaseTarget): """Target for bignum mod_raw test case generation.""" target_basename = 'test_suite_bignum_mod_raw.generated' -class BignumModRawOperationArchSplit(bignum_common.ModOperationCommon, - BignumModRawTarget): - #pylint: disable=abstract-method - """Common features for bignum mod raw operations where the result depends on - the limb size.""" - - limb_sizes = [32, 64] # type: List[int] - - def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: - super().__init__(val_n=val_n, val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb) - - if bits_in_limb not in self.limb_sizes: - raise ValueError("Invalid number of bits in limb!") - - self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)] - - @classmethod - def generate_function_tests(cls) -> Iterator[test_case.TestCase]: - for a_value, b_value in cls.get_value_pairs(): - for bil in cls.limb_sizes: - yield cls(a_value, b_value, bits_in_limb=bil).create_test_case() # BEGIN MERGE SLOT 1 # END MERGE SLOT 1 @@ -71,7 +50,8 @@ class BignumModRawOperationArchSplit(bignum_common.ModOperationCommon, # END MERGE SLOT 6 # BEGIN MERGE SLOT 7 -class BignumModRawConvertToMont(BignumModRawOperationArchSplit): +class BignumModRawConvertToMont(bignum_common.ModOperationCommonArchSplit, + BignumModRawTarget): """ Test cases for mpi_mod_raw_to_mont_rep(). """ test_function = "mpi_mod_raw_to_mont_rep" From 155ad8c2971973b950c5c730a21fd9815f57fef7 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Nov 2022 14:42:40 +0000 Subject: [PATCH 237/413] Bignum Tests: remove ModOperationCommonArchSplit The functionality of ModOperationCommonArchSplit is needed in several subclasses, therefore moving it to a superclass. There is another, redundant ArchSplit class, which will be removed in a later commit. 
Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 49 ++++++++++++--------------- scripts/mbedtls_dev/bignum_mod_raw.py | 3 +- 2 files changed, 24 insertions(+), 28 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index b853d11365..cbbbf9f678 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -80,17 +80,29 @@ class OperationCommon(test_data_generation.BaseTest): unique_combinations_only: Boolean to select if test case combinations must be unique. If True, only A,B or B,A would be included as a test case. If False, both A,B and B,A would be included. + arch_split: Boolean to select if different test cases are needed + depending on the architecture/limb size. This will cause test + objects being generated with different architectures. Individual + test objects can tell their architecture by accessing the + bits_in_limb instance variable. """ symbol = "" input_values = [] # type: List[str] input_cases = [] # type: List[Tuple[str, str]] unique_combinations_only = True + arch_split = False + limb_sizes = [32, 64] # type: List[int] - def __init__(self, val_a: str, val_b: str) -> None: + def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None: self.arg_a = val_a self.arg_b = val_b self.int_a = hex_to_int(val_a) self.int_b = hex_to_int(val_b) + if bits_in_limb not in self.limb_sizes: + raise ValueError("Invalid number of bits in limb!") + if self.arch_split: + self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)] + self.bits_in_limb = bits_in_limb def arguments(self) -> List[str]: return [ 
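Review bot: In `OperationCommon.__init__` the new `self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]` replaces the attribute rather than extending it, so if `BaseTest` or a subclass declares `dependencies` at class level (not visible in this hunk) those entries are dropped for every arch-split test object. If that class attribute exists, `self.dependencies = list(self.dependencies) + ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]` preserves it; if it does not, a short comment saying this is the only source of dependencies would stop the next reader from wondering. The new docstring text also claims test objects "can tell their architecture by accessing the bits_in_limb instance variable", but for `arch_split = False` classes that variable is just the 64 default, so it should say the value is only meaningful when `arch_split` is set.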
@@ -139,17 +151,22 @@ class OperationCommon(test_data_generation.BaseTest): @classmethod def generate_function_tests(cls) -> Iterator[test_case.TestCase]: for a_value, b_value in cls.get_value_pairs(): - yield cls(a_value, b_value).create_test_case() + if cls.arch_split: + for bil in cls.limb_sizes: + yield cls(a_value, b_value, + bits_in_limb=bil).create_test_case() + else: + yield cls(a_value, b_value).create_test_case() class ModOperationCommon(OperationCommon): #pylint: disable=abstract-method """Target for bignum mod_raw test case generation.""" - def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: - super().__init__(val_a=val_a, val_b=val_b) + def __init__(self, val_n: str, val_a: str, val_b: str = "0", + bits_in_limb: int = 64) -> None: + super().__init__(val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb) self.val_n = val_n - self.bits_in_limb = bits_in_limb @property def int_n(self) -> int: @@ -226,28 +243,6 @@ class OperationCommonArchSplit(OperationCommon): yield cls(a_value, b_value, 64).create_test_case() -class ModOperationCommonArchSplit(ModOperationCommon): - #pylint: disable=abstract-method - """Common features for bignum mod raw operations where the result depends on - the limb size.""" - - limb_sizes = [32, 64] # type: List[int] - - def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: - super().__init__(val_n=val_n, val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb) - - if bits_in_limb not in self.limb_sizes: - raise ValueError("Invalid number of bits in limb!") - - self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)] - - @classmethod - def generate_function_tests(cls) -> Iterator[test_case.TestCase]: - for a_value, b_value in cls.get_value_pairs(): - for bil in cls.limb_sizes: - yield cls(a_value, b_value, bits_in_limb=bil).create_test_case() - - # BEGIN MERGE SLOT 1 # END MERGE SLOT 1 
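Review bot: `OperationCommon.generate_function_tests` now instantiates `cls(a_value, b_value, bits_in_limb=bil)` positionally, while in the same hunk `ModOperationCommon.__init__` keeps the signature `(val_n, val_a, val_b="0", bits_in_limb=64)`; a `ModOperationCommon` subclass that does not override the generator therefore receives `a_value` as the modulus and `b_value` as `val_a`, and no error is raised. `BignumModRawConvertToMont` overrides the generator (outside this hunk), so the current output is unaffected, but the base class is not safely inheritable by the mod classes this series is preparing for. Constructing by keyword in the base, `cls(val_a=a_value, val_b=b_value, bits_in_limb=bil)`, turns the silent swap into an immediate `TypeError` (missing `val_n`); better still, give `ModOperationCommon` its own generator that iterates moduli explicitly.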
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 58a93fc5d6..f44acef73a 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py @@ -50,12 +50,13 @@ class BignumModRawTarget(test_data_generation.BaseTarget): # END MERGE SLOT 6 # BEGIN MERGE SLOT 7 -class BignumModRawConvertToMont(bignum_common.ModOperationCommonArchSplit, +class BignumModRawConvertToMont(bignum_common.ModOperationCommon, BignumModRawTarget): """ Test cases for mpi_mod_raw_to_mont_rep(). """ test_function = "mpi_mod_raw_to_mont_rep" test_name = "Convert into Mont: " + arch_split = True test_data_moduli = ["b", "fd", From b41ab926b2dc1808235099bbeed31159dbebc4c1 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Nov 2022 15:13:02 +0000 Subject: [PATCH 238/413] Bignum Tests: move properties to superclass Move properties that are needed in several children to the superclass. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 40 +++++++++++++++------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index cbbbf9f678..7d52749f8d 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
@@ -104,6 +104,27 @@ class OperationCommon(test_data_generation.BaseTest): self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)] self.bits_in_limb = bits_in_limb + @property + def boundary(self) -> int: + data_in = [self.int_a, self.int_b] + return max([n for n in data_in if n is not None]) + + @property + def limbs(self) -> int: + return limbs_mpi(self.boundary, self.bits_in_limb) + + @property + def hex_digits(self) -> int: + return 2 * (self.limbs * self.bits_in_limb // 8) + + @property + def hex_a(self) -> str: + return "{:x}".format(self.int_a).zfill(self.hex_digits) + + @property + def hex_b(self) -> str: + return "{:x}".format(self.int_b).zfill(self.hex_digits) + def arguments(self) -> List[str]: return [ quote_str(self.arg_a), quote_str(self.arg_b) @@ -177,26 +198,10 @@ class ModOperationCommon(OperationCommon): data_in = [self.int_a, self.int_b, self.int_n] return max([n for n in data_in if n is not None]) - @property - def limbs(self) -> int: - return limbs_mpi(self.boundary, self.bits_in_limb) - - @property - def hex_digits(self) -> int: - return 2 * (self.limbs * self.bits_in_limb // 8) - @property def hex_n(self) -> str: return "{:x}".format(self.int_n).zfill(self.hex_digits) - @property - def hex_a(self) -> str: - return "{:x}".format(self.int_a).zfill(self.hex_digits) - - @property - def hex_b(self) -> str: - return "{:x}".format(self.int_b).zfill(self.hex_digits) - @property def r(self) -> int: # pylint: disable=invalid-name l = limbs_mpi(self.int_n, self.bits_in_limb) @@ -221,9 +226,6 @@ class OperationCommonArchSplit(OperationCommon): bound_val = max(self.int_a, self.int_b) self.bits_in_limb = bits_in_limb self.bound = bound_mpi(bound_val, self.bits_in_limb) - limbs = limbs_mpi(bound_val, self.bits_in_limb) - byte_len = limbs * self.bits_in_limb // 8 - self.hex_digits = 2 * byte_len if self.bits_in_limb == 32: self.dependencies = ["MBEDTLS_HAVE_INT32"] elif self.bits_in_limb == 64: 
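Review bot: The new `OperationCommon.boundary` filters `[n for n in data_in if n is not None]`, but `int_a` and `int_b` are assigned from `hex_to_int` in `__init__` and are never `None`, so the filter is dead code, and if it ever did remove both values `max([])` would raise an uninformative `ValueError`. `return max(self.int_a, self.int_b)` expresses the intent directly; the three-element copy left in `ModOperationCommon` has the same dead filter. Also worth a comment: if `limbs_mpi(0, bits_in_limb)` returns 0 (not visible here), `hex_digits` is 0 for `boundary == 0` and `zfill(0)` leaves the values unpadded, so an all-zero arch-split vector would not be limb-aligned.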
From 6fa3f0653ae081ea43d5414624993d17f9b056dd Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Nov 2022 20:33:51 +0000 Subject: [PATCH 239/413] Bignum Tests: remove OperationCommonArchSplit The ArchSplit functionality was duplicated and moved to OperationCommon from the other copy. The remnants of the functionality is moved to the only subclass using this. There is no semantic change to the generated tests. The order has changed however: core_add tests have been moved before core_mla tests and the order of the 64 and 32 bit versions have been swapped. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 52 ++++++++------------------- scripts/mbedtls_dev/bignum_core.py | 24 +++++++------ scripts/mbedtls_dev/bignum_mod_raw.py | 2 +- 3 files changed, 29 insertions(+), 49 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 7d52749f8d..0784f845ff 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
@@ -80,17 +80,18 @@ class OperationCommon(test_data_generation.BaseTest): unique_combinations_only: Boolean to select if test case combinations must be unique. If True, only A,B or B,A would be included as a test case. If False, both A,B and B,A would be included. - arch_split: Boolean to select if different test cases are needed - depending on the architecture/limb size. This will cause test - objects being generated with different architectures. Individual - test objects can tell their architecture by accessing the - bits_in_limb instance variable. + input_style: Controls the way how test data is passed to the functions + in the generated test cases. "variable" passes them as they are + defined in the python source. "arch_split" pads the values with + zeroes depending on the architecture/limb size. If this is set, + test cases are generated for all architectures. """ symbol = "" input_values = [] # type: List[str] input_cases = [] # type: List[Tuple[str, str]] unique_combinations_only = True - arch_split = False + input_styles = ["variable", "arch_split"] # type: List[str] + input_style = "variable" # type: str limb_sizes = [32, 64] # type: List[int] def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None: @@ -100,7 +101,7 @@ class OperationCommon(test_data_generation.BaseTest): self.int_b = hex_to_int(val_b) if bits_in_limb not in self.limb_sizes: raise ValueError("Invalid number of bits in limb!") - if self.arch_split: + if self.input_style == "arch_split": self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)] self.bits_in_limb = bits_in_limb @@ -109,6 +110,10 @@ class OperationCommon(test_data_generation.BaseTest): data_in = [self.int_a, self.int_b] return max([n for n in data_in if n is not None]) + @property + def limb_boundary(self) -> int: + return bound_mpi(self.boundary, self.bits_in_limb) + @property def limbs(self) -> int: return limbs_mpi(self.boundary, self.bits_in_limb) 
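Review bot: `OperationCommon.__init__` now branches on `if self.input_style == "arch_split":` but never checks that `input_style` is in `input_styles`; the validation is only added to `generate_function_tests` (next hunk), which subclasses such as `BignumModRawConvertToMont` override, so a misspelt `input_style = "archsplit"` on such a class silently produces unpadded "variable" vectors with no `MBEDTLS_HAVE_INT*` dependency. Moving the check into `__init__`, where every object passes, closes that gap: `if self.input_style not in self.input_styles: raise ValueError("Unknown input style!")`. With it in place the duplicate check in the generator becomes redundant.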
@@ -171,8 +176,10 @@ class OperationCommon(test_data_generation.BaseTest): @classmethod def generate_function_tests(cls) -> Iterator[test_case.TestCase]: + if cls.input_style not in cls.input_styles: + raise ValueError("Unknown input style!") for a_value, b_value in cls.get_value_pairs(): - if cls.arch_split: + if cls.input_style == "arch_split": for bil in cls.limb_sizes: yield cls(a_value, b_value, bits_in_limb=bil).create_test_case() @@ -216,35 +223,6 @@ class ModOperationCommon(OperationCommon): return pow(self.r, 2) -class OperationCommonArchSplit(OperationCommon): - #pylint: disable=abstract-method - """Common features for operations where the result depends on - the limb size.""" - - def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None: - super().__init__(val_a, val_b) - bound_val = max(self.int_a, self.int_b) - self.bits_in_limb = bits_in_limb - self.bound = bound_mpi(bound_val, self.bits_in_limb) - if self.bits_in_limb == 32: - self.dependencies = ["MBEDTLS_HAVE_INT32"] - elif self.bits_in_limb == 64: - self.dependencies = ["MBEDTLS_HAVE_INT64"] - else: - raise ValueError("Invalid number of bits in limb!") - self.arg_a = self.arg_a.zfill(self.hex_digits) - self.arg_b = self.arg_b.zfill(self.hex_digits) - - def pad_to_limbs(self, val) -> str: - return "{:x}".format(val).zfill(self.hex_digits) - - @classmethod - def generate_function_tests(cls) -> Iterator[test_case.TestCase]: - for a_value, b_value in cls.get_value_pairs(): - yield cls(a_value, b_value, 32).create_test_case() - yield cls(a_value, b_value, 64).create_test_case() - - # BEGIN MERGE SLOT 1 # END MERGE SLOT 1 diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index 591e53c203..749403705a 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py 
@@ -106,6 +106,7 @@ class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest): yield (cls(bitsize, bitsize_description, window_size) .create_test_case()) + INPUT_VALUES = [ "0", "1", "3", "f", "fe", "ff", "100", "ff00", "fffe", "ffff", "10000", "fffffffe", "ffffffff", "100000000", "1f7f7f7f7f7f7f", @@ -127,38 +128,39 @@ INPUT_VALUES = [ ) ] - class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon): #pylint: disable=abstract-method """Common features for bignum core operations.""" input_values = INPUT_VALUES -class BignumCoreOperationArchSplit(BignumCoreTarget, - bignum_common.OperationCommonArchSplit): - #pylint: disable=abstract-method - """Common features for bignum core operations where the result depends on - the limb size.""" - input_values = INPUT_VALUES - - -class BignumCoreAddAndAddIf(BignumCoreOperationArchSplit): +class BignumCoreAddAndAddIf(BignumCoreOperation): """Test cases for bignum core add and add-if.""" count = 0 symbol = "+" test_function = "mpi_core_add_and_add_if" test_name = "mpi_core_add_and_add_if" + input_style = "arch_split" + + def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None: + super().__init__(val_a, val_b) + self.arg_a = self.arg_a.zfill(self.hex_digits) + self.arg_b = self.arg_b.zfill(self.hex_digits) + + def pad_to_limbs(self, val) -> str: + return "{:x}".format(val).zfill(self.hex_digits) def result(self) -> List[str]: result = self.int_a + self.int_b - carry, result = divmod(result, self.bound) + carry, result = divmod(result, self.limb_boundary) return [ bignum_common.quote_str(self.pad_to_limbs(result)), str(carry) ] + class BignumCoreSub(BignumCoreOperation): """Test cases for bignum core sub.""" count = 0 diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index f44acef73a..b330c493d5 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
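Review bot: `BignumCoreAddAndAddIf.__init__` accepts `bits_in_limb` but calls `super().__init__(val_a, val_b)` without forwarding it, so every object is built with the default of 64: for `bil == 32` the dependency becomes `MBEDTLS_HAVE_INT64` and the padding, `limb_boundary` and carry are all computed for 64-bit limbs, i.e. the 32-bit vectors are replaced by duplicates of the 64-bit ones. That contradicts the commit message's "no semantic change to the generated tests" and loses the 32-bit carry coverage. The fix is `super().__init__(val_a, val_b, bits_in_limb=bits_in_limb)`, or simply deleting the override, since the base `__init__` already validates the limb size and the padding can be done in `arguments()`.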
@@ -56,7 +56,7 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, test_function = "mpi_mod_raw_to_mont_rep" test_name = "Convert into Mont: " - arch_split = True + input_style = "arch_split" test_data_moduli = ["b", "fd", From 4c59d35e00d08ae2a6ab51a13077776c05d22a3d Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 18 Nov 2022 16:05:46 +0000 Subject: [PATCH 240/413] Bignum tests: make args use input_style Before arg_ attributes were the arguments as they were defined in the python script. Turning these into properties and having them take the form respect the style set in input_style makes the class easier to use and more consistent. This change makes the hex_ properties redundant and therefore they are removed. There are no semantic changes to the generated test cases. (The order of appearance of 64 and 32 bit mpi_core_add_and_add_if test cases has changed.) Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 30 +++++++++++++++++++-------- scripts/mbedtls_dev/bignum_core.py | 10 +-------- scripts/mbedtls_dev/bignum_mod_raw.py | 4 ++-- 3 files changed, 24 insertions(+), 20 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 0784f845ff..907c0b6d5f 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -95,8 +95,8 @@ class OperationCommon(test_data_generation.BaseTest): limb_sizes = [32, 64] # type: List[int] def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None: - self.arg_a = val_a - self.arg_b = val_b + self.val_a = val_a + self.val_b = val_b self.int_a = hex_to_int(val_a) self.int_b = hex_to_int(val_b) if bits_in_limb not in self.limb_sizes: 
@@ -122,13 +122,25 @@ class OperationCommon(test_data_generation.BaseTest): def hex_digits(self) -> int: return 2 * (self.limbs * self.bits_in_limb // 8) - @property - def hex_a(self) -> str: - return "{:x}".format(self.int_a).zfill(self.hex_digits) + def format_arg(self, val) -> str: + if self.input_style not in self.input_styles: + raise ValueError("Unknown input style!") + if self.input_style == "variable": + return val + else: + return val.zfill(self.hex_digits) + + def format_result(self, res) -> str: + res_str = '{:x}'.format(res) + return quote_str(self.format_arg(res_str)) @property - def hex_b(self) -> str: - return "{:x}".format(self.int_b).zfill(self.hex_digits) + def arg_a(self) -> str: + return self.format_arg(self.val_a) + + @property + def arg_b(self) -> str: + return self.format_arg(self.val_b) def arguments(self) -> List[str]: return [ @@ -206,8 +218,8 @@ class ModOperationCommon(OperationCommon): return max([n for n in data_in if n is not None]) @property - def hex_n(self) -> str: - return "{:x}".format(self.int_n).zfill(self.hex_digits) + def arg_n(self) -> str: + return self.format_arg(self.val_n) @property def r(self) -> int: # pylint: disable=invalid-name diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index 749403705a..48390b98cb 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py 
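Review bot: `format_arg(self, val)` and `format_result(self, res)` are the only new methods here without parameter annotations, in a class that is otherwise fully typed; `def format_arg(self, val: str) -> str:` and `def format_result(self, res: int) -> str:` would let mypy catch a caller that hands an `int` to `format_arg` or a hex string to `format_result`. The two also differ in a way the names do not convey: `format_result` returns an already-quoted string, while `arg_a`/`arg_b` return unquoted strings that `arguments()` wraps in `quote_str`, so a future caller can easily double-quote. A docstring on each stating "returns a quoted test-file literal" versus "returns the bare hex string" (or renaming the former `quoted_result`) would make the contract explicit.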
@@ -142,21 +142,13 @@ class BignumCoreAddAndAddIf(BignumCoreOperation): test_name = "mpi_core_add_and_add_if" input_style = "arch_split" - def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None: - super().__init__(val_a, val_b) - self.arg_a = self.arg_a.zfill(self.hex_digits) - self.arg_b = self.arg_b.zfill(self.hex_digits) - - def pad_to_limbs(self, val) -> str: - return "{:x}".format(val).zfill(self.hex_digits) - def result(self) -> List[str]: result = self.int_a + self.int_b carry, result = divmod(result, self.limb_boundary) return [ - bignum_common.quote_str(self.pad_to_limbs(result)), + self.format_result(result), str(carry) ] diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index b330c493d5..e2d8cd698d 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py @@ -114,8 +114,8 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, return [self.hex_x] def arguments(self) -> List[str]: - return [bignum_common.quote_str(n) for n in [self.hex_n, - self.hex_a, + return [bignum_common.quote_str(n) for n in [self.arg_n, + self.arg_a, self.hex_x]] def description(self) -> str: From abfca8f938e9923a849a0aaa350767e93f10ca5a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 18 Nov 2022 16:48:45 +0000 Subject: [PATCH 241/413] Bignum tests: make n an attribute Having int_ variants as an attribute has the advantage of the input being validated when the object is instantiated. In theory otherwise if a particular int_ attribute is not accessed, then the invalid argument is passed to the tests as it is. (This would in all likelihood detected by the actual test cases, still, it is more robust like this.) There are no semantic changes to the generated test cases. (The order of appearance of 64 and 32 bit mpi_core_add_and_add_if test cases has changed.) 
Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 907c0b6d5f..58eb11ebd1 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -97,6 +97,8 @@ class OperationCommon(test_data_generation.BaseTest): def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None: self.val_a = val_a self.val_b = val_b + # Setting the int versions here as opposed to making them @properties + # provides earlier/more robust input validation. self.int_a = hex_to_int(val_a) self.int_b = hex_to_int(val_b) if bits_in_limb not in self.limb_sizes: @@ -207,10 +209,9 @@ class ModOperationCommon(OperationCommon): bits_in_limb: int = 64) -> None: super().__init__(val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb) self.val_n = val_n - - @property - def int_n(self) -> int: - return hex_to_int(self.val_n) + # Setting the int versions here as opposed to making them @properties + # provides earlier/more robust input validation. + self.int_n = hex_to_int(val_n) @property def boundary(self) -> int: From a36a3d36b5c749011f8b94f88d37a3f3523ff8a8 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 18 Nov 2022 17:49:13 +0000 Subject: [PATCH 242/413] Bignum tests: add arity Add the ability to control the number of operands, by setting the arity class attribute. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 30 ++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 58eb11ebd1..ecff206a3d 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
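Review bot: `ModOperationCommon.__init__` now parses `self.int_n = hex_to_int(val_n)` eagerly "for earlier/more robust input validation", yet a zero modulus is still accepted and only surfaces later as a `ZeroDivisionError` from `% self.int_n` in the subclasses' `result()`, or from `invmod` when `r_inv` is read. Add `if self.int_n == 0: raise ValueError("Modulus must be non-zero!")` right after the assignment. If even moduli are never intended for the Montgomery helpers, `if self.int_n % 2 == 0: raise ValueError("Modulus must be odd!")` here as well would give a clear error instead of whatever `invmod(self.r, self.int_n)` does for a non-invertible R (not visible in this hunk).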
@@ -85,6 +85,8 @@ class OperationCommon(test_data_generation.BaseTest): defined in the python source. "arch_split" pads the values with zeroes depending on the architecture/limb size. If this is set, test cases are generated for all architectures. + arity: the number of operands for the operation. Currently supported + values are 1 and 2. """ symbol = "" input_values = [] # type: List[str] @@ -93,8 +95,10 @@ class OperationCommon(test_data_generation.BaseTest): input_styles = ["variable", "arch_split"] # type: List[str] input_style = "variable" # type: str limb_sizes = [32, 64] # type: List[int] + arities = [1, 2] + arity = 2 - def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None: + def __init__(self, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: self.val_a = val_a self.val_b = val_b # Setting the int versions here as opposed to making them @properties @@ -109,8 +113,11 @@ class OperationCommon(test_data_generation.BaseTest): @property def boundary(self) -> int: - data_in = [self.int_a, self.int_b] - return max([n for n in data_in if n is not None]) + if self.arity == 1: + return self.int_a + elif self.arity == 2: + return max(self.int_a, self.int_b) + raise ValueError("Unsupported number of operands!") @property def limb_boundary(self) -> int: @@ -142,12 +149,15 @@ class OperationCommon(test_data_generation.BaseTest): @property def arg_b(self) -> str: + if self.arity == 1: + raise AttributeError("Operation is unary and doesn't have arg_b!") return self.format_arg(self.val_b) def arguments(self) -> List[str]: - return [ - quote_str(self.arg_a), quote_str(self.arg_b) - ] + self.result() + args = [quote_str(self.arg_a)] + if self.arity == 2: + args.append(quote_str(self.arg_b)) + return args + self.result() def description(self) -> str: """Generate a description for the test case. 
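Review bot: `OperationCommon.boundary` ends with `raise ValueError("Unsupported number of operands!")` as a lazy fallback for an unknown `arity`, while `__init__` accepts any `arity` value and the class-level check is added only to `generate_function_tests` (next hunk), which subclasses override. Validating in `__init__`, `if self.arity not in self.arities: raise ValueError("Unsupported number of operands!")`, catches the error when the object is built and makes the fallback in `boundary` unreachable. One more small point: `arg_b` raising `AttributeError` from a property means `hasattr(obj, "arg_b")` quietly returns `False` for unary operations, which is acceptable but easy to mistake for a typo, so a comment on the raise saying this is deliberate would help.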
@@ -192,6 +202,8 @@ class OperationCommon(test_data_generation.BaseTest): def generate_function_tests(cls) -> Iterator[test_case.TestCase]: if cls.input_style not in cls.input_styles: raise ValueError("Unknown input style!") + if cls.arity not in cls.arities: + raise ValueError("Unsupported number of operands!") for a_value, b_value in cls.get_value_pairs(): if cls.input_style == "arch_split": for bil in cls.limb_sizes: @@ -215,13 +227,15 @@ class ModOperationCommon(OperationCommon): @property def boundary(self) -> int: - data_in = [self.int_a, self.int_b, self.int_n] - return max([n for n in data_in if n is not None]) + return self.int_n @property def arg_n(self) -> str: return self.format_arg(self.val_n) + def arguments(self) -> List[str]: + return [quote_str(self.arg_n)] + super().arguments() + @property def r(self) -> int: # pylint: disable=invalid-name l = limbs_mpi(self.int_n, self.bits_in_limb) From 1921fd585cb0314bb7e6e165727664c52052dd97 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 18 Nov 2022 17:51:02 +0000 Subject: [PATCH 243/413] Bignum tests: use arity in bignum_mod_raw This makes a couple of properties redundant which are cleaned up. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_mod_raw.py | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index e2d8cd698d..6c217c235d 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py @@ -57,6 +57,7 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, test_function = "mpi_mod_raw_to_mont_rep" test_name = "Convert into Mont: " input_style = "arch_split" + arity = 1 test_data_moduli = ["b", "fd", 
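Review bot: `ModOperationCommon.boundary` now returns `self.int_n` alone, so `limbs`, `hex_digits` and hence `format_arg` padding are sized from the modulus only; nothing in this commit stops a subclass from passing an operand with `int_a >= int_n`, and since `zfill` never truncates, such an operand comes out longer than `arg_n`, giving a vector whose operands and modulus have different limb counts. The visible subclass skips those inputs itself (`if i >= n: continue` in `bignum_mod_raw.py`), so the assumption holds today but is unstated. Either enforce it where the object is built, `if self.int_a >= self.int_n: raise ValueError("Operand A must be smaller than the modulus!")`, or record in the class docstring that operands must already be reduced modulo N.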
@@ -111,12 +112,8 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, descr_tpl = '{} #{} N: \"{}\" A: \"{}\".' def result(self) -> List[str]: - return [self.hex_x] - - def arguments(self) -> List[str]: - return [bignum_common.quote_str(n) for n in [self.arg_n, - self.arg_a, - self.hex_x]] + result = (self.int_a * self.r) % self.int_n + return [self.format_result(result)] def description(self) -> str: return self.descr_tpl.format(self.test_name, @@ -134,13 +131,6 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, continue yield cls(n, i, bits_in_limb=bil).create_test_case() - @property - def x(self) -> int: # pylint: disable=invalid-name - return (self.int_a * self.r) % self.int_n - - @property - def hex_x(self) -> str: - return "{:x}".format(self.x).zfill(self.hex_digits) class BignumModRawConvertFromMont(BignumModRawConvertToMont): """ Test cases for mpi_mod_raw_from_mont_rep(). """ @@ -169,9 +159,11 @@ class BignumModRawConvertFromMont(BignumModRawConvertToMont): "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627" ] - @property - def x(self): # pylint: disable=invalid-name - return (self.int_a * self.r_inv) % self.int_n + def result(self) -> List[str]: + result = (self.int_a * self.r_inv) % self.int_n + return [self.format_result(result)] + + # END MERGE SLOT 7 # BEGIN MERGE SLOT 8 From 939621f8ed6803f2967568a3d70582ba27e85e07 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 18 Nov 2022 18:15:24 +0000 Subject: [PATCH 244/413] Bignum tests: add support for filtering Sometimes we don't want all possible combinations of the input data and sometimes not all combinations make sense. We are adding a convenient way to decide on a case by case basis. Now child classes only need to implement the is_valid method and the invalid cases will be filtered out automatically. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) 
diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index ecff206a3d..b22846b710 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -172,6 +172,10 @@ class OperationCommon(test_data_generation.BaseTest): ) return super().description() + @property + def is_valid(self) -> bool: + return True + @abstractmethod def result(self) -> List[str]: """Get the result of the operation. @@ -204,13 +208,18 @@ class OperationCommon(test_data_generation.BaseTest): raise ValueError("Unknown input style!") if cls.arity not in cls.arities: raise ValueError("Unsupported number of operands!") - for a_value, b_value in cls.get_value_pairs(): - if cls.input_style == "arch_split": - for bil in cls.limb_sizes: - yield cls(a_value, b_value, - bits_in_limb=bil).create_test_case() - else: - yield cls(a_value, b_value).create_test_case() + if cls.input_style == "arch_split": + test_objects = (cls(a_value, b_value, bits_in_limb=bil) + for a_value, b_value in cls.get_value_pairs() + for bil in cls.limb_sizes) + else: + test_objects = (cls(a_value, b_value) for + a_value, b_value in cls.get_value_pairs()) + yield from (valid_test_object.create_test_case() + for valid_test_object in filter( + lambda test_object: test_object.is_valid, + test_objects + )) class ModOperationCommon(OperationCommon): From c4fca5de3ebe5a586a4be591f32b4b641d6e558c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 19 Nov 2022 10:42:20 +0000 Subject: [PATCH 245/413] Bignum tests: automate modulo test object generation Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 37 +++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index b22846b710..7d7170d170 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
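Review bot: The `filter(lambda test_object: test_object.is_valid, test_objects)` wrapped in a generator expression at the end of `generate_function_tests` is the long form of a conditional comprehension; `yield from (obj.create_test_case() for obj in test_objects if obj.is_valid)` says the same in one line and drops the lambda. `is_valid` is introduced as a `@property` that returns `True` with no docstring; a one-liner such as `"""Whether this input combination should produce a test case; subclasses override to skip meaningless inputs."""` would make the hook discoverable from the code rather than only from the commit message.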
@@ -209,12 +209,12 @@ class OperationCommon(test_data_generation.BaseTest): if cls.arity not in cls.arities: raise ValueError("Unsupported number of operands!") if cls.input_style == "arch_split": - test_objects = (cls(a_value, b_value, bits_in_limb=bil) - for a_value, b_value in cls.get_value_pairs() + test_objects = (cls(a, b, bits_in_limb=bil) + for a, b in cls.get_value_pairs() for bil in cls.limb_sizes) else: - test_objects = (cls(a_value, b_value) for - a_value, b_value in cls.get_value_pairs()) + test_objects = (cls(a, b) + for a, b in cls.get_value_pairs()) yield from (valid_test_object.create_test_case() for valid_test_object in filter( lambda test_object: test_object.is_valid, @@ -225,6 +225,7 @@ class OperationCommon(test_data_generation.BaseTest): class ModOperationCommon(OperationCommon): #pylint: disable=abstract-method """Target for bignum mod_raw test case generation.""" + moduli = [] # type: List[str] def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: 
@@ -258,6 +259,34 @@ class ModOperationCommon(OperationCommon): def r2(self) -> int: # pylint: disable=invalid-name return pow(self.r, 2) + @property + def is_valid(self) -> bool: + if self.int_a >= self.int_n: + return False + if self.arity == 2 and self.int_b >= self.int_n: + return False + return True + + @classmethod + def generate_function_tests(cls) -> Iterator[test_case.TestCase]: + if cls.input_style not in cls.input_styles: + raise ValueError("Unknown input style!") + if cls.arity not in cls.arities: + raise ValueError("Unsupported number of operands!") + if cls.input_style == "arch_split": + test_objects = (cls(n, a, b, bits_in_limb=bil) + for n in cls.moduli + for a, b in cls.get_value_pairs() + for bil in cls.limb_sizes) + else: + test_objects = (cls(n, a, b) + for n in cls.moduli + for a, b in cls.get_value_pairs()) + yield from (valid_test_object.create_test_case() + for valid_test_object in filter( + lambda test_object: test_object.is_valid, + test_objects + )) # BEGIN MERGE SLOT 1 From 98edf21bb4bb33b1dc2b6a62f0eca204b4160c48 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 19 Nov 2022 12:48:17 +0000 Subject: [PATCH 246/413] Bignum test: remove type restrictrion The special case list type depends on the arity and the subclass. Remove type restriction to make defining special case lists more flexible and natural. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 16 +++++++++++----- scripts/mbedtls_dev/bignum_core.py | 10 ++++++++++ 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 7d7170d170..ed321d7c3e 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
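Review bot: `ModOperationCommon.generate_function_tests` repeats the whole body of the base-class method from PATCH 244 (both `ValueError` checks, the `arch_split` branch and the `filter(...)` yield) and differs only in the arguments handed to `cls(...)`. Moving object construction into an overridable classmethod that the base method calls would leave a single copy of the validation and filtering logic, which the next two commits then would not have to patch in two places. The `is_valid` override also lacks a docstring; since the `>=` comparisons reject any operand that is not a reduced residue, `"""Operands must already be reduced modulo N; any value >= N is not a valid mod_raw input."""` states the rule the comparisons encode.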
@@ -15,7 +15,8 @@ # limitations under the License. from abc import abstractmethod -from typing import Iterator, List, Tuple, TypeVar +from typing import Iterator, List, Tuple, TypeVar, Any +from itertools import chain from . import test_case from . import test_data_generation @@ -90,7 +91,7 @@ class OperationCommon(test_data_generation.BaseTest): """ symbol = "" input_values = [] # type: List[str] - input_cases = [] # type: List[Tuple[str, str]] + input_cases = [] # type: List[Any] unique_combinations_only = True input_styles = ["variable", "arch_split"] # type: List[str] input_style = "variable" # type: str @@ -200,7 +201,6 @@ class OperationCommon(test_data_generation.BaseTest): for a in cls.input_values for b in cls.input_values ) - yield from cls.input_cases @classmethod def generate_function_tests(cls) -> Iterator[test_case.TestCase]: @@ -212,14 +212,20 @@ class OperationCommon(test_data_generation.BaseTest): test_objects = (cls(a, b, bits_in_limb=bil) for a, b in cls.get_value_pairs() for bil in cls.limb_sizes) + special_cases = (cls(*args, bits_in_limb=bil) # type: ignore + for args in cls.input_cases + for bil in cls.limb_sizes) else: test_objects = (cls(a, b) for a, b in cls.get_value_pairs()) + special_cases = (cls(*args) for args in cls.input_cases) yield from (valid_test_object.create_test_case() for valid_test_object in filter( lambda test_object: test_object.is_valid, - test_objects - )) + chain(test_objects, special_cases) + ) + ) + class ModOperationCommon(OperationCommon): diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index 48390b98cb..1bfc652efb 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py 
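Review bot: With `yield from cls.input_cases` removed from `get_value_pairs`, `input_cases` now holds complete positional constructor-argument tuples unpacked by `cls(*args, ...)` rather than `(a, b)` pairs, yet the only trace of that in the code is the loosened `# type: List[Any]` and the `# type: ignore` on the `arch_split` branch. A comment beside the attribute, e.g. `input_cases = []  # type: List[Any]  # tuples of positional ctor args; layout depends on subclass arity`, would keep subclass authors from guessing the layout. The plain `special_cases = (cls(*args) for args in cls.input_cases)` branch has no matching `# type: ignore`; if the checker accepts that call it should accept the other, so the ignore may be stale or may be needed on both.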
@@ -243,6 +243,16 @@ class BignumCoreMLA(BignumCoreOperation): "\"{:x}\"".format(carry_8) ] + @classmethod + def get_value_pairs(cls) -> Iterator[Tuple[str, str]]: + """Generator to yield pairs of inputs. + + Combinations are first generated from all input values, and then + specific cases provided. + """ + yield from super().get_value_pairs() + yield from cls.input_cases + @classmethod def generate_function_tests(cls) -> Iterator[test_case.TestCase]: """Override for additional scalar input.""" From 435b305a491853c7b477f5b012c226832574104e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 19 Nov 2022 14:18:02 +0000 Subject: [PATCH 247/413] Bignum tests: add special cases to mod Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index ed321d7c3e..6fd42d1e7f 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -273,6 +273,15 @@ class ModOperationCommon(OperationCommon): return False return True + @classmethod + def input_cases_args(cls) -> Iterator[Tuple[Any, Any, Any]]: + if cls.arity == 1: + yield from ((n, a, "0") for a, n in cls.input_cases) + elif cls.arity == 2: + yield from ((n, a, b) for a, b, n in cls.input_cases) + else: + raise ValueError("Unsupported number of operands!") + @classmethod def generate_function_tests(cls) -> Iterator[test_case.TestCase]: if cls.input_style not in cls.input_styles: 
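Review bot: `BignumCoreMLA.get_value_pairs` re-adds `yield from cls.input_cases`, while the base `generate_function_tests` changed in the same commit now also routes `cls.input_cases` through `special_cases`; if MLA's own `generate_function_tests` override, which begins at the end of this hunk and continues outside it, ever defers to the base implementation, every special case would be emitted twice. A comment on the override such as `# MLA consumes input_cases itself via get_value_pairs; do not chain to super().generate_function_tests()` would pin that contract. The docstring sentence 'Combinations are first generated from all input values, and then specific cases provided.' is copied verbatim from the base method; rewording it to say why MLA alone keeps this behaviour would make the divergence deliberate rather than accidental.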
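Review bot: `input_cases_args` silently re-orders fields: `input_cases` rows are read as `(a, n)` or `(a, b, n)` with the modulus last, and emitted as `(n, a, b)` to match `ModOperationCommon.__init__(val_n, val_a, val_b)`. Nothing in the hunk states that convention, so a subclass listing its special cases modulus-first will quietly produce wrong vectors that may still pass `is_valid`. A docstring such as `"""Convert input_cases rows (operands first, modulus last) into (n, a, b) constructor args."""` is the cheapest fix. The trailing `raise ValueError("Unsupported number of operands!")` duplicates the arity check `generate_function_tests` performs before iterating (next hunk); a short comment noting it guards direct callers would explain why both exist.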
@@ -284,14 +293,18 @@ class ModOperationCommon(OperationCommon): for n in cls.moduli for a, b in cls.get_value_pairs() for bil in cls.limb_sizes) + special_cases = (cls(*args, bits_in_limb=bil) + for args in cls.input_cases_args() + for bil in cls.limb_sizes) else: test_objects = (cls(n, a, b) for n in cls.moduli for a, b in cls.get_value_pairs()) + special_cases = (cls(*args) for args in cls.input_cases_args()) yield from (valid_test_object.create_test_case() for valid_test_object in filter( lambda test_object: test_object.is_valid, - test_objects + chain(test_objects, special_cases) )) # BEGIN MERGE SLOT 1 From 284672ccfb23b7a62aa730cc86012722cd794f85 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 19 Nov 2022 14:55:43 +0000 Subject: [PATCH 248/413] Bignum tests: complete support for unary operators There are no intended changes to generated tests. (The ordering of tests in the mod_raw module has changed.) Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 19 ++-- scripts/mbedtls_dev/bignum_mod_raw.py | 149 ++++++++++++-------------- 2 files changed, 81 insertions(+), 87 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 6fd42d1e7f..318e25ca12 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
@@ -193,14 +193,19 @@ class OperationCommon(test_data_generation.BaseTest): Combinations are first generated from all input values, and then specific cases provided. """ - if cls.unique_combinations_only: - yield from combination_pairs(cls.input_values) + if cls.arity == 1: + yield from ((a, "0") for a in cls.input_values) + elif cls.arity == 2: + if cls.unique_combinations_only: + yield from combination_pairs(cls.input_values) + else: + yield from ( + (a, b) + for a in cls.input_values + for b in cls.input_values + ) else: - yield from ( - (a, b) - for a in cls.input_values - for b in cls.input_values - ) + raise ValueError("Unsupported number of operands!") @classmethod def generate_function_tests(cls) -> Iterator[test_case.TestCase]: diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 6c217c235d..087c8dc87d 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py @@ -14,9 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -from typing import Dict, Iterator, List +from typing import Dict, List -from . import test_case from . import test_data_generation from . import bignum_common 
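Review bot: The docstring shown as context at the top of `get_value_pairs`, 'Combinations are first generated from all input values, and then specific cases provided.', no longer describes the body: `yield from cls.input_cases` was removed in PATCH 246 and special cases now flow through `generate_function_tests`. Since this hunk rewrites the whole body it is the natural place to reword it, e.g. `"""Yield (a, b) operand pairs from input_values; for arity 1, b is the placeholder "0"."""`. The new `else: raise ValueError("Unsupported number of operands!")` mirrors the check `generate_function_tests` already makes before calling this method; a comment that it guards direct callers would make the duplication intentional.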
@@ -59,55 +58,55 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, input_style = "arch_split" arity = 1 - test_data_moduli = ["b", - "fd", - "eeff99aa37", - "eeff99aa11", - "800000000005", - "7fffffffffffffff", - "80fe000a10000001", - "25a55a46e5da99c71c7", - "1058ad82120c3a10196bb36229c1", - "7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f" - "18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a" - "98df75154f8c914a282f8b", - "8335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63", - "ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f" - "2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a6" - "4d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2" - "deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d" - "6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a0" - "7e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d389" - "8c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6" - "bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3a" - "d4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181d" - "b8896f33bb12e6ef73f12ec5c5ea7a8a337" - ] + moduli = ["b", + "fd", + "eeff99aa37", + "eeff99aa11", + "800000000005", + "7fffffffffffffff", + "80fe000a10000001", + "25a55a46e5da99c71c7", + "1058ad82120c3a10196bb36229c1", + "7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f" + "18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a" + "98df75154f8c914a282f8b", + "8335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63", + "ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f" + "2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a6" + "4d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2" + "deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d" + "6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a0" + "7e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d389" + "8c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6" + "bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3a" + "d4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181d" + 
"b8896f33bb12e6ef73f12ec5c5ea7a8a337" + ] - test_input_numbers = ["0", - "1", - "97", - "f5", - "6f5c3", - "745bfe50f7", - "ffa1f9924123", - "334a8b983c79bd", - "5b84f632b58f3461", - "19acd15bc38008e1", - "ffffffffffffffff", - "54ce6a6bb8247fa0427cfc75a6b0599", - "fecafe8eca052f154ce6a6bb8247fa019558bfeecce9bb9", - "a87d7a56fa4bfdc7da42ef798b9cf6843d4c54794698cb14d72" - "851dec9586a319f4bb6d5695acbd7c92e7a42a5ede6972adcbc" - "f68425265887f2d721f462b7f1b91531bac29fa648facb8e3c6" - "1bd5ae42d5a59ba1c89a95897bfe541a8ce1d633b98f379c481" - "6f25e21f6ac49286b261adb4b78274fe5f61c187581f213e84b" - "2a821e341ef956ecd5de89e6c1a35418cd74a549379d2d4594a" - "577543147f8e35b3514e62cf3e89d1156cdc91ab5f4c928fbd6" - "9148c35df5962fed381f4d8a62852a36823d5425f7487c13a12" - "523473fb823aa9d6ea5f42e794e15f2c1a8785cf6b7d51a4617" - "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185" - ] + input_values = ["0", + "1", + "97", + "f5", + "6f5c3", + "745bfe50f7", + "ffa1f9924123", + "334a8b983c79bd", + "5b84f632b58f3461", + "19acd15bc38008e1", + "ffffffffffffffff", + "54ce6a6bb8247fa0427cfc75a6b0599", + "fecafe8eca052f154ce6a6bb8247fa019558bfeecce9bb9", + "a87d7a56fa4bfdc7da42ef798b9cf6843d4c54794698cb14d72" + "851dec9586a319f4bb6d5695acbd7c92e7a42a5ede6972adcbc" + "f68425265887f2d721f462b7f1b91531bac29fa648facb8e3c6" + "1bd5ae42d5a59ba1c89a95897bfe541a8ce1d633b98f379c481" + "6f25e21f6ac49286b261adb4b78274fe5f61c187581f213e84b" + "2a821e341ef956ecd5de89e6c1a35418cd74a549379d2d4594a" + "577543147f8e35b3514e62cf3e89d1156cdc91ab5f4c928fbd6" + "9148c35df5962fed381f4d8a62852a36823d5425f7487c13a12" + "523473fb823aa9d6ea5f42e794e15f2c1a8785cf6b7d51a4617" + "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185" + ] descr_tpl = '{} #{} N: \"{}\" A: \"{}\".' 
@@ -121,16 +120,6 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, self.int_n, self.int_a) - @classmethod - def generate_function_tests(cls) -> Iterator[test_case.TestCase]: - for bil in [32, 64]: - for n in cls.test_data_moduli: - for i in cls.test_input_numbers: - # Skip invalid combinations where A.limbs > N.limbs - if bignum_common.hex_to_int(i) > bignum_common.hex_to_int(n): - continue - yield cls(n, i, bits_in_limb=bil).create_test_case() - class BignumModRawConvertFromMont(BignumModRawConvertToMont): """ Test cases for mpi_mod_raw_from_mont_rep(). """ 
@@ -138,26 +127,26 @@ class BignumModRawConvertFromMont(BignumModRawConvertToMont): test_function = "mpi_mod_raw_from_mont_rep" test_name = "Convert from Mont: " - test_input_numbers = ["0", - "1", - "3ca", - "539ed428", - "7dfe5c6beb35a2d6", - "dca8de1c2adfc6d7aafb9b48e", - "a7d17b6c4be72f3d5c16bf9c1af6fc933", - "2fec97beec546f9553142ed52f147845463f579", - "378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f", - "b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395a" - "b3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675" - "487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57" - "d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea" - "41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab3" - "58d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c" - "6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8" - "de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74" - "e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32" - "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627" - ] + input_values = ["0", + "1", + "3ca", + "539ed428", + "7dfe5c6beb35a2d6", + "dca8de1c2adfc6d7aafb9b48e", + "a7d17b6c4be72f3d5c16bf9c1af6fc933", + "2fec97beec546f9553142ed52f147845463f579", + "378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f", + "b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395a" + "b3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675" + "487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57" + "d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea" + "41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab3" + "58d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c" + "6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8" + "de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74" + "e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32" + "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627" + ] def result(self) -> List[str]: result = (self.int_a * self.r_inv) % self.int_n From 8ae7a657acb7e35b51de4c39c4e47aba4858a11e Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Sat, 19 Nov 2022 15:05:19 +0000 Subject: [PATCH 249/413] Bignum tests: improve mod descriptions There are no semantic changes to the generated tests. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 23 +++++++++++++++++++---- scripts/mbedtls_dev/bignum_mod_raw.py | 12 +++--------- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 318e25ca12..9e92b8e61a 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -168,9 +168,14 @@ class OperationCommon(test_data_generation.BaseTest): generated to provide some context to the test case. """ if not self.case_description: - self.case_description = "{:x} {} {:x}".format( - self.int_a, self.symbol, self.int_b - ) + if self.arity == 1: + self.case_description = "{} {:x}".format( + self.symbol, self.int_a + ) + elif self.arity == 2: + self.case_description = "{:x} {} {:x}".format( + self.int_a, self.symbol, self.int_b + ) return super().description() @property @@ -232,7 +237,6 @@ class OperationCommon(test_data_generation.BaseTest): ) - class ModOperationCommon(OperationCommon): #pylint: disable=abstract-method """Target for bignum mod_raw test case generation.""" @@ -278,6 +282,17 @@ class ModOperationCommon(OperationCommon): return False return True + def description(self) -> str: + """Generate a description for the test case. + + It uses the form A `symbol` B mod N, where symbol is used to represent + the operation. + """ + + if not self.case_description: + return super().description() + " mod {:x}".format(self.int_n) + return super().description() + @classmethod def input_cases_args(cls) -> Iterator[Tuple[Any, Any, Any]]: if cls.arity == 1: diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 087c8dc87d..b23fbb2dc8 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py 
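Review bot: `ModOperationCommon.description` appends ` mod N` only when `case_description` was empty before `super().description()` ran, i.e. only to auto-generated text, while an explicitly set description is returned untouched; the docstring gives the format but not this rule, so a caller setting `case_description` may expect the modulus to be appended. Add `An explicitly provided case_description is returned unchanged.` to the docstring and drop the blank line between the docstring and the first statement. In `OperationCommon.description` (first hunk) an arity outside {1, 2} now leaves `case_description` empty and falls through silently; arity is validated elsewhere, but an `else: raise ValueError("Unsupported number of operands!")` matching `get_value_pairs` would keep the two methods consistent.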
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py @@ -55,6 +55,7 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, test_function = "mpi_mod_raw_to_mont_rep" test_name = "Convert into Mont: " + symbol = "R *" input_style = "arch_split" arity = 1 @@ -108,24 +109,17 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon, "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185" ] - descr_tpl = '{} #{} N: \"{}\" A: \"{}\".' - def result(self) -> List[str]: result = (self.int_a * self.r) % self.int_n return [self.format_result(result)] - def description(self) -> str: - return self.descr_tpl.format(self.test_name, - self.count, - self.int_n, - self.int_a) - class BignumModRawConvertFromMont(BignumModRawConvertToMont): """ Test cases for mpi_mod_raw_from_mont_rep(). """ - + count = 0 test_function = "mpi_mod_raw_from_mont_rep" test_name = "Convert from Mont: " + symbol = "1/R *" input_values = ["0", "1", From a36e430251d855143267c2ea1185d13c7d8e3042 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 19 Nov 2022 15:55:53 +0000 Subject: [PATCH 250/413] Bignum tests: add support for fixed width input Only fixed width input_style uses the default value of the bits_in_limb parameter, so set it to 32 in order to have less leading zeroes. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index 9e92b8e61a..b68653a037 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
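Review bot: Re-declaring `count = 0` on `BignumModRawConvertFromMont` gives the subclass its own test counter instead of continuing the parent's numbering, which is presumably what the renumbered descriptions rely on, but nothing says so and a later tidy-up could remove it as redundant; `count = 0  # own counter: numbering must restart for this test function` would protect it. The new `symbol = "R *"` and `symbol = "1/R *"` feed the arity-1 format `"{} {:x}"`, so descriptions read `R * <a> mod <n>`; a one-line comment that R denotes the Montgomery radix would spare readers a trip to the class docstring.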
@@ -93,13 +93,13 @@ class OperationCommon(test_data_generation.BaseTest): input_values = [] # type: List[str] input_cases = [] # type: List[Any] unique_combinations_only = True - input_styles = ["variable", "arch_split"] # type: List[str] + input_styles = ["variable", "fixed", "arch_split"] # type: List[str] input_style = "variable" # type: str limb_sizes = [32, 64] # type: List[int] arities = [1, 2] arity = 2 - def __init__(self, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: + def __init__(self, val_a: str, val_b: str = "0", bits_in_limb: int = 32) -> None: self.val_a = val_a self.val_b = val_b # Setting the int versions here as opposed to making them @properties From b2a850c746ea475aaa22c7c26756d1eefdfd6883 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 20 Nov 2022 10:56:05 +0000 Subject: [PATCH 251/413] Bignum Tests: add test data The goal of this commit is to add some constants that can be used to define datasets and add test data in a more readable and reusable manner. All platforms using ECC need to support calculations with at least 192 bits, therefore constants for this length are added. We are not using a curve prime as those will be tested elsewhere and it is better not to play favourites. All platforms using RSA or FFDH need to support calculations with at least 1024 bits, therefore numbers of this size are added too. A safe prime is added for both sizes as it makes all elements generators (except 0 and 1 of course), which in turn makes some tests more effective. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_data.py | 109 +++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 scripts/mbedtls_dev/bignum_data.py diff --git a/scripts/mbedtls_dev/bignum_data.py b/scripts/mbedtls_dev/bignum_data.py new file mode 100644 index 0000000000..78fbb8c049 --- /dev/null +++ b/scripts/mbedtls_dev/bignum_data.py 
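Review bot: The default `bits_in_limb` is changed to 32 only on `OperationCommon.__init__`; `ModOperationCommon.__init__(self, val_n, val_a, val_b="0", bits_in_limb=64)` (visible as context in PATCH 252) keeps 64, so fixed-width mod tests would still be padded to 64-bit limbs, contrary to the rationale in the commit message. Either change both signatures or set the subclass default explicitly to `bits_in_limb: int = 32` as well. Adding `"fixed"` to `input_styles` without a branch in `generate_function_tests` sends it down the non-`arch_split` path together with `"variable"`; a comment stating that the two styles differ only in how results are formatted downstream would confirm that this routing is intended.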
@@ -0,0 +1,109 @@ +"""Base values and datasets for bignum generated tests and helper functions that +produced them.""" +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import random + +# Functions calling these were used to produce test data and are here only for +# reproducability, they are not used by the test generation framework/classes +try: + from Cryptodome.Util.number import isPrime, getPrime #type: ignore #pylint: disable=import-error +except ImportError: + pass + +# Generated by bignum_common.gen_safe_prime(192,1) +SAFE_PRIME_192_BIT_SEED_1 = "d1c127a667786703830500038ebaef20e5a3e2dc378fb75b" + +# First number generated by random.getrandbits(192) - seed(2,2), not a prime +RANDOM_192_BIT_SEED_2_NO1 = "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973" + +# Second number generated by random.getrandbits(192) - seed(2,2), not a prime +RANDOM_192_BIT_SEED_2_NO2 = "cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd" + +# Third number generated by random.getrandbits(192) - seed(2,2), not a prime +RANDOM_192_BIT_SEED_2_NO3 = "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f" + +# Fourth number generated by random.getrandbits(192) - seed(2,2), not a prime +RANDOM_192_BIT_SEED_2_NO4 = "ffed9235288bc781ae66267594c9c9500925e4749b575bd1" + +# Ninth number generated by random.getrandbits(192) - seed(2,2), not a prime +RANDOM_192_BIT_SEED_2_NO9 = "2a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f" + 
+# Generated by bignum_common.gen_safe_prime(1024,3) +SAFE_PRIME_1024_BIT_SEED_3 = ("c93ba7ec74d96f411ba008bdb78e63ff11bb5df46a51e16b" + "2c9d156f8e4e18abf5e052cb01f47d0d1925a77f60991577" + "e128fb6f52f34a27950a594baadd3d8057abeb222cf3cca9" + "62db16abf79f2ada5bd29ab2f51244bf295eff9f6aaba130" + "2efc449b128be75eeaca04bc3c1a155d11d14e8be32a2c82" + "87b3996cf6ad5223") + +# First number generated by random.getrandbits(1024) - seed(4,2), not a prime +RANDOM_1024_BIT_SEED_4_NO1 = ("6905269ed6f0b09f165c8ce36e2f24b43000de01b2ed40ed" + "3addccb2c33be0ac79d679346d4ac7a5c3902b38963dc6e8" + "534f45738d048ec0f1099c6c3e1b258fd724452ccea71ff4" + "a14876aeaff1a098ca5996666ceab360512bd13110722311" + "710cf5327ac435a7a97c643656412a9b8a1abcd1a6916c74" + "da4f9fc3c6da5d7") + +# Second number generated by random.getrandbits(1024) - seed(4,2), not a prime +RANDOM_1024_BIT_SEED_4_NO2 = ("f1cfd99216df648647adec26793d0e453f5082492d83a823" + "3fb62d2c81862fc9634f806fabf4a07c566002249b191bf4" + "d8441b5616332aca5f552773e14b0190d93936e1daca3c06" + "f5ff0c03bb5d7385de08caa1a08179104a25e4664f5253a0" + "2a3187853184ff27459142deccea264542a00403ce80c4b0" + "a4042bb3d4341aad") + +# Third number generated by random.getrandbits(1024) - seed(4,2), not a prime +RANDOM_1024_BIT_SEED_4_NO3 = ("14c15c910b11ad28cc21ce88d0060cc54278c2614e1bcb38" + "3bb4a570294c4ea3738d243a6e58d5ca49c7b59b995253fd" + "6c79a3de69f85e3131f3b9238224b122c3e4a892d9196ada" + "4fcfa583e1df8af9b474c7e89286a1754abcb06ae8abb93f" + "01d89a024cdce7a6d7288ff68c320f89f1347e0cdd905ecf" + "d160c5d0ef412ed6") + +# Fourth number generated by random.getrandbits(1024) - seed(4,2), not a prime +RANDOM_1024_BIT_SEED_4_NO4 = ("32decd6b8efbc170a26a25c852175b7a96b98b5fbf37a2be" + "6f98bca35b17b9662f0733c846bbe9e870ef55b1a1f65507" + "a2909cb633e238b4e9dd38b869ace91311021c9e32111ac1" + "ac7cc4a4ff4dab102522d53857c49391b36cc9aa78a330a1" + "a5e333cb88dcf94384d4cd1f47ca7883ff5a52f1a05885ac" + "7671863c0bdbc23a") + +# Fifth number generated by 
random.getrandbits(1024) - seed(4,2), not a prime +RANDOM_1024_BIT_SEED_4_NO5 = ("53be4721f5b9e1f5acdac615bc20f6264922b9ccf469aef8" + "f6e7d078e55b85dd1525f363b281b8885b69dc230af5ac87" + "0692b534758240df4a7a03052d733dcdef40af2e54c0ce68" + "1f44ebd13cc75f3edcb285f89d8cf4d4950b16ffc3e1ac3b" + "4708d9893a973000b54a23020fc5b043d6e4a51519d9c9cc" + "52d32377e78131c1") + +def __gen_safe_prime(bits, seed): + ''' + Generate a safe prime. + + This function is intended for generating constants offline and shouldn't be + used in test generation classes. + + Requires pycryptodomex for getPrime and isPrime and python 3.9 or later for + randbytes. + ''' + rng = random.Random() + # We want reproducability across python versions + rng.seed(seed, version=2) + while True: + prime = 2*getPrime(bits-1, rng.randbytes)+1 #pylint: disable=no-member + if isPrime(prime, 1e-30): + return prime From dac44e6021f0653352ef81611738f8cbf432543d Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 20 Nov 2022 11:58:12 +0000 Subject: [PATCH 252/413] Bignum tests: add default datasets Add data for small values, 192 bit and 1024 bit values, primes, non-primes odd, even, and some typical corner cases. All subclasses override this for the time being so there are no changes to the test cases. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 5 +++-- scripts/mbedtls_dev/bignum_data.py | 27 +++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index b68653a037..e03c1c3f8a 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py @@ -20,6 +20,7 @@ from itertools import chain from . import test_case from . import test_data_generation +from .bignum_data import INPUTS_DEFAULT, MODULI_DEFAULT T = TypeVar('T') #pylint: disable=invalid-name 
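Review bot: The provenance comments read `Generated by bignum_common.gen_safe_prime(192,1)`, but the generator is defined in this very file as `__gen_safe_prime`, so the recipe for reproducing the constants names a function that does not exist under that name; update them to `bignum_data.__gen_safe_prime(192, 1)` (and `(1024, 3)`). Because the `Cryptodome` import failure is swallowed by `except ImportError: pass`, calling `__gen_safe_prime` without pycryptodomex dies with an opaque `NameError` on `getPrime`; raising `ImportError("pycryptodomex is required to regenerate constants")` inside the function would make the failure self-explanatory. The `1e-30` passed to `isPrime` is its false-positive probability bound and `rng.randbytes` is why 3.9 is required; a short comment on that line would save readers a lookup.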
@@ -90,7 +91,7 @@ class OperationCommon(test_data_generation.BaseTest): values are 1 and 2. """ symbol = "" - input_values = [] # type: List[str] + input_values = INPUTS_DEFAULT # type: List[str] input_cases = [] # type: List[Any] unique_combinations_only = True input_styles = ["variable", "fixed", "arch_split"] # type: List[str] @@ -240,7 +241,7 @@ class OperationCommon(test_data_generation.BaseTest): class ModOperationCommon(OperationCommon): #pylint: disable=abstract-method """Target for bignum mod_raw test case generation.""" - moduli = [] # type: List[str] + moduli = MODULI_DEFAULT # type: List[str] def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None: diff --git a/scripts/mbedtls_dev/bignum_data.py b/scripts/mbedtls_dev/bignum_data.py index 78fbb8c049..74d21d0ca5 100644 --- a/scripts/mbedtls_dev/bignum_data.py +++ b/scripts/mbedtls_dev/bignum_data.py 
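Review bot: `input_values = INPUTS_DEFAULT` and `moduli = MODULI_DEFAULT` bind class attributes directly to module-level lists, so any subclass or helper that later calls `cls.input_values.append(...)` or `.extend(...)` in place would change the shared default for every generator class in the process. Subclasses in this series reassign rather than mutate, so there is no bug today, but copying at the binding (`input_values = list(INPUTS_DEFAULT)  # type: List[str]`) removes the hazard while keeping the annotation valid.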
@@ -90,6 +90,33 @@ RANDOM_1024_BIT_SEED_4_NO5 = ("53be4721f5b9e1f5acdac615bc20f6264922b9ccf469aef8" "4708d9893a973000b54a23020fc5b043d6e4a51519d9c9cc" "52d32377e78131c1") +# Adding 192 bit and 1024 bit numbers because these are the shortest required +# for ECC and RSA respectively. +INPUTS_DEFAULT = [ + "0", "1", # corner cases + "2", "3", # small primes + "4", # non-prime even + "38", # small random + SAFE_PRIME_192_BIT_SEED_1, # prime + RANDOM_192_BIT_SEED_2_NO1, # not a prime + RANDOM_192_BIT_SEED_2_NO2, # not a prime + SAFE_PRIME_1024_BIT_SEED_3, # prime + RANDOM_1024_BIT_SEED_4_NO1, # not a prime + RANDOM_1024_BIT_SEED_4_NO3, # not a prime + RANDOM_1024_BIT_SEED_4_NO2, # largest (not a prime) + ] + +# Only odd moduli are present as in the new bignum code only odd moduli are +# supported for now. +MODULI_DEFAULT = [ + "53", # safe prime + "45", # non-prime + SAFE_PRIME_192_BIT_SEED_1, # safe prime + RANDOM_192_BIT_SEED_2_NO4, # not a prime + SAFE_PRIME_1024_BIT_SEED_3, # safe prime + RANDOM_1024_BIT_SEED_4_NO5, # not a prime + ] + def __gen_safe_prime(bits, seed): ''' Generate a safe prime. From be5e7aea7ceefc27dd69f405da1ed76170ba231c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 20 Nov 2022 12:45:58 +0000 Subject: [PATCH 253/413] Bignum tests: remove deprecated dataset Remove old dataset that was overriding the defaults in bignum_core. This will change the datasets for core_sub and core_add to the default inherited from bignum_common. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_core.py | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index 1bfc652efb..deff6a8a6c 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py 
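Review bot: The `INPUTS_DEFAULT` and `MODULI_DEFAULT` entries are hexadecimal strings, but neither comment header says so, and the labels only hold under that reading: `"53"` is 0x53 = 83, a safe prime because (83-1)/2 = 41 is prime, whereas decimal 53 is prime but not safe; `"45"` is 0x45 = 69 = 3·23. A line such as `# All values are hexadecimal strings (parsed elsewhere, e.g. bignum_common.hex_to_int).` above each list would stop a maintainer from adding a decimal-looking value. The `# largest (not a prime)` tag on `RANDOM_1024_BIT_SEED_4_NO2` explains why it follows NO3; `# largest value, deliberately kept last (not a prime)` makes the ordering explicitly intentional.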
@@ -107,31 +107,9 @@ class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest): .create_test_case()) -INPUT_VALUES = [ - "0", "1", "3", "f", "fe", "ff", "100", "ff00", "fffe", "ffff", "10000", - "fffffffe", "ffffffff", "100000000", "1f7f7f7f7f7f7f", - "8000000000000000", "fefefefefefefefe", "fffffffffffffffe", - "ffffffffffffffff", "10000000000000000", "1234567890abcdef0", - "fffffffffffffffffefefefefefefefe", "fffffffffffffffffffffffffffffffe", - "ffffffffffffffffffffffffffffffff", "100000000000000000000000000000000", - "1234567890abcdef01234567890abcdef0", - "fffffffffffffffffffffffffffffffffffffffffffffffffefefefefefefefe", - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe", - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "10000000000000000000000000000000000000000000000000000000000000000", - "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0", - ( - "4df72d07b4b71c8dacb6cffa954f8d88254b6277099308baf003fab73227f34029" - "643b5a263f66e0d3c3fa297ef71755efd53b8fb6cb812c6bbf7bcf179298bd9947" - "c4c8b14324140a2c0f5fad7958a69050a987a6096e9f055fb38edf0c5889eca4a0" - "cfa99b45fbdeee4c696b328ddceae4723945901ec025076b12b" - ) -] - class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon): #pylint: disable=abstract-method """Common features for bignum core operations.""" - input_values = INPUT_VALUES class BignumCoreAddAndAddIf(BignumCoreOperation): From 76c21bd2421cd8ecb0bcd31c095399f31cb9da2e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 20 Nov 2022 12:52:53 +0000 Subject: [PATCH 254/413] Bignum tests: flatten class hierarchy in _core There is no semantic changes to the generated tests, the order of the test blocks has changed. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_core.py | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) 
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index deff6a8a6c..806e131935 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py @@ -107,12 +107,7 @@ class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest): .create_test_case()) -class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon): - #pylint: disable=abstract-method - """Common features for bignum core operations.""" - - -class BignumCoreAddAndAddIf(BignumCoreOperation): +class BignumCoreAddAndAddIf(BignumCoreTarget, bignum_common.OperationCommon): """Test cases for bignum core add and add-if.""" count = 0 symbol = "+" @@ -131,7 +126,7 @@ class BignumCoreAddAndAddIf(BignumCoreOperation): ] -class BignumCoreSub(BignumCoreOperation): +class BignumCoreSub(BignumCoreTarget, bignum_common.OperationCommon): """Test cases for bignum core sub.""" count = 0 symbol = "-" @@ -157,7 +152,7 @@ class BignumCoreSub(BignumCoreOperation): ] -class BignumCoreMLA(BignumCoreOperation): +class BignumCoreMLA(BignumCoreTarget, bignum_common.OperationCommon): """Test cases for fixed-size multiply accumulate.""" count = 0 test_function = "mpi_core_mla" From f45797652fef6a53a11bd760c76e3f987f03a901 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 20 Nov 2022 13:32:54 +0000 Subject: [PATCH 255/413] Bignum tests: set unique combinations off by default Normally we need all the combinations, unique combinations make sense only if the operation is commutative. No changes to generated tests. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_common.py | 2 +- scripts/mbedtls_dev/bignum_core.py | 3 +-- tests/scripts/generate_bignum_tests.py | 1 + 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py index e03c1c3f8a..67ea78db46 100644 --- a/scripts/mbedtls_dev/bignum_common.py +++ b/scripts/mbedtls_dev/bignum_common.py 
@@ -93,7 +93,7 @@ class OperationCommon(test_data_generation.BaseTest): symbol = "" input_values = INPUTS_DEFAULT # type: List[str] input_cases = [] # type: List[Any] - unique_combinations_only = True + unique_combinations_only = False input_styles = ["variable", "fixed", "arch_split"] # type: List[str] input_style = "variable" # type: str limb_sizes = [32, 64] # type: List[int] diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index 806e131935..4910daea87 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py @@ -114,6 +114,7 @@ class BignumCoreAddAndAddIf(BignumCoreTarget, bignum_common.OperationCommon): test_function = "mpi_core_add_and_add_if" test_name = "mpi_core_add_and_add_if" input_style = "arch_split" + unique_combinations_only = True def result(self) -> List[str]: result = self.int_a + self.int_b @@ -132,7 +133,6 @@ class BignumCoreSub(BignumCoreTarget, bignum_common.OperationCommon): symbol = "-" test_function = "mpi_core_sub" test_name = "mbedtls_mpi_core_sub" - unique_combinations_only = False def result(self) -> List[str]: if self.int_a >= self.int_b: @@ -157,7 +157,6 @@ class BignumCoreMLA(BignumCoreTarget, bignum_common.OperationCommon): count = 0 test_function = "mpi_core_mla" test_name = "mbedtls_mpi_core_mla" - unique_combinations_only = False input_values = [ "0", "1", "fffe", "ffffffff", "100000000", "20000000000000", diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index 89d0ac29e0..c3058e98a9 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py @@ -78,6 +78,7 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABCMeta): #pylint: disable=abstract-method """Common features for bignum operations in legacy tests.""" + unique_combinations_only = True input_values = [ "", "0", "-", "-0", "7b", "-7b", 
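Review bot: The flipped default `unique_combinations_only = False` in OperationCommon carries no explanation of when a subclass should turn it back on, although the commit message states the rule (only a commutative operation can drop the mirrored (a, b)/(b, a) pairs). Keeping that rule next to the knob would stop a future subclass from enabling it for a non-commutative operation and silently halving its coverage, e.g. `unique_combinations_only = False  # set True only for commutative operations`. The `= True` lines added in bignum_core.py and generate_bignum_tests.py on this page are the two places that rule currently applies.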
From f352c67bc30e48c4162126f340e247d5835b8627 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sun, 20 Nov 2022 13:40:25 +0000 Subject: [PATCH 256/413] Bignum tests: use default dataset in mod_raw While at it, flatten class hierarchy as well. Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_mod_raw.py | 79 ++------------------------- 1 file changed, 5 insertions(+), 74 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index b23fbb2dc8..60f2feded6 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
@@ -49,98 +49,29 @@ class BignumModRawTarget(test_data_generation.BaseTarget): # END MERGE SLOT 6 # BEGIN MERGE SLOT 7 + class BignumModRawConvertToMont(bignum_common.ModOperationCommon, BignumModRawTarget): """ Test cases for mpi_mod_raw_to_mont_rep(). """ - test_function = "mpi_mod_raw_to_mont_rep" test_name = "Convert into Mont: " symbol = "R *" input_style = "arch_split" arity = 1 - moduli = ["b", - "fd", - "eeff99aa37", - "eeff99aa11", - "800000000005", - "7fffffffffffffff", - "80fe000a10000001", - "25a55a46e5da99c71c7", - "1058ad82120c3a10196bb36229c1", - "7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f" - "18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a" - "98df75154f8c914a282f8b", - "8335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63", - "ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f" - "2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a6" - "4d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2" - "deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d" - "6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a0" - "7e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d389" - "8c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6" - "bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3a" - "d4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181d" - "b8896f33bb12e6ef73f12ec5c5ea7a8a337" - ] - - input_values = ["0", - "1", - "97", - "f5", - "6f5c3", - "745bfe50f7", - "ffa1f9924123", - "334a8b983c79bd", - "5b84f632b58f3461", - "19acd15bc38008e1", - "ffffffffffffffff", - "54ce6a6bb8247fa0427cfc75a6b0599", - "fecafe8eca052f154ce6a6bb8247fa019558bfeecce9bb9", - "a87d7a56fa4bfdc7da42ef798b9cf6843d4c54794698cb14d72" - "851dec9586a319f4bb6d5695acbd7c92e7a42a5ede6972adcbc" - "f68425265887f2d721f462b7f1b91531bac29fa648facb8e3c6" - "1bd5ae42d5a59ba1c89a95897bfe541a8ce1d633b98f379c481" - "6f25e21f6ac49286b261adb4b78274fe5f61c187581f213e84b" - "2a821e341ef956ecd5de89e6c1a35418cd74a549379d2d4594a" - "577543147f8e35b3514e62cf3e89d1156cdc91ab5f4c928fbd6" - 
"9148c35df5962fed381f4d8a62852a36823d5425f7487c13a12" - "523473fb823aa9d6ea5f42e794e15f2c1a8785cf6b7d51a4617" - "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185" - ] - def result(self) -> List[str]: result = (self.int_a * self.r) % self.int_n return [self.format_result(result)] -class BignumModRawConvertFromMont(BignumModRawConvertToMont): +class BignumModRawConvertFromMont(bignum_common.ModOperationCommon, + BignumModRawTarget): """ Test cases for mpi_mod_raw_from_mont_rep(). """ - count = 0 test_function = "mpi_mod_raw_from_mont_rep" test_name = "Convert from Mont: " symbol = "1/R *" - - input_values = ["0", - "1", - "3ca", - "539ed428", - "7dfe5c6beb35a2d6", - "dca8de1c2adfc6d7aafb9b48e", - "a7d17b6c4be72f3d5c16bf9c1af6fc933", - "2fec97beec546f9553142ed52f147845463f579", - "378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f", - "b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395a" - "b3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675" - "487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57" - "d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea" - "41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab3" - "58d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c" - "6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8" - "de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74" - "e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32" - "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627" - ] + input_style = "arch_split" + arity = 1 def result(self) -> List[str]: result = (self.int_a * self.r_inv) % self.int_n From cd356c3cdb312e276473e038d1593f6f92bcd5b3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Sun, 20 Nov 2022 19:05:20 +0100 Subject: [PATCH 257/413] Add ec-jpake test to verify if key can be destroyed after set_password_key Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_psa_crypto.data | 9 +++++++-- tests/suites/test_suite_psa_crypto.function | 5 ++++- 2 files changed, 11 insertions(+), 3 deletions(-) 
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index cce3fd0fe8..659205d529 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -6549,11 +6549,16 @@ ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_ PSA PAKE: ecjpake rounds depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0 PSA PAKE: ecjpake rounds, client input first depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:0 + +# This test case relies on implementation (it may need to be adjusted in the future) +PSA PAKE: ecjpake rounds - key is destroyed after being passed to set_password_key +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1 PSA PAKE: ecjpake no input errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 60befa73f4..f84a0cc3f5 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -9002,7 +9002,7 @@ exit: /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, int derive_alg_arg, data_t *pw_data, - int client_input_first ) + int client_input_first, int destroy_key ) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t server = psa_pake_operation_init(); @@ -9053,6 +9053,9 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, PSA_ASSERT( psa_pake_set_password_key( &server, key ) ); PSA_ASSERT( psa_pake_set_password_key( &client, key ) ); + if( destroy_key == 1 ) + psa_destroy_key( key ); + TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), PSA_ERROR_BAD_STATE ); TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), From 79f6b6bb1bcbef2fb783cb43724903dea30377f7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 21 Nov 2022 14:17:03 +0100 Subject: [PATCH 258/413] tls: psa_pake: fixing mbedtls_psa_ecjpake_write_round() It might happen that the psa_pake_output() function returns elements which are not exactly 32 or 65 bytes as expected, but 1 bytes less. As a consequence, insted of hardcoding the expected value for the length in the output buffer, we write the correct one as obtained from psa_pake_output() Signed-off-by: Valerio Setti --- library/ssl_tls.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c1436c5321..7b51040c46 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
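Review bot: The status of `psa_destroy_key( key )` in the new `destroy_key` branch of ecjpake_rounds is discarded, so a destroy that fails would not fail the test and the assertions that follow would be checking a different situation from the one the data file describes. Writing it as `PSA_ASSERT( psa_destroy_key( key ) );` keeps it in line with the surrounding calls and makes the test's precondition verifiable. If the function's `exit:` cleanup (outside this hunk) destroys `key` a second time, that is only harmless while its status is not asserted, which is worth a comment at the destroy site. ecjpake_rounds continues well beyond the hunk.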
@@ -8259,20 +8259,27 @@ int mbedtls_psa_ecjpake_write_round( step <= PSA_PAKE_STEP_ZK_PROOF; ++step ) { - /* For each step, prepend 1 byte with the length of the data */ - *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); - output_offset += 1; - + /* + * For each step, prepend 1 byte with the length of the data. + * + * NOTE = psa_pake_output() sometimes output elements which are + * NOT 32 or 65 bytes as expected, but 1 byte less. So, instead + * of hardcoding the expected length, we + * - get the output first + * - then write the length of this output + */ status = psa_pake_output( pake_ctx, step, - buf + output_offset, - len - output_offset, + buf + output_offset + 1, + len - output_offset - 1, &output_len ); if( status != PSA_SUCCESS ) { return( psa_ssl_status_to_mbedtls( status ) ); } - output_offset += output_len; + *(buf + output_offset) = output_len; + + output_offset += output_len + 1; } } From 5151bdf46eb83823c4946c500c48bbad3b8f76e7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 21 Nov 2022 14:30:02 +0100 Subject: [PATCH 259/413] tls: psa_pake: add missing braces Signed-off-by: Valerio Setti --- library/ssl_tls12_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 7c293ec9e4..5ff8ab4b84 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2354,7 +2354,9 @@ start_processing: if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || ( read_tls_id != curve_info->tls_id ) ) + { return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } p += 3; From e2d6b5f45b207efa6745cfdbf73332e7403bb5b8 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 21 Nov 2022 15:03:52 +0100 Subject: [PATCH 260/413] psa_key_slot_get_slot_number: Move documentation to header file Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 13 ------------- library/psa_crypto_core.h | 10 ++++++++++ 2 files changed, 10 insertions(+), 13 deletions(-) 
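Review bot: The new length-byte store `*(buf + output_offset) = output_len;` narrows a `size_t` into one byte with no check, and the new size argument `len - output_offset - 1` underflows when `output_offset == len` (the previous `len - output_offset` reached zero there and let psa_pake_output() reject the call). Unless a size check outside this hunk already rules both out, guard before the call with `if( output_offset >= len ) return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );` and before the store with `if( output_len > 0xFF ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`. The added NOTE comment describes the shorter outputs as unexpected; if the reason they are sometimes a byte shorter is known, stating it there would keep the next reader from "fixing" the length back to a constant. The enclosing loop starts before the hunk.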
diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 55319c4bdb..8c9deffadf 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -877,19 +877,6 @@ static psa_status_t psa_restrict_key_policy( return( PSA_SUCCESS ); } -/** Get the description of a key given its identifier and policy constraints - * and lock it. - * - * The key must have allow all the usage flags set in \p usage. If \p alg is - * nonzero, the key must allow operations with this algorithm. If \p alg is - * zero, the algorithm is not checked. - * - * In case of a persistent key, the function loads the description of the key - * into a key slot if not already done. - * - * On success, the returned key slot is locked. It is the responsibility of - * the caller to unlock the key slot when it does not access it anymore. - */ psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot, diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h index 37f8162de7..5cefa273aa 100644 --- a/library/psa_crypto_core.h +++ b/library/psa_crypto_core.h @@ -185,6 +185,16 @@ static inline psa_key_slot_number_t psa_key_slot_get_slot_number( /** Get the description of a key given its identifier and policy constraints * and lock it. + * + * The key must have allow all the usage flags set in \p usage. If \p alg is + * nonzero, the key must allow operations with this algorithm. If \p alg is + * zero, the algorithm is not checked. + * + * In case of a persistent key, the function loads the description of the key + * into a key slot if not already done. + * + * On success, the returned key slot is locked. It is the responsibility of + * the caller to unlock the key slot when it does not access it anymore. */ psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot, From ad0f357178448f9483c572b26b32345d182a99b4 Mon Sep 17 00:00:00 2001 
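Review bot: The comment block moved into psa_crypto_core.h keeps the pre-existing wording "The key must have allow all the usage flags set in \p usage", which reads as a typo; since this text now becomes the header's description of psa_get_and_lock_key_slot_with_policy(), the move is the moment to make it `The key must allow all the usage flags set in \p usage.` No other wording in the moved block needs changing.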
From: Przemek Stekiel Date: Mon, 21 Nov 2022 15:04:37 +0100 Subject: [PATCH 261/413] Optimize pake code that sets/use password key Signed-off-by: Przemek Stekiel --- library/psa_crypto_pake.c | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index ef31af4204..9ac4c5f291 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -256,9 +256,6 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, return( PSA_ERROR_BAD_STATE ); } - if( psa_is_valid_key_id( password, 1 ) == 0 ) - return( PSA_ERROR_BAD_STATE ); - status = psa_get_key_attributes( password, &attributes ); if( status != PSA_SUCCESS ) return( status ); @@ -283,15 +280,8 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, if( status != PSA_SUCCESS ) return( status ); - if( slot->key.data == NULL || slot->key.bytes == 0 ) - return( PSA_ERROR_INVALID_ARGUMENT ); - if( operation->password != NULL ) - { - mbedtls_platform_zeroize( operation->password, operation->password_len ); - mbedtls_free( operation->password ); - operation->password_len = 0; - } + return( PSA_ERROR_BAD_STATE ); operation->password = mbedtls_calloc( 1, slot->key.bytes ); if( operation->password == NULL ) @@ -388,11 +378,8 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation ) else return( PSA_ERROR_BAD_STATE ); - if (operation->password == NULL || - operation->password_len == 0 ) - { + if( operation->password_len == 0 ) return( PSA_ERROR_BAD_STATE ); - } ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake, role, 
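Review bot: In the second hunk of psa_crypto_pake.c the `if( operation->password != NULL ) return( PSA_ERROR_BAD_STATE );` that replaces the free-and-reuse branch runs after psa_get_and_lock_key_slot_with_policy() has succeeded, so this return path leaves the key slot locked. Either call psa_unlock_key_slot() before returning or move the check above the lock; the later patch on this page ("Further optimizations of pake set_password implementation") does the latter. Dropping the `slot->key.data == NULL || slot->key.bytes == 0` check in the same hunk means a zero-length password key would reach `mbedtls_calloc( 1, 0 )`, whose result is implementation-defined, and be reported as INSUFFICIENT_MEMORY or a later BAD_STATE rather than INVALID_ARGUMENT; if such keys can reach this function, keep an explicit `bytes == 0` rejection with the unlock.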
@@ -404,6 +391,11 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation ) if( ret != 0 ) return( mbedtls_ecjpake_to_psa_error( ret ) ); + mbedtls_platform_zeroize( operation->password, operation->password_len ); + mbedtls_free( operation->password ); + operation->password = NULL; + operation->password_len = 0; + operation->state = PSA_PAKE_STATE_READY; return( PSA_SUCCESS ); @@ -453,7 +445,13 @@ static psa_status_t psa_pake_output_internal( if( operation->state == PSA_PAKE_STATE_SETUP ) { status = psa_pake_ecjpake_setup( operation ); if( status != PSA_SUCCESS ) + { + mbedtls_platform_zeroize( operation->password, operation->password_len ); + mbedtls_free( operation->password ); + operation->password = NULL; + operation->password_len = 0; return( status ); + } } if( operation->state != PSA_PAKE_STATE_READY && @@ -661,7 +659,13 @@ static psa_status_t psa_pake_input_internal( { status = psa_pake_ecjpake_setup( operation ); if( status != PSA_SUCCESS ) + { + mbedtls_platform_zeroize( operation->password, operation->password_len ); + mbedtls_free( operation->password ); + operation->password = NULL; + operation->password_len = 0; return( status ); + } } if( operation->state != PSA_PAKE_STATE_READY && @@ -865,7 +869,8 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation) { operation->input_step = PSA_PAKE_STEP_INVALID; operation->output_step = PSA_PAKE_STEP_INVALID; - mbedtls_platform_zeroize( operation->password, operation->password_len ); + if( operation->password_len > 0 ) + mbedtls_platform_zeroize( operation->password, operation->password_len ); mbedtls_free( operation->password ); operation->password = NULL; operation->password_len = 0; From f82effa9826a0e93aaa8c4c7928ad1016a16a8e8 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 21 Nov 2022 15:10:32 +0100 Subject: [PATCH 262/413] Optimize pake test code 
Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_psa_crypto.function | 40 ++++++++++----------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index f84a0cc3f5..ca1614befa 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -32,25 +32,23 @@ #define ASSERT_OPERATION_IS_INACTIVE( operation ) TEST_ASSERT( operation.id == 0 ) #if defined(PSA_WANT_ALG_JPAKE) -void ecjpake_operation_setup( psa_pake_operation_t *operation, +int ecjpake_operation_setup( psa_pake_operation_t *operation, psa_pake_cipher_suite_t *cipher_suite, psa_pake_role_t role, mbedtls_svc_key_id_t key, size_t key_available ) { - *operation = psa_pake_operation_init(); + PSA_ASSERT( psa_pake_abort( operation ) ); - TEST_EQUAL( psa_pake_setup( operation, cipher_suite ), - PSA_SUCCESS ); + PSA_ASSERT( psa_pake_setup( operation, cipher_suite ) ); - TEST_EQUAL( psa_pake_set_role( operation, role), - PSA_SUCCESS ); + PSA_ASSERT( psa_pake_set_role( operation, role) ); if( key_available ) - TEST_EQUAL( psa_pake_set_password_key( operation, key ), - PSA_SUCCESS ); + PSA_ASSERT( psa_pake_set_password_key( operation, key ) ); + return 0; exit: - return; + return 1; } #endif 
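Review bot: ecjpake_operation_setup now returns an `int`, but nothing documents that `0` means success and `1` means a PSA call failed (the failure itself having already been recorded by the PSA_ASSERT that jumped to `exit`), and the callers in the later hunks compare against a bare `0`. A header comment would fix that, e.g. `/* Returns 0 on success, 1 if a PSA call failed; the failing PSA_ASSERT has already recorded the error. */`. Replacing `*operation = psa_pake_operation_init();` with `PSA_ASSERT( psa_pake_abort( operation ) )` also assumes every caller passes an operation that is at least initialized, which belongs in the same comment.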
@@ -8865,21 +8863,21 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, NULL, 0 ), PSA_ERROR_INVALID_ARGUMENT ); /* Invalid parameters (step) */ - ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ); + TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, + key, pw_data->len ) , 0 ); TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, output_buffer, size_zk_proof ), PSA_ERROR_INVALID_ARGUMENT ); /* Invalid first step */ - ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ); + TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, + key, pw_data->len ), 0 ); TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, output_buffer, size_zk_proof ), PSA_ERROR_BAD_STATE ); /* Possibly valid */ - ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ); + TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, + key, pw_data->len ), 0 ); TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, output_buffer, size_key_share ), expected_status_input_output); 
@@ -8904,21 +8902,21 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, NULL, 0, NULL ), PSA_ERROR_INVALID_ARGUMENT ); /* Invalid parameters (step) */ - ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ); + TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, + key, pw_data->len ), 0 ); TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, output_buffer, buf_size, &output_len ), PSA_ERROR_INVALID_ARGUMENT ); /* Invalid first step */ - ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ); + TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, + key, pw_data->len ), 0 ); TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, output_buffer, buf_size, &output_len ), PSA_ERROR_BAD_STATE ); /* Possibly valid */ - ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ); + TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, + key, pw_data->len ), 0 ); TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, output_buffer, buf_size, &output_len ), expected_status_input_output ); From 39e08d4094218c84611f73d50b7507d8230467e0 Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Wed, 16 Nov 2022 17:08:53 +0000 Subject: [PATCH 263/413] Add tests for the key agreement driver wrapper to test_suite_psa_crypto_driver_wrappers Signed-off-by: Aditya Deshpande --- tests/include/test/drivers/key_agreement.h | 3 + tests/scripts/all.sh | 8 -- tests/src/drivers/test_driver_key_agreement.c | 2 + ...test_suite_psa_crypto_driver_wrappers.data | 16 ++++ ..._suite_psa_crypto_driver_wrappers.function | 90 +++++++++++++++++++ 5 files changed, 111 insertions(+), 8 deletions(-) diff --git a/tests/include/test/drivers/key_agreement.h b/tests/include/test/drivers/key_agreement.h index 634cbac199..ec6515982e 100644 --- a/tests/include/test/drivers/key_agreement.h 
+++ b/tests/include/test/drivers/key_agreement.h @@ -45,6 +45,9 @@ static inline mbedtls_test_driver_key_agreement_hooks_t return( v ); } +extern mbedtls_test_driver_key_agreement_hooks_t + mbedtls_test_driver_key_agreement_hooks; + psa_status_t mbedtls_test_transparent_key_agreement( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 199efb6a87..203a5fefa3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1960,18 +1960,10 @@ component_test_psa_crypto_config_accel_ecdh () { scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING - # SHA384 needed for some ECDSA signature tests. - scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_SHA384_C - scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_SHA512_C - loc_accel_list="ALG_ECDH KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - # Restore test driver base configuration - scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA384_C - scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA512_C - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c index 20d1d6b87f..51301f8f04 100644 --- a/tests/src/drivers/test_driver_key_agreement.c +++ b/tests/src/drivers/test_driver_key_agreement.c 
@@ -50,6 +50,8 @@ psa_status_t mbedtls_test_transparent_key_agreement( size_t shared_secret_size, size_t *shared_secret_length ) { + ++mbedtls_test_driver_key_agreement_hooks.hits; + if( mbedtls_test_driver_key_agreement_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_key_agreement_hooks.forced_status ); diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index 0a8d595218..74b74da92f 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data 
@@ -299,6 +299,22 @@ export_key private to public through driver: error depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:PSA_WANT_ECC_SECP_R1_256 export_key:PSA_ERROR_GENERIC_ERROR:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"":PSA_ERROR_GENERIC_ERROR +raw key agreement through driver: fake +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +key_agreement:PSA_ALG_ECDH:PSA_SUCCESS:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de":"0102030405":PSA_SUCCESS + +raw key agreement through driver: in-driver +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +key_agreement:PSA_ALG_ECDH:PSA_SUCCESS:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de":"":PSA_SUCCESS + +raw key agreement through driver: fallback +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDLTS_PSA_BUILTIN_ALG_ECDH 
+key_agreement:PSA_ALG_ECDH:PSA_ERROR_NOT_SUPPORTED:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de":"":PSA_SUCCESS + +raw key agreement through driver: error +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +key_agreement:PSA_ALG_ECDH:PSA_ERROR_GENERIC_ERROR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de":"":PSA_ERROR_GENERIC_ERROR + PSA symmetric encrypt validation: AES-CTR, 16 bytes, good depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_encrypt_validation:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a" diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 128352bb81..7fa3c947ef 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -1,5 +1,6 @@ /* BEGIN_HEADER */ #include "test/drivers/test_driver.h" +#include #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) /* Sanity checks on the output of RSA encryption. 
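Review bot: The `depends_on` line of the new "raw key agreement through driver: fallback" case lists `MBEDLTS_PSA_BUILTIN_ALG_ECDH`, a misspelling of `MBEDTLS_PSA_BUILTIN_ALG_ECDH`; because the misspelled symbol is never defined, the fallback case (driver reports NOT_SUPPORTED, built-in implementation must take over) will be skipped in every configuration, which is the one path the case exists to cover. Correct the token and confirm the case is reported as run, not skipped, in the accelerated-ECDH component that the all.sh hunk above touches. The `+#include` added at the top of the `.function` file in the following hunk shows no header name in this rendering; if that is not an artefact, the include is either incomplete or unnecessary and should be resolved either way.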
@@ -541,6 +542,95 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void key_agreement( int alg_arg, + int force_status_arg, + int our_key_type_arg, + data_t *our_key_data, + data_t *peer_key_data, + data_t *expected_output, + data_t* fake_output, + int expected_status_arg ) +{ + psa_status_t force_status = force_status_arg; + psa_status_t expected_status = expected_status_arg; + psa_algorithm_t alg = alg_arg; + psa_key_type_t our_key_type = our_key_type_arg; + mbedtls_svc_key_id_t our_key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + const uint8_t *expected_output_ptr = NULL; + size_t expected_output_length = 0; + unsigned char *actual_output = NULL; + size_t actual_output_length = ~0; + size_t key_bits; + psa_status_t actual_status; + mbedtls_test_driver_key_agreement_hooks = + mbedtls_test_driver_key_agreement_hooks_init(); + + PSA_ASSERT( psa_crypto_init( ) ); + + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, our_key_type ); + PSA_ASSERT( psa_import_key( &attributes, + our_key_data->x, our_key_data->len, + &our_key ) ); + + PSA_ASSERT( psa_get_key_attributes( our_key, &attributes ) ); + key_bits = psa_get_key_bits( &attributes ); + + TEST_LE_U( expected_output->len, + PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE( our_key_type, key_bits ) ); + TEST_LE_U( PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE( our_key_type, key_bits ), + PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE ); + + if( fake_output->len > 0 ) + { + expected_output_ptr = + mbedtls_test_driver_key_agreement_hooks.forced_output = + fake_output->x; + + expected_output_length = + mbedtls_test_driver_key_agreement_hooks.forced_output_length = + fake_output->len; + } + else + { + expected_output_ptr = expected_output->x; + expected_output_length = expected_output->len; + } + + mbedtls_test_driver_key_agreement_hooks.hits = 0; + mbedtls_test_driver_key_agreement_hooks.forced_status = force_status; + + 
ASSERT_ALLOC( actual_output, expected_output->len ); + actual_status = psa_raw_key_agreement( alg, our_key, + peer_key_data->x, peer_key_data->len, + actual_output, expected_output->len, + &actual_output_length ) ; + TEST_EQUAL( actual_status, expected_status ); + TEST_EQUAL( mbedtls_test_driver_key_agreement_hooks.hits, 1 ); + + if( actual_status == PSA_SUCCESS ) + { + ASSERT_COMPARE( actual_output, actual_output_length, + expected_output_ptr, expected_output_length); + } + mbedtls_free( actual_output ); + actual_output = NULL; + actual_output_length = ~0; + +exit: + psa_reset_key_attributes( &attributes ); + psa_destroy_key( our_key ); + PSA_DONE( ); + mbedtls_test_driver_key_agreement_hooks = + mbedtls_test_driver_key_agreement_hooks_init(); + +} + +/* END_CASE */ + /* BEGIN_CASE */ void cipher_encrypt_validation( int alg_arg, int key_type_arg, From fdd24b8c496449abc1e024857d582ea8b6b4b4b4 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 22 Nov 2022 13:12:56 +0800 Subject: [PATCH 264/413] Revert change in flight transmit Signed-off-by: Jerry Yu --- library/ssl_msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index cacedcaf99..80471d4c5d 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -2343,7 +2343,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ) return( ret ); /* Update state and set timer */ - if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) + if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; else { From c2e110f44577908617815915f52793c6c39483f0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 22 Nov 2022 09:01:46 +0100 Subject: [PATCH 265/413] tls13: Disable MBEDTLS_SSL_EARLY_DATA by default Eventually we want it to be enabled by default when TLS 1.3 is enabled but currently the feature is on development thus it should not be enabled by default. 
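Review bot: In key_agreement the output buffer is allocated and the psa_raw_key_agreement() call bounded by `expected_output->len`, while the final comparison uses `expected_output_length`, which in the fake-output branch is `fake_output->len`; the two only agree today because the data rows pair a 5-byte fake output with a 32-byte real one, and a longer fake output would be truncated or rejected by the bound rather than flagged as a test-vector mistake. Allocating and bounding with `expected_output_length`, or asserting `fake_output->len <= expected_output->len` when the fake path is taken, makes that intent explicit. Minor: `data_t* fake_output` should be `data_t *fake_output` to match the neighbouring parameters. The function's `exit:` block is in the hunk; the BEGIN_CASE header is too, so the unit is complete.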
Signed-off-by: Ronald Cron --- include/mbedtls/mbedtls_config.h | 2 +- tests/scripts/all.sh | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 3f869b9ffc..12d503e389 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1648,7 +1648,7 @@ * production. * */ -#define MBEDTLS_SSL_EARLY_DATA +//#define MBEDTLS_SSL_EARLY_DATA /** * \def MBEDTLS_SSL_PROTO_DTLS diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8272dcc312..3a69fd7d72 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3250,6 +3250,7 @@ component_build_armcc () { component_test_tls13_only () { msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2" + scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test: TLS 1.3 only, all key exchange modes enabled" @@ -3269,6 +3270,7 @@ component_test_tls13_only_psk () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" @@ -3301,6 +3303,7 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" 
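Review bot: Commenting out `#define MBEDTLS_SSL_EARLY_DATA` changes the default without touching the option's documentation block just above it (outside the hunk, its visible tail ends in "production."); the commit message gives the reason, that the feature is still in development, and that reason belongs in the doc block so a reader of the config file learns why it is off, e.g. `This feature is under development and is disabled by default; uncomment to enable it.` The all.sh hunks that set it in each TLS 1.3 component keep the code under CI while it stays off by default, which is the right split.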
@@ -3318,6 +3321,7 @@ component_test_tls13_only_psk_all () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" @@ -3330,6 +3334,7 @@ component_test_tls13_only_psk_all () { component_test_tls13_only_ephemeral_all () { msg "build: TLS 1.3 only from default, without PSK key exchange mode" scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py set MBEDTLS_SSL_EARLY_DATA make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" @@ -3344,6 +3349,7 @@ component_test_tls13 () { scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 + scripts/config.py set MBEDTLS_SSL_EARLY_DATA CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding" @@ -3357,6 +3363,7 @@ component_test_tls13_no_compatibility_mode () { scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 + scripts/config.py set MBEDTLS_SSL_EARLY_DATA CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding" From 0bdec19c93a2aacf023c46bb81e3ce0fb8cc6baa Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 22 Nov 2022 09:10:35 +0100 Subject: [PATCH 266/413] Further optimizations of pake set_password implementation 
Signed-off-by: Przemek Stekiel --- library/psa_crypto_pake.c | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 9ac4c5f291..659b712a5b 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -274,19 +274,19 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 ) return( PSA_ERROR_NOT_PERMITTED ); + if( operation->password != NULL ) + return( PSA_ERROR_BAD_STATE ); + status = psa_get_and_lock_key_slot_with_policy( password, &slot, PSA_KEY_USAGE_DERIVE, PSA_ALG_JPAKE ); if( status != PSA_SUCCESS ) return( status ); - if( operation->password != NULL ) - return( PSA_ERROR_BAD_STATE ); - operation->password = mbedtls_calloc( 1, slot->key.bytes ); if( operation->password == NULL ) { - status = psa_unlock_key_slot( slot ); + psa_unlock_key_slot( slot ); return( PSA_ERROR_INSUFFICIENT_MEMORY ); } memcpy( operation->password, slot->key.data, slot->key.bytes ); @@ -388,14 +388,14 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation ) operation->password, operation->password_len ); - if( ret != 0 ) - return( mbedtls_ecjpake_to_psa_error( ret ) ); - mbedtls_platform_zeroize( operation->password, operation->password_len ); mbedtls_free( operation->password ); operation->password = NULL; operation->password_len = 0; + if( ret != 0 ) + return( mbedtls_ecjpake_to_psa_error( ret ) ); + operation->state = PSA_PAKE_STATE_READY; return( PSA_SUCCESS ); 
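Review bot: In the first hunk the return value of `psa_unlock_key_slot( slot )` on the calloc-failure path is now dropped without comment; the old assignment was dead anyway because the function returned PSA_ERROR_INSUFFICIENT_MEMORY regardless, so this is not a regression, but a deliberate discard reads better as `(void) psa_unlock_key_slot( slot );` with a short note that the memory error takes precedence. Moving the `operation->password != NULL` check ahead of psa_get_and_lock_key_slot_with_policy() also closes a slot lock that was previously left held on that path, which the commit message does not mention and deserves a changelog line. The second hunk's reordering, zeroizing and freeing the password before the `ret` check, is the correct fix for the leak on the error path. psa_pake_set_password_key continues outside the hunk.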
@@ -445,13 +445,7 @@ static psa_status_t psa_pake_output_internal( if( operation->state == PSA_PAKE_STATE_SETUP ) { status = psa_pake_ecjpake_setup( operation ); if( status != PSA_SUCCESS ) - { - mbedtls_platform_zeroize( operation->password, operation->password_len ); - mbedtls_free( operation->password ); - operation->password = NULL; - operation->password_len = 0; return( status ); - } } if( operation->state != PSA_PAKE_STATE_READY && @@ -659,13 +653,7 @@ static psa_status_t psa_pake_input_internal( { status = psa_pake_ecjpake_setup( operation ); if( status != PSA_SUCCESS ) - { - mbedtls_platform_zeroize( operation->password, operation->password_len ); - mbedtls_free( operation->password ); - operation->password = NULL; - operation->password_len = 0; return( status ); - } } if( operation->state != PSA_PAKE_STATE_READY && From 8bee89994dbcc119812ac81102eb22e959cf9093 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 27 Oct 2022 10:21:05 +0000 Subject: [PATCH 267/413] Add parse function for early data in encrypted extentions Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 63 +++++++++++++++++++++++++++++++ tests/opt-testcases/tls13-misc.sh | 4 +- 2 files changed, 65 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 0372f2d98d..839fe3679a 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
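Review bot: After the simplification in both hunks (psa_pake_output_internal here and psa_pake_input_internal in the second hunk), a failed psa_pake_ecjpake_setup() returns with `operation->state` still equal to PSA_PAKE_STATE_SETUP while, per the previous hunk, `operation->password` has already been freed and set to NULL with `password_len` 0. If nothing else moves the operation out of that state on this path (not visible here), a caller that retries output or input would re-enter setup with an empty password instead of getting PSA_ERROR_BAD_STATE; calling `psa_pake_abort( operation );` before `return( status );`, as later commits in this series do for the setup functions, or a comment stating why a retry is acceptable, would close that gap. Both enclosing functions continue outside the hunks.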
@@ -1335,6 +1335,53 @@ static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl, return( 0 ); } +#if defined(MBEDTLS_SSL_EARLY_DATA) +/* + * ssl_tls13_parse_ee_early_data_ext() + * Parse early data indication extension in EncryptedExtensions. + * + * struct {} Empty; + * + * struct { + * select (Handshake.msg_type) { + * ... + * case client_hello: Empty; + * case encrypted_extensions: Empty; + * }; + * } EarlyDataIndication; + * + */ + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_parse_ee_early_data_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) +{ + if( ssl->early_data_status < MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT ) + { + /* The server must not send the EarlyDataIndication if the + * client hasn't indicated the use of early data. */ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + if( len != 0 ) + { + /* The message must be empty. */ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + + /* Nothing to parse */ + ((void) buf); + + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; + return( 0 ); +} +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /* Returns a negative value on failure, and otherwise * - SSL_SERVER_HELLO or * - SSL_SERVER_HELLO_HRR 
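Review bot: The guard `ssl->early_data_status < MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT` in ssl_tls13_parse_ee_early_data_ext() depends on the numeric ordering of the MBEDTLS_SSL_EARLY_DATA_STATUS_* values, which nothing in the function states; a comment such as `/* Relies on the STATUS_* values being ordered: anything below INDICATION_SENT means the ClientHello carried no early_data extension. */` would protect it against a later reordering of the enum. The `((void) buf);` placed after the length check reads as if buf were unused only on the success path; the usual spot is the top of the function. The alert/return pairs and the empty-body check itself match the EarlyDataIndication definition quoted in the header comment.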
@@ -2060,6 +2107,22 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, break; #endif /* MBEDTLS_SSL_ALPN */ + +#if defined(MBEDTLS_SSL_EARLY_DATA) + case MBEDTLS_TLS_EXT_EARLY_DATA: + ret = ssl_tls13_parse_ee_early_data_ext( + ssl, p, (size_t)extension_data_len ); + if( ret != 0 ) + { + ssl->early_data_status = + MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; + MBEDTLS_SSL_DEBUG_RET( + 1, "ssl_tls13_parse_ee_early_data_ext", ret ); + return( ret ); + } + break; +#endif /* MBEDTLS_SSL_EARLY_DATA */ + default: MBEDTLS_SSL_PRINT_EXT( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index edece456b3..ed428480c4 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -301,7 +301,7 @@ run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ -c "NewSessionTicket: early_data(42) extension received." \ -c "ClientHello: early_data(42) extension exists." \ -c "EncryptedExtensions: early_data(42) extension received." \ - -c "EncryptedExtensions: early_data(42) extension ( ignored )." \ + -c "EncryptedExtensions: early_data(42) extension exists." \ -s "Parsing extension 'Early Data/42' (0 bytes)" \ -s "Sending extension Early Data/42 (0 bytes)" \ -s "early data accepted" @@ -322,7 +322,7 @@ run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \ -C "NewSessionTicket: early_data(42) extension received." \ -c "ClientHello: early_data(42) extension does not exist." \ -C "EncryptedExtensions: early_data(42) extension received." \ - -C "EncryptedExtensions: early_data(42) extension ( ignored )." + -C "EncryptedExtensions: early_data(42) extension exists." #TODO: OpenSSL tests don't work now. It might be openssl options issue, cause GnuTLS has worked. skip_next_test From d4a9b1ab8d124eaf7bff20d4bfe078f4ddc09483 Mon Sep 17 00:00:00 2001 
From: Valerio Setti Date: Tue, 22 Nov 2022 11:11:10 +0100 Subject: [PATCH 268/413] tls: psa_pake: remove useless defines and fix a comment Signed-off-by: Valerio Setti --- library/ssl_misc.h | 11 ----------- library/ssl_tls.c | 9 ++------- 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 0f43a18f42..2ff7e0c22a 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2367,17 +2367,6 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) -/* Currently JPAKE only supports elliptic curve secp256r1 */ -#define MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE \ - PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, \ - PSA_ECC_FAMILY_SECP_R1, 256 ) - -/* Expected output data size for each "step" of EC-JPAKE key echange */ -#define MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ) \ - PSA_PAKE_OUTPUT_SIZE( PSA_ALG_JPAKE, \ - MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE, \ - step ) - typedef enum { MBEDTLS_ECJPAKE_ROUND_ONE, MBEDTLS_ECJPAKE_ROUND_TWO diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7b51040c46..5bfdde7bc3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8260,13 +8260,8 @@ int mbedtls_psa_ecjpake_write_round( ++step ) { /* - * For each step, prepend 1 byte with the length of the data. - * - * NOTE = psa_pake_output() sometimes output elements which are - * NOT 32 or 65 bytes as expected, but 1 byte less. So, instead - * of hardcoding the expected length, we - * - get the output first - * - then write the length of this output + * For each step, prepend 1 byte with the length of the data as + * given by psa_pake_output(). */ status = psa_pake_output( pake_ctx, step, buf + output_offset + 1, From 18a3856a03bb246db82069ff330dbb2343239281 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 22 Nov 2022 11:49:55 +0100
Subject: [PATCH 269/413] Document another limitation of driver-only hashes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
ChangeLog.d/driver-only-hashes.txt | 16 ++++++++++------
include/mbedtls/mbedtls_config.h | 20 ++++++++++++++++++++
2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt
index 2062bcb57d..a160f924ba 100644
--- a/ChangeLog.d/driver-only-hashes.txt
+++ b/ChangeLog.d/driver-only-hashes.txt
@@ -8,12 +8,16 @@ Features are only provided by PSA drivers. In these configurations, you need to call `psa_crypto_init()` before you call any function from those modules; this is not required in configurations where the built-in - implementation is still available. Note that some crypto modules and - features still depend on the built-in implementation of hashes: - MBEDTLS_HKDF_C (but the PSA HKDF function do not depend on it), - MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and MBEDTLS_ECDSA_DETERMINISTIC. - In particular, for now, compiling without built-in hashes requires use - of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. + implementation is still available. Note that for modules that use MD + (RSA, PKCS5, PKCS12, EC J-PAKE) in builds that have MBEDTLS_MD_C enabled, + all hashes used with those modules need to be built-in, as drivers are only + used when MBEDTLS_MD_C is disabled; configurations where some hashes are + available as built-ins, and some only from drivers, are currently not + supported. Also note that some crypto modules and features still depend on + the built-in implementation of hashes: MBEDTLS_HKDF_C (but the PSA HKDF + functions do not depend on it), MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and + MBEDTLS_ECDSA_DETERMINISTIC. In particular, for now, compiling without + built-in hashes requires use of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no longer depend on MD. This means it is now possible to use them in configurations where the built-in implementations of hashes are excluded diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 3f869b9ffc..b16a5b4d49 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -1146,6 +1146,11 @@ * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * before doing any PKCS#1 v2.1 operation. * + * \warning When building with MBEDTLS_MD_C, all hashes used with this + * need to be available a built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by + * this module in builds where MBEDTLS_MD_C is disabled. + * * This enables support for RSAES-OAEP and RSASSA-PSS operations. */ #define MBEDTLS_PKCS1_V21 @@ -2433,6 +2438,11 @@ * * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * before doing any EC J-PAKE operations. + * + * \warning When building with MBEDTLS_MD_C, all hashes used with this + * need to be available a built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by + * this module in builds where MBEDTLS_MD_C is disabled. */ #define MBEDTLS_ECJPAKE_C @@ -2777,6 +2787,11 @@ * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * before doing any PKCS5 operation. * + * \warning When building with MBEDTLS_MD_C, all hashes used with this + * need to be available a built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by + * this module in builds where MBEDTLS_MD_C is disabled. + * * This module adds support for the PKCS#5 functions. */ #define MBEDTLS_PKCS5_C @@ -2796,6 +2811,11 @@ * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * before doing any PKCS12 operation. * + * \warning When building with MBEDTLS_MD_C, all hashes used with this + * need to be available a built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by + * this module in builds where MBEDTLS_MD_C is disabled. + * * This module enables PKCS#12 functions. */ #define MBEDTLS_PKCS12_C 
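Review bot: All four new \warning paragraphs (MBEDTLS_PKCS1_V21 here, then MBEDTLS_ECJPAKE_C, MBEDTLS_PKCS5_C and MBEDTLS_PKCS12_C in the following hunks) carry the same typo, `need to be available a built-ins`, which should read `need to be available as built-ins`. Since the paragraph is copied verbatim four times, fixing it once and re-pasting, or pointing the later three at the first with a short cross-reference, keeps them from drifting apart in future edits.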
From 2f7fd76d9167cabb8d3adf349cfce19025ed6ed6 Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Tue, 22 Nov 2022 11:10:34 +0000 Subject: [PATCH 270/413] Replace PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE with PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE in psa_key_agreement_internal(). Signed-off-by: Aditya Deshpande --- library/psa_crypto.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 07f3151214..f0c3d5adfc 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5735,7 +5735,6 @@ psa_status_t psa_key_derivation_input_key( /****************************************************************/ /* Key agreement */ /****************************************************************/ -#define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, @@ -5809,7 +5808,7 @@ static psa_status_t psa_key_agreement_internal( psa_key_derivation_operation_t * size_t peer_key_length ) { psa_status_t status; - uint8_t shared_secret[PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE]; + uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE]; size_t shared_secret_length = 0; psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE( operation->alg ); From da13072c5bfc56a04ec5bb0bf0ab464889d3699b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 22 Nov 2022 09:08:57 +0100 Subject: [PATCH 271/413] tls13: Make ..._RECEIVED_NEW_SESSION_TICKET experimental We are considering using a callback instead. Signed-off-by: Ronald Cron --- include/mbedtls/ssl.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index d0558511a8..94bbee59b5 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -96,7 +96,10 @@
 /* Error space gap */
 /** Processing of the Certificate handshake message failed. */
 #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00
-/** Received NewSessionTicket Post Handshake Message */
+/**
+ * Received NewSessionTicket Post Handshake Message.
+ * This error code is experimental and may be changed or removed without notice.
+ */
 #define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00
 /* Error space gap */
 /* Error space gap */
From d9b2348d8f66553a03b9f95c10d7e0768d2988b4 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 25 Aug 2022 08:25:19 +0100
Subject: [PATCH 272/413] Extract MPI_CORE(sub_int) from the prototype
Signed-off-by: Tom Cosgrove
---
library/bignum_core.c | 15 +++++++++++++++
library/bignum_core.h | 18 ++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/library/bignum_core.c b/library/bignum_core.c
index 34aecda501..0315c84f9a 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -590,6 +590,21 @@ cleanup:
 /* BEGIN MERGE SLOT 3 */
+mbedtls_mpi_uint MPI_CORE(sub_int)( mbedtls_mpi_uint *d,
+ const mbedtls_mpi_uint *l,
+ mbedtls_mpi_uint c, size_t n )
+{
+ for( size_t i = 0; i < n; i++ )
+ {
+ mbedtls_mpi_uint s, t;
+ s = l[i];
+ t = s - c; c = ( t > s );
+ d[i] = t;
+ }
+
+ return( c );
+}
+
 /* END MERGE SLOT 3 */
 /* BEGIN MERGE SLOT 4 */
diff --git a/library/bignum_core.h b/library/bignum_core.h
index ad04e08283..68b4bd144c 100644
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
@@ -504,6 +504,24 @@ int mbedtls_mpi_core_fill_random( mbedtls_mpi_uint *X, size_t X_limbs, /* BEGIN MERGE SLOT 3 */ +#define MPI_CORE(func) mbedtls_mpi_core_ ## func ## _minimal + +/** + * \brief Subtract unsigned integer from known-size large unsigned integers. + * Return the borrow. + * + * \param[out] d The result of the subtraction. + * \param[in] l The left operand. + * \param[in] r The unsigned scalar to subtract. + * \param n Number of limbs of \p d and \p l. + * + * \return 1 if `l < r`. + * 0 if `l >= r`. + */ +mbedtls_mpi_uint MPI_CORE(sub_int)( mbedtls_mpi_uint *d, + const mbedtls_mpi_uint *l, + mbedtls_mpi_uint r, size_t n ); + /* END MERGE SLOT 3 */ /* BEGIN MERGE SLOT 4 */ From f7ff4c9a112bf0a56ee1c8ee7f1c02cb87a81857 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 25 Aug 2022 08:39:07 +0100 Subject: [PATCH 273/413] Tidy up, remove MPI_CORE(), and apply the naming convention Signed-off-by: Tom Cosgrove --- library/bignum_core.c | 17 +++++++++-------- library/bignum_core.h | 21 ++++++++++----------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 0315c84f9a..41d3239688 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -590,16 +590,17 @@ cleanup: /* BEGIN MERGE SLOT 3 */ -mbedtls_mpi_uint MPI_CORE(sub_int)( mbedtls_mpi_uint *d, - const mbedtls_mpi_uint *l, - mbedtls_mpi_uint c, size_t n ) +mbedtls_mpi_uint mbedtls_mpi_core_sub_int( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + mbedtls_mpi_uint c, /* doubles as carry */ + size_t limbs ) { - for( size_t i = 0; i < n; i++ ) + for( size_t i = 0; i < limbs; i++ ) { - mbedtls_mpi_uint s, t; - s = l[i]; - t = s - c; c = ( t > s ); - d[i] = t; + mbedtls_mpi_uint s = A[i]; + mbedtls_mpi_uint t = s - c; + c = ( t > s ); + X[i] = t; } return( c ); diff --git a/library/bignum_core.h b/library/bignum_core.h index 68b4bd144c..d48e7053bb 100644 --- a/library/bignum_core.h +++ b/library/bignum_core.h 
@@ -504,23 +504,22 @@ int mbedtls_mpi_core_fill_random( mbedtls_mpi_uint *X, size_t X_limbs, /* BEGIN MERGE SLOT 3 */ -#define MPI_CORE(func) mbedtls_mpi_core_ ## func ## _minimal - /** * \brief Subtract unsigned integer from known-size large unsigned integers. * Return the borrow. * - * \param[out] d The result of the subtraction. - * \param[in] l The left operand. - * \param[in] r The unsigned scalar to subtract. - * \param n Number of limbs of \p d and \p l. + * \param[out] X The result of the subtraction. + * \param[in] A The left operand. + * \param b The unsigned scalar to subtract. + * \param limbs Number of limbs of \p X and \p A. * - * \return 1 if `l < r`. - * 0 if `l >= r`. + * \return 1 if `A < b`. + * 0 if `A >= b`. */ -mbedtls_mpi_uint MPI_CORE(sub_int)( mbedtls_mpi_uint *d, - const mbedtls_mpi_uint *l, - mbedtls_mpi_uint r, size_t n ); +mbedtls_mpi_uint mbedtls_mpi_core_sub_int( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + mbedtls_mpi_uint b, + size_t limbs ); /* END MERGE SLOT 3 */ From 452c99c17331b1d5a718d2b70080c1608f0c50f3 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 25 Aug 2022 10:07:07 +0100 Subject: [PATCH 274/413] Use mbedtls_mpi_core_sub_int() in mbedtls_mpi_sub_abs() Signed-off-by: Tom Cosgrove --- library/bignum.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index ba03988254..a68957a534 100644 --- a/library/bignum.c +++ b/library/bignum.c 
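Review bot: The declaration names the scalar parameter `b` (`\param b The unsigned scalar to subtract.`) while the definition in the previous hunk of library/bignum_core.c names it `c` with the comment `/* doubles as carry */`, so the Doxygen text and the code disagree on the name and the "doubles as carry" trick is invisible from the header. Using `b` in the definition too and introducing a local for the running value, `mbedtls_mpi_uint borrow = b;` ahead of the loop with `borrow` in place of `c`, would make both sides match and keep the parameter read-only. The \brief could also spell out that the function is fixed-width (the result has exactly `limbs` limbs and a borrow out of the top limb is what the return value reports).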
@@ -968,17 +968,15 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi carry = mbedtls_mpi_core_sub( X->p, A->p, B->p, n ); if( carry != 0 ) { - /* Propagate the carry to the first nonzero limb of X. */ - for( ; n < X->n && X->p[n] == 0; n++ ) - --X->p[n]; - /* If we ran out of space for the carry, it means that the result - * is negative. */ - if( n == X->n ) + /* Propagate the carry through the rest of X. */ + carry = mbedtls_mpi_core_sub_int( X->p + n, X->p + n, carry, X->n - n ); + + /* If we have further carry/borrow, the result is negative. */ + if( carry != 0 ) { ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE; goto cleanup; } - --X->p[n]; } /* X should always be positive as a result of unsigned subtractions. */ From 99d88c1ab488c806b4919d50301c38488f1fb478 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Nov 2022 16:03:43 +0100 Subject: [PATCH 275/413] tls: psa_pake: fix missing casting in mbedtls_psa_ecjpake_write_round Signed-off-by: Valerio Setti --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5bfdde7bc3..4efcee0674 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8272,7 +8272,7 @@ int mbedtls_psa_ecjpake_write_round( return( psa_ssl_status_to_mbedtls( status ) ); } - *(buf + output_offset) = output_len; + *(buf + output_offset) = (uint8_t) output_len; output_offset += output_len + 1; } From d66d5b2fef284e46953bac5a0f7ebb8f35d0e15b Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Tue, 22 Nov 2022 15:07:31 +0000 Subject: [PATCH 276/413] Add unit tests for mbedtls_mpi_core_sub_int(), MPI A - scalar b Signed-off-by: Tom Cosgrove --- scripts/mbedtls_dev/bignum_core.py | 31 +++++++++++++ tests/suites/test_suite_bignum_core.function | 46 ++++++++++++++++++++ 2 files changed, 77 insertions(+) diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index 4910daea87..b8e2a31239 100644 
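Review bot: `carry = mbedtls_mpi_core_sub_int( X->p + n, X->p + n, carry, X->n - n );` passes the same pointer as destination and source, which is only safe because the helper reads `A[i]` before it writes `X[i]` (visible in its definition earlier on this page); the header comment in library/bignum_core.h does not promise that, so a one-line addition there, `\p X may be aliased to \p A.`, would turn the reliance into a documented contract. The new comment `/* Propagate the carry through the rest of X. */` could also note that `carry` is always 0 or 1 here because it comes straight from mbedtls_mpi_core_sub, which is what makes reusing it as the scalar operand valid. mbedtls_mpi_sub_abs continues outside the hunk.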
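Review bot: The added `(uint8_t) output_len` cast silences the narrowing warning but also silently truncates any output longer than 255 bytes into a wrong length prefix, while the next line still advances `output_offset` by the full `output_len + 1`, so the length byte and the data that follows would disagree. A guard before the cast, `if( output_len > 255 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`, or a comment stating the bound psa_pake_output() guarantees for the supported primitive, makes the invariant explicit instead of implicit. mbedtls_psa_ecjpake_write_round continues outside the hunk.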
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -763,6 +763,37 @@ def mpi_modmul_case_generate() -> None:
 # BEGIN MERGE SLOT 3
+class BignumCoreSubInt(BignumCoreTarget, bignum_common.OperationCommon):
+ """Test cases for bignum core sub int."""
+ count = 0
+ symbol = "-"
+ test_function = "mpi_core_sub_int"
+ test_name = "mpi_core_sub_int"
+ input_style = "arch_split"
+
+ @property
+ def is_valid(self) -> bool:
+ # This is "sub int", so b is only one limb
+ if bignum_common.limbs_mpi(self.int_b, self.bits_in_limb) > 1:
+ return False
+ return True
+
+ # Overriding because we don't want leading zeros on b
+ @property
+ def arg_b(self) -> str:
+ return self.val_b
+
+ def result(self) -> List[str]:
+ result = self.int_a - self.int_b
+
+ borrow, result = divmod(result, self.limb_boundary)
+
+ # Borrow will be -1 if non-zero, but we want it to be 1 in the test data
+ return [
+ self.format_result(result),
+ str(-borrow)
+ ]
+
 # END MERGE SLOT 3
 # BEGIN MERGE SLOT 4
diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function
index 612a7c6bd4..d5bb420023 100644
--- a/tests/suites/test_suite_bignum_core.function
+++ b/tests/suites/test_suite_bignum_core.function
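Review bot: `is_valid` spells a boolean out as an if/return False/return True ladder; `return bignum_common.limbs_mpi(self.int_b, self.bits_in_limb) <= 1` says the same in one line and keeps the explanatory comment. In `result()` the comment explains the sign flip but not why the quotient from `divmod` can only be 0 or -1; presumably `int_a` and `int_b` are both below `limb_boundary` once `is_valid` holds, in which case `# both operands are < limb_boundary, so the quotient is 0 or -1` above the `divmod` call would document the assumption the `str(-borrow)` line relies on.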
@@ -1049,6 +1049,52 @@ exit: /* BEGIN MERGE SLOT 3 */ +/* BEGIN_CASE */ +void mpi_core_sub_int( char * input_A, char * input_B, + char * input_X, int borrow ) +{ + /* We are testing A - b, where A is an MPI and b is a scalar, expecting + * result X with borrow borrow. However, for ease of handling we encode b + * as a 1-limb MPI (B) in the .data file. */ + + mbedtls_mpi_uint *A = NULL; + mbedtls_mpi_uint *B = NULL; + mbedtls_mpi_uint *X = NULL; + mbedtls_mpi_uint *R = NULL; + size_t A_limbs, B_limbs, X_limbs; + + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &A_limbs, input_A ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &B, &B_limbs, input_B ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &X_limbs, input_X ) ); + + /* The MPI encoding of scalar b must be only 1 limb */ + TEST_EQUAL( B_limbs, 1 ); + + /* The subtraction is fixed-width, so A and X must have the same number of limbs */ + TEST_EQUAL( A_limbs, X_limbs ); + size_t limbs = A_limbs; + + ASSERT_ALLOC( R, limbs ); + +#define TEST_COMPARE_CORE_MPIS( A, B, limbs ) \ + ASSERT_COMPARE( A, (limbs) * sizeof(mbedtls_mpi_uint), B, (limbs) * sizeof(mbedtls_mpi_uint) ) + + /* 1. R = A - b. Result and borrow should be correct */ + TEST_EQUAL( mbedtls_mpi_core_sub_int( R, A, B[0], limbs ), borrow ); + TEST_COMPARE_CORE_MPIS( R, X, limbs ); + + /* 2. A = A - b. Result and borrow should be correct */ + TEST_EQUAL( mbedtls_mpi_core_sub_int( A, A, B[0], limbs ), borrow ); + TEST_COMPARE_CORE_MPIS( A, X, limbs ); + +exit: + mbedtls_free( A ); + mbedtls_free( B ); + mbedtls_free( X ); + mbedtls_free( R ); +} +/* END_CASE */ + /* END MERGE SLOT 3 */ /* BEGIN MERGE SLOT 4 */ From fdb77cdae3565b9228a887b45f4de541832b5399 Mon Sep 17 00:00:00 2001 
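Review bot: `#define TEST_COMPARE_CORE_MPIS( A, B, limbs )` is defined inside the body of mpi_core_sub_int() and never `#undef`'d, so it stays visible to every test function generated after it in the suite and will clash with any later definition of the same name. Either add `#undef TEST_COMPARE_CORE_MPIS` after its last use, before `exit:`, or move it to the suite's shared header section so other bignum-core tests can use it. The macro's parameter names `A` and `B` also shadow the function's locals `A` and `B`, which is harmless but confusing when it is invoked as `TEST_COMPARE_CORE_MPIS( R, X, limbs )`; `lhs`/`rhs` would read better.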
From: Valerio Setti Date: Fri, 11 Nov 2022 12:02:24 +0100 Subject: [PATCH 277/413] psa_crypto_pake: internally call to psa_pake_abort() in case of errors In this way, in case of error, it is not possible to continue using the same psa_pake_operation_t without reinitializing it. This should make the PSA pake's behavior closer to what expected by the specification Signed-off-by: Valerio Setti --- library/psa_crypto_pake.c | 96 +++++++++++++++++++++++++++++++-------- 1 file changed, 76 insertions(+), 20 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index 659b712a5b..431057ca42 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -197,9 +197,14 @@ static psa_status_t mbedtls_ecjpake_to_psa_error( int ret ) psa_status_t psa_pake_setup( psa_pake_operation_t *operation, const psa_pake_cipher_suite_t *cipher_suite) { + psa_status_t status; + /* A context must be freshly initialized before it can be set up. */ if( operation->alg != PSA_ALG_NONE ) - return( PSA_ERROR_BAD_STATE ); + { + status = PSA_ERROR_BAD_STATE; + goto error; + } if( cipher_suite == NULL || PSA_ALG_IS_PAKE(cipher_suite->algorithm ) == 0 || @@ -207,7 +212,8 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, cipher_suite->type != PSA_PAKE_PRIMITIVE_TYPE_DH ) || PSA_ALG_IS_HASH( cipher_suite->hash ) == 0 ) { - return( PSA_ERROR_INVALID_ARGUMENT ); + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) @@ -218,7 +224,8 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, cipher_suite->bits != 256 || cipher_suite->hash != PSA_ALG_SHA_256 ) { - return( PSA_ERROR_NOT_SUPPORTED ); + status = PSA_ERROR_NOT_SUPPORTED; + goto error; } operation->alg = cipher_suite->algorithm; 
@@ -238,7 +245,11 @@ psa_status_t psa_pake_setup( psa_pake_operation_t *operation, } else #endif - return( PSA_ERROR_NOT_SUPPORTED ); + status = PSA_ERROR_NOT_SUPPORTED; + +error: + psa_pake_abort( operation ); + return status; } psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, @@ -253,12 +264,13 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) { - return( PSA_ERROR_BAD_STATE ); + status = PSA_ERROR_BAD_STATE; + goto error; } status = psa_get_key_attributes( password, &attributes ); if( status != PSA_SUCCESS ) - return( status ); + goto error; type = psa_get_key_type( &attributes ); usage = psa_get_key_usage_flags( &attributes ); @@ -268,11 +280,14 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, if( type != PSA_KEY_TYPE_PASSWORD && type != PSA_KEY_TYPE_PASSWORD_HASH ) { - return( PSA_ERROR_INVALID_ARGUMENT ); + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; } - if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 ) - return( PSA_ERROR_NOT_PERMITTED ); + if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 ) { + status = PSA_ERROR_NOT_PERMITTED; + goto error; + } if( operation->password != NULL ) return( PSA_ERROR_BAD_STATE ); 
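Review bot: Two error returns in psa_pake_set_password_key() are still plain returns and therefore bypass the new `error:` label and its psa_pake_abort(): `if( operation->password != NULL ) return( PSA_ERROR_BAD_STATE );` at the end of the last hunk here, and the `return( status );` after the key-slot unlock shown at the top of the next hunk. Rewriting them as `status = PSA_ERROR_BAD_STATE; goto error;` and `goto error;` would give this function the same abort-on-error behaviour the commit establishes for psa_pake_setup and the setters. The calloc-failure path between these hunks (visible in an earlier commit on this page) also returns directly, so it presumably needs the same treatment.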
@@ -297,47 +312,74 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation, return( status ); return( PSA_SUCCESS ); + +error: + psa_pake_abort(operation); + return( status ); } psa_status_t psa_pake_set_user( psa_pake_operation_t *operation, const uint8_t *user_id, size_t user_id_len ) { + psa_status_t status; + if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) { - return( PSA_ERROR_BAD_STATE ); + status = PSA_ERROR_BAD_STATE; + goto error; } if( user_id_len == 0 || user_id == NULL ) - return( PSA_ERROR_INVALID_ARGUMENT ); + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } - return( PSA_ERROR_NOT_SUPPORTED ); + status = PSA_ERROR_NOT_SUPPORTED; + +error: + psa_pake_abort(operation); + return( status ); } psa_status_t psa_pake_set_peer( psa_pake_operation_t *operation, const uint8_t *peer_id, size_t peer_id_len ) { + psa_status_t status; + if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) { - return( PSA_ERROR_BAD_STATE ); + status = PSA_ERROR_BAD_STATE; + goto error; } if( peer_id_len == 0 || peer_id == NULL ) - return( PSA_ERROR_INVALID_ARGUMENT ); + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; + } - return( PSA_ERROR_NOT_SUPPORTED ); + status = PSA_ERROR_NOT_SUPPORTED; + +error: + psa_pake_abort(operation); + return( status ); } psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, psa_pake_role_t role ) { + psa_status_t status; + if( operation->alg == PSA_ALG_NONE || operation->state != PSA_PAKE_STATE_SETUP ) { - return( PSA_ERROR_BAD_STATE ); + status = PSA_ERROR_BAD_STATE; + goto error; } if( role != PSA_PAKE_ROLE_NONE && @@ -346,7 +388,8 @@ psa_status_t psa_pake_set_role( psa_pake_operation_t *operation, role != PSA_PAKE_ROLE_CLIENT && role != PSA_PAKE_ROLE_SERVER ) { - return( PSA_ERROR_INVALID_ARGUMENT ); + status = PSA_ERROR_INVALID_ARGUMENT; + goto error; } #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE) 
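Review bot: The new abort calls are written two ways within the same commit: `psa_pake_abort(operation);` in psa_pake_set_password_key, psa_pake_set_user, psa_pake_set_peer and psa_pake_set_role here, versus `psa_pake_abort( operation );` in psa_pake_setup in the previous hunk; the file's style is the spaced form, so the four here should read `psa_pake_abort( operation );`. Likewise the `return status;` in psa_pake_setup's error path (previous hunk) lacks the parentheses used everywhere else in the file (`return( status );`).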
@@ -362,7 +405,11 @@ psa_status_t psa_pake_set_role( psa_pake_operation_t *operation,
 }
 else
 #endif
- return( PSA_ERROR_NOT_SUPPORTED );
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+error:
+ psa_pake_abort(operation);
+ return( status );
 }
 
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
@@ -812,7 +859,10 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation,
 operation->state != PSA_PAKE_STATE_READY ||
 operation->input_step != PSA_PAKE_STEP_DERIVE ||
 operation->output_step != PSA_PAKE_STEP_DERIVE )
- return( PSA_ERROR_BAD_STATE );
+ {
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
+ }
 
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
 if( operation->alg == PSA_ALG_JPAKE )
@@ -842,7 +892,13 @@ psa_status_t psa_pake_get_implicit_key(psa_pake_operation_t *operation,
 }
 else
 #endif
- return( PSA_ERROR_NOT_SUPPORTED );
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+error:
+ psa_key_derivation_abort( output );
+ psa_pake_abort( operation );
+
+ return( status );
 }
 
 psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
From 1070aed778b12931bde949ec3f6938d6e0cac9be Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Fri, 11 Nov 2022 19:37:31 +0100
Subject: [PATCH 278/413] test_suite_psa_crypto: do not re-use PAKE's contexts in case of errors

As for ecjpake_setup(), now the test function can handle:
- "external" errors, through parameters set by the data file
- "internal" ones, through enums which inject ad-hoc failures

Similarly also ecjpake_rounds() can handle both type of errors, but right now there's no erroneous case in the associated ".data" file.

In both cases, after an error the current test is terminated.

Signed-off-by: Valerio Setti
---
 tests/suites/test_suite_psa_crypto.data | 141 ++++++---
 tests/suites/test_suite_psa_crypto.function | 327 ++++++++++++--------
 2 files changed, 305 insertions(+), 163 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 659205d529..247c57e334 100644
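Review bot: In the `@@ -842,7 +892,13 @@` hunk the `error:` label calls `psa_key_derivation_abort( output )` on every failure, including the early `PSA_ERROR_BAD_STATE` path added in `@@ -812,7 +859,10 @@`, where the PAKE operation has not yet written anything into the caller's derivation operation; whatever the caller had already configured on `output` is wiped as a side effect of a state error on a different object. If resetting `output` on all failures is the intended contract, say so in a comment above the label, e.g. `/* On any failure both operations become unusable: reset the caller's derivation operation and abort the PAKE operation. */`; otherwise abort `output` only once the PAKE operation has actually fed it. The head of psa_pake_get_implicit_key, and the API documentation that would settle this, are outside the visible lines.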
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -6491,74 +6491,133 @@ persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY PSA derive persistent key: HKDF SHA-256, exportable persistent_key_load_key_from_storage:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_TYPE_RAW_DATA:1024:PSA_KEY_USAGE_EXPORT:0:DERIVE_KEY +PSA PAKE: uninitialized access to psa_pake_operation_t +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE + PSA PAKE: invalid alg depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_INVALID_ARGUMENT:0:0:0 +ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: invalid primitive type depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid primitive family depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid primitive bits depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid hash depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":PSA_ERROR_NOT_SUPPORTED:0:0:0 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED -PSA PAKE: ecjpake setup server output step first +PSA PAKE: duplicate a valid setup depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":0:0:0:0 - -PSA PAKE: 
ecjpake setup server input step first -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":0:0:0:0 - -PSA PAKE: ecjpake setup server empty password -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":0:0:0:PSA_ERROR_BAD_STATE - -PSA PAKE: ecjpake setup client output step first -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:0:0 - -PSA PAKE: ecjpake setup client input step first -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:1:"abcd":0:0:0:0 - -PSA PAKE: ecjpake setup client empty password -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":0:0:0:PSA_ERROR_BAD_STATE - -PSA PAKE: ecjpake setup client bad password key type -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 
PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:PSA_ERROR_INVALID_ARGUMENT:0 - -PSA PAKE: ecjpake setup client bad password key usage -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":0:0:PSA_ERROR_NOT_PERMITTED:0 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_DUPLICATE_SETUP:PSA_ERROR_BAD_STATE PSA PAKE: ecjpake setup invalid role NONE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":0:PSA_ERROR_NOT_SUPPORTED:0:0 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: wrong key type password +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: wrong key usage type +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:0:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_PERMITTED + +PSA PAKE: set invalid user +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_INVALID_USER:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: set invalid peer +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_INVALID_PEER:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: set user +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_SET_USER:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: set peer +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_SET_PEER:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: empty server password +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":INJECT_ERR_NONE:PSA_ERROR_BAD_STATE + +PSA PAKE: empty client password +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":INJECT_ERR_NONE:PSA_ERROR_BAD_STATE + +PSA PAKE: invalid input +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_EMPTY_IO_BUFFER:0 + +PSA PAKE: unkown input step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_UNKNOWN_STEP:0 + +PSA PAKE: invalid first input step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_INVALID_FIRST_STEP:0 + +PSA PAKE: input buffer too large +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_WRONG_BUFFER_SIZE:0 + +PSA PAKE: valid input operation after a failure +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_VALID_OPERATION_AFTER_FAILURE:0 + +PSA PAKE: invalid output 
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_EMPTY_IO_BUFFER:0 + +PSA PAKE: unkown output step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_UNKNOWN_STEP:0 + +PSA PAKE: invalid first output step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_INVALID_FIRST_STEP:0 + +PSA PAKE: output buffer too small +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_WRONG_BUFFER_SIZE:0 + +PSA PAKE: valid output operation after a failure +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_VALID_OPERATION_AFTER_FAILURE:0 + +PSA PAKE: ecjpake setup client bad password key type +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 
PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: ecjpake setup client bad password key usage +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_PERMITTED PSA PAKE: ecjpake rounds depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ERR_NONE PSA PAKE: ecjpake rounds, client input first depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:0 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:INJECT_ERR_NONE -# This test case relies on implementation (it may need to be adjusted in the future) -PSA PAKE: ecjpake rounds - key is destroyed after being passed to set_password_key +PSA PAKE: ecjpake rounds, early key derivation 1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ANTICIPATE_KEY_DERIVATION_1 + +PSA PAKE: ecjpake rounds, early key derivation 2 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ANTICIPATE_KEY_DERIVATION_2 PSA PAKE: ecjpake no input errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ca1614befa..8d42bf9b34 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1318,6 +1318,24 @@ exit: } #endif /* PSA_WANT_ALG_JPAKE */ +typedef enum +{ + INJECT_ERR_NONE = 0, + INJECT_ERR_UNINITIALIZED_ACCESS, + INJECT_ERR_DUPLICATE_SETUP, + INJECT_ERR_INVALID_USER, + INJECT_ERR_INVALID_PEER, + INJECT_ERR_SET_USER, + INJECT_ERR_SET_PEER, + INJECT_EMPTY_IO_BUFFER, + INJECT_UNKNOWN_STEP, + INJECT_INVALID_FIRST_STEP, + INJECT_WRONG_BUFFER_SIZE, + INJECT_VALID_OPERATION_AFTER_FAILURE, + INJECT_ANTICIPATE_KEY_DERIVATION_1, + INJECT_ANTICIPATE_KEY_DERIVATION_2, +} ecjpake_injected_failure_t; + /* END_HEADER */ /* BEGIN_DEPENDENCIES 
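Review bot: The two new test names `PSA PAKE: unkown input step` and `PSA PAKE: unkown output step` misspell "unknown"; since these names are what CI output and test selection show, please rename them to `PSA PAKE: unknown input step` and `PSA PAKE: unknown output step`. The input/output injection rows (`INJECT_EMPTY_IO_BUFFER`, `INJECT_UNKNOWN_STEP`, `INJECT_INVALID_FIRST_STEP`, `INJECT_WRONG_BUFFER_SIZE`, `INJECT_VALID_OPERATION_AFTER_FAILURE`) pass `0` in the expected-error column even though each of them provokes a failure, so a reader of this file cannot tell that the expected status is hard-coded in the test function for those cases.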
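Review bot: `ecjpake_injected_failure_t` is added with no comment saying what each value makes ecjpake_setup()/ecjpake_rounds() do, and the naming is mixed (`INJECT_ERR_*` for the first six values, bare `INJECT_*` for the rest) although every value selects a failure to provoke. Add a short header comment above the typedef, e.g. `/* Failure to provoke in ecjpake_setup()/ecjpake_rounds(): each value selects one erroneous call; the test stops right after it. */`, and either prefix all values with `INJECT_ERR_` or drop the prefix everywhere.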
@@ -8753,11 +8771,9 @@ exit: /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, int primitive_arg, int hash_arg, int role_arg, - int input_first, data_t *pw_data, - int expected_status_setup_arg, - int expected_status_set_role_arg, - int expected_status_set_password_key_arg, - int expected_status_input_output_arg) + int test_input, data_t *pw_data, + int inj_err_type_arg, + int expected_error_arg) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t operation = psa_pake_operation_init(); @@ -8769,12 +8785,9 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, psa_pake_role_t role = role_arg; mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t expected_status_setup = expected_status_setup_arg; - psa_status_t expected_status_set_role = expected_status_set_role_arg; - psa_status_t expected_status_set_password_key = - expected_status_set_password_key_arg; - psa_status_t expected_status_input_output = - expected_status_input_output_arg; + ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; + psa_status_t expected_error = expected_error_arg; + psa_status_t status; unsigned char *output_buffer = NULL; size_t output_len = 0; 
@@ -8799,54 +8812,90 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, PSA_ASSERT( psa_pake_abort( &operation ) ); - TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), - PSA_ERROR_BAD_STATE ); - TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), - PSA_ERROR_BAD_STATE ); - TEST_EQUAL( psa_pake_set_password_key( &operation, key ), - PSA_ERROR_BAD_STATE ); - TEST_EQUAL( psa_pake_set_role( &operation, role ), - PSA_ERROR_BAD_STATE ); - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, - NULL, 0, NULL ), - PSA_ERROR_BAD_STATE ); - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0), - PSA_ERROR_BAD_STATE ); - - PSA_ASSERT( psa_pake_abort( &operation ) ); - - TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ), - expected_status_setup ); - if( expected_status_setup != PSA_SUCCESS ) + if ( inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS ) + { + TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_set_password_key( &operation, key ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_set_role( &operation, role ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, + NULL, 0, NULL ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); goto exit; + } - TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ), - PSA_ERROR_BAD_STATE ); - - TEST_EQUAL( psa_pake_set_role( &operation, role), - expected_status_set_role ); - if( expected_status_set_role != PSA_SUCCESS ) + status = psa_pake_setup( &operation, &cipher_suite ); + 
if (status != PSA_SUCCESS) + { + TEST_EQUAL( status, expected_error ); goto exit; + } + + if( inj_err_type == INJECT_ERR_DUPLICATE_SETUP ) + { + TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ), + expected_error ); + goto exit; + } + + status = psa_pake_set_role( &operation, role); + if ( status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_error ); + goto exit; + } if( pw_data->len > 0 ) { - TEST_EQUAL( psa_pake_set_password_key( &operation, key ), - expected_status_set_password_key ); - if( expected_status_set_password_key != PSA_SUCCESS ) + status = psa_pake_set_password_key( &operation, key ); + if ( status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_error ); goto exit; + } } - TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), - PSA_ERROR_INVALID_ARGUMENT ); - TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), - PSA_ERROR_INVALID_ARGUMENT ); + if ( inj_err_type == INJECT_ERR_INVALID_USER ) + { + TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } - const uint8_t unsupported_id[] = "abcd"; + if ( inj_err_type == INJECT_ERR_INVALID_PEER ) + { + TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } - TEST_EQUAL( psa_pake_set_user( &operation, unsupported_id, 4 ), - PSA_ERROR_NOT_SUPPORTED ); - TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ), - PSA_ERROR_NOT_SUPPORTED ); + if ( inj_err_type == INJECT_ERR_SET_USER ) + { + const uint8_t unsupported_id[] = "abcd"; + TEST_EQUAL( psa_pake_set_user( &operation, unsupported_id, 4 ), + PSA_ERROR_NOT_SUPPORTED ); + goto exit; + } + + if ( inj_err_type == INJECT_ERR_SET_PEER ) + { + const uint8_t unsupported_id[] = "abcd"; + TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ), + PSA_ERROR_NOT_SUPPORTED ); + goto exit; + } const size_t size_key_share = PSA_PAKE_INPUT_SIZE( alg, primitive, PSA_PAKE_STEP_KEY_SHARE ); 
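Review bot: The `INJECT_ERR_INVALID_USER`, `INJECT_ERR_INVALID_PEER`, `INJECT_ERR_SET_USER` and `INJECT_ERR_SET_PEER` branches assert hard-coded statuses (`PSA_ERROR_INVALID_ARGUMENT`, `PSA_ERROR_NOT_SUPPORTED`) even though the function now takes `expected_error` and the matching `.data` rows ("set invalid user", "set user", ...) fill that column in; the value from the data file is never checked for these cases. Compare against the parameter instead, e.g. `TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), expected_error );`, and likewise in the other three branches. The `INJECT_EMPTY_IO_BUFFER`/`INJECT_UNKNOWN_STEP`/`INJECT_INVALID_FIRST_STEP`/`INJECT_WRONG_BUFFER_SIZE` branches in the next hunk have the same shape, but there the rows pass `0`, so those rows and asserts need to be aligned together. ecjpake_setup starts before and ends after this hunk.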
@@ -8855,85 +8904,109 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE( alg, primitive, PSA_PAKE_STEP_ZK_PROOF ); - /* First round */ - if( input_first ) + if ( test_input ) { - /* Invalid parameters (input) */ - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, - NULL, 0 ), - PSA_ERROR_INVALID_ARGUMENT ); - /* Invalid parameters (step) */ - TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ) , 0 ); - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, - output_buffer, size_zk_proof ), - PSA_ERROR_INVALID_ARGUMENT ); - /* Invalid first step */ - TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ), 0 ); - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, - output_buffer, size_zk_proof ), - PSA_ERROR_BAD_STATE ); - - /* Possibly valid */ - TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ), 0 ); - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, - output_buffer, size_key_share ), - expected_status_input_output); - - if( expected_status_input_output == PSA_SUCCESS ) + if ( inj_err_type == INJECT_EMPTY_IO_BUFFER ) { - /* Buffer too large */ - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, size_zk_public + 1 ), - PSA_ERROR_INVALID_ARGUMENT ); + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0 ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } - /* The operation's state should be invalidated at this point */ + if ( inj_err_type == INJECT_UNKNOWN_STEP ) + { + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, + output_buffer, size_zk_proof ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_INVALID_FIRST_STEP ) + { + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, + output_buffer, 
size_zk_proof ), + PSA_ERROR_BAD_STATE ); + goto exit; + } + + status = psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, + output_buffer, size_key_share ); + if ( status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_error); + goto exit; + } + + if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE ) + { + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public + 1 ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE ) + { + // Just trigger any kind of error. We don't care about the result here + psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public + 1 ); TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, output_buffer, size_zk_public ), - PSA_ERROR_BAD_STATE ); + PSA_ERROR_BAD_STATE ); + goto exit; } - } - else - { - /* Invalid parameters (output) */ - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, - NULL, 0, NULL ), - PSA_ERROR_INVALID_ARGUMENT ); - /* Invalid parameters (step) */ - TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ), 0 ); - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, - output_buffer, buf_size, &output_len ), - PSA_ERROR_INVALID_ARGUMENT ); - /* Invalid first step */ - TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ), 0 ); - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, - output_buffer, buf_size, &output_len ), - PSA_ERROR_BAD_STATE ); - - /* Possibly valid */ - TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role, - key, pw_data->len ), 0 ); - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, - output_buffer, buf_size, &output_len ), - expected_status_input_output ); - - if( expected_status_input_output == PSA_SUCCESS ) + } else { + if ( inj_err_type == INJECT_EMPTY_IO_BUFFER ) { - TEST_ASSERT( output_len > 0 ); + 
TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, + NULL, 0, NULL ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } - /* Buffer too small */ - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, size_zk_public - 1, &output_len ), - PSA_ERROR_BUFFER_TOO_SMALL ); + if ( inj_err_type == INJECT_UNKNOWN_STEP ) + { + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, + output_buffer, buf_size, &output_len ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } - /* The operation's state should be invalidated at this point */ + if ( inj_err_type == INJECT_INVALID_FIRST_STEP ) + { + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, + output_buffer, buf_size, &output_len ), + PSA_ERROR_BAD_STATE ); + goto exit; + } + + status = psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, + output_buffer, buf_size, &output_len ); + if ( status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_error); + goto exit; + } + + TEST_ASSERT( output_len > 0 ); + + if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE ) + { TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, buf_size, &output_len ), - PSA_ERROR_BAD_STATE ); + output_buffer, size_zk_public - 1, &output_len ), + PSA_ERROR_BUFFER_TOO_SMALL ); + goto exit; + } + + if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE ) + { + // Just trigger any kind of error. We don't care about the result here + psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public - 1, &output_len ); + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, buf_size, &output_len ), + PSA_ERROR_BAD_STATE ); + goto exit; } } 
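Review bot: The rewritten input/output branches switch to `} else {`, `if ( inj_err_type == ... )` and `if ( status != PSA_SUCCESS )`, while the context lines of this same function use the file's `if( ... )` form with the brace on its own line; the two `// Just trigger any kind of error...` comments are also C++-style where the rest of the file uses `/* ... */`. Write `}` / `else` / `{` on separate lines, drop the space before `(`, and use `/* Just trigger any kind of error. We don't care about the result here */`. ecjpake_setup continues past this hunk.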
@@ -9000,7 +9073,8 @@ exit: /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, int derive_alg_arg, data_t *pw_data, - int client_input_first, int destroy_key ) + int client_input_first, int destroy_key, + int client_input_first, int inj_err_type_arg ) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t server = psa_pake_operation_init(); @@ -9014,6 +9088,7 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, PSA_KEY_DERIVATION_OPERATION_INIT; psa_key_derivation_operation_t client_derive = PSA_KEY_DERIVATION_OPERATION_INIT; + ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; PSA_INIT( ); @@ -9054,19 +9129,27 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, if( destroy_key == 1 ) psa_destroy_key( key ); - TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), + if( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1 ) + { + TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), PSA_ERROR_BAD_STATE ); - TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), + TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), PSA_ERROR_BAD_STATE ); + goto exit; + } /* First round */ ecjpake_do_round( alg, primitive_arg, &server, &client, client_input_first, 1, 0 ); - TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), + if ( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2 ) + { + TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), PSA_ERROR_BAD_STATE ); - TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), + TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), PSA_ERROR_BAD_STATE ); + goto exit; + } /* Second round */ ecjpake_do_round( alg, primitive_arg, &server, &client, From 024b028ce16f0cf1dbaa172e8e40f1519e326b8d Mon Sep 17 00:00:00 2001 
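Review bot: The new signature in the first hunk declares `client_input_first` twice — the added lines read `int client_input_first, int destroy_key,` followed by `int client_input_first, int inj_err_type_arg )` — which is a redeclared-parameter error, so ecjpake_rounds no longer compiles. The intent appears to be adding only the injection selector (the third hunk reads `inj_err_type` and still uses `destroy_key`), so the second added line should be just `int inj_err_type_arg )`. Every `ecjpake_rounds:` line in the .data file then has to carry the extra argument, which cannot be checked from this patch. The body of ecjpake_rounds continues outside these hunks.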
From: Valerio Setti
Date: Wed, 16 Nov 2022 12:32:29 +0100
Subject: [PATCH 279/413] test: split psa_pake function/data from the generic test_suite_psa_crypto
Signed-off-by: Valerio Setti
---
 tests/suites/test_suite_psa_crypto.data | 172 ---
 tests/suites/test_suite_psa_crypto.function | 4 -
 tests/suites/test_suite_psa_crypto_pake.data | 171 +++
 .../test_suite_psa_crypto_pake.function | 1060 +++++++++++++++++
 4 files changed, 1231 insertions(+), 176 deletions(-)
 create mode 100644 tests/suites/test_suite_psa_crypto_pake.data
 create mode 100644 tests/suites/test_suite_psa_crypto_pake.function
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 247c57e334..946234c41a 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -6490,175 +6490,3 @@ persistent_key_load_key_from_storage:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY PSA derive persistent key: HKDF SHA-256, exportable persistent_key_load_key_from_storage:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_TYPE_RAW_DATA:1024:PSA_KEY_USAGE_EXPORT:0:DERIVE_KEY - -PSA PAKE: uninitialized access to psa_pake_operation_t -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE - -PSA PAKE: invalid alg -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT - -PSA PAKE: invalid primitive type -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: invalid primitive family -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: invalid primitive bits -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: invalid hash -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: duplicate a valid setup -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_DUPLICATE_SETUP:PSA_ERROR_BAD_STATE - -PSA PAKE: ecjpake setup invalid role NONE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: wrong key type password -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT - -PSA PAKE: wrong key usage type -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:0:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_PERMITTED - -PSA PAKE: set invalid user -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_INVALID_USER:PSA_ERROR_INVALID_ARGUMENT - -PSA PAKE: set invalid peer -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_INVALID_PEER:PSA_ERROR_INVALID_ARGUMENT - -PSA PAKE: set user -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_SET_USER:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: set peer -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_SET_PEER:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: empty server password -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":INJECT_ERR_NONE:PSA_ERROR_BAD_STATE - -PSA PAKE: empty client password -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":INJECT_ERR_NONE:PSA_ERROR_BAD_STATE - -PSA PAKE: invalid input -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_EMPTY_IO_BUFFER:0 - -PSA PAKE: unkown input step -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_UNKNOWN_STEP:0 - -PSA PAKE: invalid first input step -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_INVALID_FIRST_STEP:0 - -PSA PAKE: input buffer too large -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_WRONG_BUFFER_SIZE:0 - -PSA PAKE: valid input operation after a failure -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_VALID_OPERATION_AFTER_FAILURE:0 - -PSA PAKE: invalid output 
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_EMPTY_IO_BUFFER:0 - -PSA PAKE: unkown output step -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_UNKNOWN_STEP:0 - -PSA PAKE: invalid first output step -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_INVALID_FIRST_STEP:0 - -PSA PAKE: output buffer too small -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_WRONG_BUFFER_SIZE:0 - -PSA PAKE: valid output operation after a failure -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_VALID_OPERATION_AFTER_FAILURE:0 - -PSA PAKE: ecjpake setup client bad password key type -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 
PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT - -PSA PAKE: ecjpake setup client bad password key usage -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_PERMITTED - -PSA PAKE: ecjpake rounds -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ERR_NONE - -PSA PAKE: ecjpake rounds, client input first -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:INJECT_ERR_NONE - -PSA PAKE: ecjpake rounds, early key derivation 1 -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ANTICIPATE_KEY_DERIVATION_1 - -PSA PAKE: ecjpake rounds, early key derivation 2 -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ANTICIPATE_KEY_DERIVATION_2 - -PSA PAKE: ecjpake no input errors 
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef" - -PSA PAKE: ecjpake no input errors, client input first -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef" - -PSA PAKE: ecjpake inject input errors, first round client -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:1:"abcdef" - -PSA PAKE: ecjpake inject input errors, first round client, client input first -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:1:"abcdef" - -PSA PAKE: ecjpake inject input errors, first round server -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:2:"abcdef" - -PSA PAKE: ecjpake inject input errors, first round server, client input first -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:2:"abcdef" - -PSA PAKE: ecjpake inject input errors, second round client -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:0:3:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, second round client, client input first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:3:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, second round server
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:4:"abcdef"
-
-PSA PAKE: ecjpake inject input errors, second round server, client input first
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:4:"abcdef"
-
-PSA PAKE: ecjpake size macros
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256
-ecjpake_size_macros:
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 8d42bf9b34..a2297639ee 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -9073,7 +9073,6 @@ exit:
 /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
 void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg,
 int derive_alg_arg, data_t *pw_data,
- int client_input_first, int destroy_key,
 int client_input_first, int inj_err_type_arg )
 {
 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
@@ -9126,9 +9125,6 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, PSA_ASSERT( psa_pake_set_password_key( &server, key ) ); PSA_ASSERT( psa_pake_set_password_key( &client, key ) ); - if( destroy_key == 1 ) - psa_destroy_key( key ); - if( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1 ) { TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data new file mode 100644 index 0000000000..fba9e8ee30 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_pake.data 
@@ -0,0 +1,171 @@ +PSA PAKE: uninitialized access to psa_pake_operation_t +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE + +PSA PAKE: invalid alg +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: invalid primitive type +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: invalid primitive family +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: invalid primitive bits +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: invalid hash +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: duplicate a valid setup +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_DUPLICATE_SETUP:PSA_ERROR_BAD_STATE + +PSA PAKE: ecjpake setup invalid role NONE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: wrong key type password +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: wrong key usage type +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:0:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_PERMITTED + +PSA PAKE: set invalid user +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_INVALID_USER:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: set invalid peer +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_INVALID_PEER:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: set user +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_SET_USER:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: set peer +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_SET_PEER:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: empty server password +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":INJECT_ERR_NONE:PSA_ERROR_BAD_STATE + +PSA PAKE: empty client password +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":INJECT_ERR_NONE:PSA_ERROR_BAD_STATE + +PSA PAKE: invalid input +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_EMPTY_IO_BUFFER:0 + +PSA PAKE: unkown input step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_UNKNOWN_STEP:0 + +PSA PAKE: invalid first input step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_INVALID_FIRST_STEP:0 + +PSA PAKE: input buffer too large +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_WRONG_BUFFER_SIZE:0 + +PSA PAKE: valid input operation after a failure +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_VALID_OPERATION_AFTER_FAILURE:0 + +PSA PAKE: invalid output +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_EMPTY_IO_BUFFER:0 + +PSA PAKE: unkown output step 
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_UNKNOWN_STEP:0 + +PSA PAKE: invalid first output step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_INVALID_FIRST_STEP:0 + +PSA PAKE: output buffer too small +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_WRONG_BUFFER_SIZE:0 + +PSA PAKE: valid output operation after a failure +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_VALID_OPERATION_AFTER_FAILURE:0 + +PSA PAKE: ecjpake setup client bad password key type +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: ecjpake setup client bad password key usage +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_PERMITTED + +PSA PAKE: ecjpake rounds +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ERR_NONE + +PSA PAKE: ecjpake rounds, client input first +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:INJECT_ERR_NONE + +PSA PAKE: ecjpake rounds, early key derivation 1 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ANTICIPATE_KEY_DERIVATION_1 + +PSA PAKE: ecjpake rounds, early key derivation 2 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ANTICIPATE_KEY_DERIVATION_2 + +PSA PAKE: ecjpake no input errors +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef" + +PSA PAKE: ecjpake no input errors, 
client input first +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef" + +PSA PAKE: ecjpake inject input errors, first round client +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:1:"abcdef" + +PSA PAKE: ecjpake inject input errors, first round client, client input first +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:1:"abcdef" + +PSA PAKE: ecjpake inject input errors, first round server +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:2:"abcdef" + +PSA PAKE: ecjpake inject input errors, first round server, client input first +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:2:"abcdef" + +PSA PAKE: ecjpake inject input errors, second round client +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:3:"abcdef" + +PSA PAKE: ecjpake inject input errors, second round client, client input first +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:3:"abcdef" + +PSA PAKE: ecjpake inject input errors, second round server +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:4:"abcdef" + +PSA PAKE: ecjpake inject input errors, second round server, client input first +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:4:"abcdef" + +PSA PAKE: ecjpake size macros +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 +ecjpake_size_macros: diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function new file mode 100644 index 0000000000..c378b4932b --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_pake.function 
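Review bot: The `PSA PAKE: ecjpake no input errors, client input first` case passes `...:PSA_ALG_SHA_256:0:0:"abcdef"`, the same arguments as the preceding `no input errors` case, so the client-input-first ordering of ecjpake_rounds_inject is never exercised without injected errors. By the pattern of the neighbouring pairs (`0:1` beside `1:1`, `0:2` beside `1:2`) the fourth field looks like client_input_first and should be 1: `ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:0:"abcdef"`. The line is moved verbatim from test_suite_psa_crypto.data, so the mistake predates this commit but this is a good place to fix it. The two test names spelled `unkown input step` and `unkown output step` should read `unknown`.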
@@ -0,0 +1,1060 @@ +/* BEGIN_HEADER */ +#include + +#include "psa/crypto.h" + +#if defined(PSA_WANT_ALG_JPAKE) +static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, + psa_pake_operation_t *server, + psa_pake_operation_t *client, + int client_input_first, + int round, int inject_error ) +{ + unsigned char *buffer0 = NULL, *buffer1 = NULL; + size_t buffer_length = ( + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE) + + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC) + + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF)) * 2; + /* The output should be exactly this size according to the spec */ + const size_t expected_size_key_share = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_KEY_SHARE); + /* The output should be exactly this size according to the spec */ + const size_t expected_size_zk_public = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PUBLIC); + /* The output can be smaller: the spec allows stripping leading zeroes */ + const size_t max_expected_size_zk_proof = + PSA_PAKE_OUTPUT_SIZE(alg, primitive, PSA_PAKE_STEP_ZK_PROOF); + size_t buffer0_off = 0; + size_t buffer1_off = 0; + size_t s_g1_len, s_g2_len, s_a_len; + size_t s_g1_off, s_g2_off, s_a_off; + size_t s_x1_pk_len, s_x2_pk_len, s_x2s_pk_len; + size_t s_x1_pk_off, s_x2_pk_off, s_x2s_pk_off; + size_t s_x1_pr_len, s_x2_pr_len, s_x2s_pr_len; + size_t s_x1_pr_off, s_x2_pr_off, s_x2s_pr_off; + size_t c_g1_len, c_g2_len, c_a_len; + size_t c_g1_off, c_g2_off, c_a_off; + size_t c_x1_pk_len, c_x2_pk_len, c_x2s_pk_len; + size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; + size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; + size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; + psa_status_t expected_status = PSA_SUCCESS; + psa_status_t status; + + ASSERT_ALLOC( buffer0, buffer_length ); + ASSERT_ALLOC( buffer1, buffer_length ); + + switch( round ) + { + case 1: + /* Server first round Output */ + PSA_ASSERT( psa_pake_output( server, 
PSA_PAKE_STEP_KEY_SHARE, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_g1_len ) ); + TEST_EQUAL( s_g1_len, expected_size_key_share ); + s_g1_off = buffer0_off; + buffer0_off += s_g1_len; + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x1_pk_len ) ); + TEST_EQUAL( s_x1_pk_len, expected_size_zk_public ); + s_x1_pk_off = buffer0_off; + buffer0_off += s_x1_pk_len; + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x1_pr_len ) ); + TEST_LE_U( s_x1_pr_len, max_expected_size_zk_proof ); + s_x1_pr_off = buffer0_off; + buffer0_off += s_x1_pr_len; + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_g2_len ) ); + TEST_EQUAL( s_g2_len, expected_size_key_share ); + s_g2_off = buffer0_off; + buffer0_off += s_g2_len; + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x2_pk_len ) ); + TEST_EQUAL( s_x2_pk_len, expected_size_zk_public ); + s_x2_pk_off = buffer0_off; + buffer0_off += s_x2_pk_len; + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x2_pr_len ) ); + TEST_LE_U( s_x2_pr_len, max_expected_size_zk_proof ); + s_x2_pr_off = buffer0_off; + buffer0_off += s_x2_pr_len; + + if( inject_error == 1 ) + { + buffer0[s_x1_pr_off + 8] ^= 1; + buffer0[s_x2_pr_off + 7] ^= 1; + expected_status = PSA_ERROR_DATA_INVALID; + } + + /* + * When injecting errors in inputs, the implementation is + * free to detect it right away of with a delay. + * This permits delaying the error until the end of the input + * sequence, if no error appears then, this will be treated + * as an error. 
+ */ + + if( client_input_first == 1 ) + { + /* Client first round Input */ + status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_g1_off, s_g1_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x1_pk_off, + s_x1_pk_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x1_pr_off, + s_x1_pr_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_g2_off, + s_g2_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x2_pk_off, + s_x2_pk_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x2_pr_off, + s_x2_pr_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + /* Error didn't trigger, make test fail */ + if( inject_error == 1 ) + TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." 
); + } + + /* Client first round Output */ + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_g1_len ) ); + TEST_EQUAL( c_g1_len, expected_size_key_share ); + c_g1_off = buffer1_off; + buffer1_off += c_g1_len; + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x1_pk_len ) ); + TEST_EQUAL( c_x1_pk_len, expected_size_zk_public ); + c_x1_pk_off = buffer1_off; + buffer1_off += c_x1_pk_len; + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x1_pr_len ) ); + TEST_LE_U( c_x1_pr_len, max_expected_size_zk_proof ); + c_x1_pr_off = buffer1_off; + buffer1_off += c_x1_pr_len; + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_g2_len ) ); + TEST_EQUAL( c_g2_len, expected_size_key_share ); + c_g2_off = buffer1_off; + buffer1_off += c_g2_len; + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x2_pk_len ) ); + TEST_EQUAL( c_x2_pk_len, expected_size_zk_public ); + c_x2_pk_off = buffer1_off; + buffer1_off += c_x2_pk_len; + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x2_pr_len ) ); + TEST_LE_U( c_x2_pr_len, max_expected_size_zk_proof ); + c_x2_pr_off = buffer1_off; + buffer1_off += c_x2_pr_len; + + if( client_input_first == 0 ) + { + /* Client first round Input */ + status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_g1_off, s_g1_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x1_pk_off, + s_x1_pk_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + 
break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x1_pr_off, + s_x1_pr_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_g2_off, + s_g2_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x2_pk_off, + s_x2_pk_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x2_pr_off, + s_x2_pr_len ); + if( inject_error == 1 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + /* Error didn't trigger, make test fail */ + if( inject_error == 1 ) + TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." 
); + } + + if( inject_error == 2 ) + { + buffer1[c_x1_pr_off + 12] ^= 1; + buffer1[c_x2_pr_off + 7] ^= 1; + expected_status = PSA_ERROR_DATA_INVALID; + } + + /* Server first round Input */ + status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + c_g1_off, c_g1_len ); + if( inject_error == 2 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + c_x1_pk_off, c_x1_pk_len ); + if( inject_error == 2 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + c_x1_pr_off, c_x1_pr_len ); + if( inject_error == 2 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + c_g2_off, c_g2_len ); + if( inject_error == 2 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + c_x2_pk_off, c_x2_pk_len ); + if( inject_error == 2 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + c_x2_pr_off, c_x2_pr_len ); + if( inject_error == 2 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + /* Error didn't trigger, make test fail */ + if( inject_error == 2 ) + TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." 
); + + break; + + case 2: + /* Server second round Output */ + buffer0_off = 0; + + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_a_len ) ); + TEST_EQUAL( s_a_len, expected_size_key_share ); + s_a_off = buffer0_off; + buffer0_off += s_a_len; + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x2s_pk_len ) ); + TEST_EQUAL( s_x2s_pk_len, expected_size_zk_public ); + s_x2s_pk_off = buffer0_off; + buffer0_off += s_x2s_pk_len; + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + buffer0_off, + 512 - buffer0_off, &s_x2s_pr_len ) ); + TEST_LE_U( s_x2s_pr_len, max_expected_size_zk_proof ); + s_x2s_pr_off = buffer0_off; + buffer0_off += s_x2s_pr_len; + + if( inject_error == 3 ) + { + buffer0[s_x2s_pk_off + 12] += 0x33; + expected_status = PSA_ERROR_DATA_INVALID; + } + + if( client_input_first == 1 ) + { + /* Client second round Input */ + status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_a_off, s_a_len ); + if( inject_error == 3 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x2s_pk_off, + s_x2s_pk_len ); + if( inject_error == 3 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x2s_pr_off, + s_x2s_pr_len ); + if( inject_error == 3 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + /* Error didn't trigger, make test fail */ + if( inject_error == 3 ) + TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." 
); + } + + /* Client second round Output */ + buffer1_off = 0; + + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_a_len ) ); + TEST_EQUAL( c_a_len, expected_size_key_share ); + c_a_off = buffer1_off; + buffer1_off += c_a_len; + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x2s_pk_len ) ); + TEST_EQUAL( c_x2s_pk_len, expected_size_zk_public ); + c_x2s_pk_off = buffer1_off; + buffer1_off += c_x2s_pk_len; + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + buffer1_off, + 512 - buffer1_off, &c_x2s_pr_len ) ); + TEST_LE_U( c_x2s_pr_len, max_expected_size_zk_proof ); + c_x2s_pr_off = buffer1_off; + buffer1_off += c_x2s_pr_len; + + if( client_input_first == 0 ) + { + /* Client second round Input */ + status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, + buffer0 + s_a_off, s_a_len ); + if( inject_error == 3 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, + buffer0 + s_x2s_pk_off, + s_x2s_pk_len ); + if( inject_error == 3 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, + buffer0 + s_x2s_pr_off, + s_x2s_pr_len ); + if( inject_error == 3 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + /* Error didn't trigger, make test fail */ + if( inject_error == 3 ) + TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." 
); + } + + if( inject_error == 4 ) + { + buffer1[c_x2s_pk_off + 7] += 0x28; + expected_status = PSA_ERROR_DATA_INVALID; + } + + /* Server second round Input */ + status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, + buffer1 + c_a_off, c_a_len ); + if( inject_error == 4 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, + buffer1 + c_x2s_pk_off, c_x2s_pk_len ); + if( inject_error == 4 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, + buffer1 + c_x2s_pr_off, c_x2s_pr_len ); + if( inject_error == 4 && status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_status ); + break; + } + else + { + TEST_EQUAL( status, PSA_SUCCESS ); + } + + /* Error didn't trigger, make test fail */ + if( inject_error == 4 ) + TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." 
); + + break; + + } + +exit: + mbedtls_free( buffer0 ); + mbedtls_free( buffer1 ); +} +#endif /* PSA_WANT_ALG_JPAKE */ + +typedef enum +{ + INJECT_ERR_NONE = 0, + INJECT_ERR_UNINITIALIZED_ACCESS, + INJECT_ERR_DUPLICATE_SETUP, + INJECT_ERR_INVALID_USER, + INJECT_ERR_INVALID_PEER, + INJECT_ERR_SET_USER, + INJECT_ERR_SET_PEER, + INJECT_EMPTY_IO_BUFFER, + INJECT_UNKNOWN_STEP, + INJECT_INVALID_FIRST_STEP, + INJECT_WRONG_BUFFER_SIZE, + INJECT_VALID_OPERATION_AFTER_FAILURE, + INJECT_ANTICIPATE_KEY_DERIVATION_1, + INJECT_ANTICIPATE_KEY_DERIVATION_2, +} ecjpake_injected_failure_t; + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_CRYPTO_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ +void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, + int primitive_arg, int hash_arg, int role_arg, + int test_input, data_t *pw_data, + int inj_err_type_arg, + int expected_error_arg) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_pake_operation_t operation = psa_pake_operation_init(); + psa_algorithm_t alg = alg_arg; + psa_pake_primitive_t primitive = primitive_arg; + psa_key_type_t key_type_pw = key_type_pw_arg; + psa_key_usage_t key_usage_pw = key_usage_pw_arg; + psa_algorithm_t hash_alg = hash_arg; + psa_pake_role_t role = role_arg; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; + psa_status_t expected_error = expected_error_arg; + psa_status_t status; + unsigned char *output_buffer = NULL; + size_t output_len = 0; + + PSA_INIT( ); + + size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, + PSA_PAKE_STEP_KEY_SHARE); + ASSERT_ALLOC( output_buffer, buf_size ); + + if( pw_data->len > 0 ) + { + psa_set_key_usage_flags( &attributes, key_usage_pw ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, key_type_pw ); + PSA_ASSERT( 
psa_import_key( &attributes, pw_data->x, pw_data->len, + &key ) ); + } + + psa_pake_cs_set_algorithm( &cipher_suite, alg ); + psa_pake_cs_set_primitive( &cipher_suite, primitive ); + psa_pake_cs_set_hash( &cipher_suite, hash_alg ); + + PSA_ASSERT( psa_pake_abort( &operation ) ); + + if ( inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS ) + { + TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_set_password_key( &operation, key ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_set_role( &operation, role ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, + NULL, 0, NULL ), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0), + expected_error ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + goto exit; + } + + status = psa_pake_setup( &operation, &cipher_suite ); + if (status != PSA_SUCCESS) + { + TEST_EQUAL( status, expected_error ); + goto exit; + } + + if( inj_err_type == INJECT_ERR_DUPLICATE_SETUP ) + { + TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ), + expected_error ); + goto exit; + } + + status = psa_pake_set_role( &operation, role); + if ( status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_error ); + goto exit; + } + + if( pw_data->len > 0 ) + { + status = psa_pake_set_password_key( &operation, key ); + if ( status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_error ); + goto exit; + } + } + + if ( inj_err_type == INJECT_ERR_INVALID_USER ) + { + TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_ERR_INVALID_PEER ) + { + 
TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_ERR_SET_USER ) + { + const uint8_t unsupported_id[] = "abcd"; + TEST_EQUAL( psa_pake_set_user( &operation, unsupported_id, 4 ), + PSA_ERROR_NOT_SUPPORTED ); + goto exit; + } + + if ( inj_err_type == INJECT_ERR_SET_PEER ) + { + const uint8_t unsupported_id[] = "abcd"; + TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ), + PSA_ERROR_NOT_SUPPORTED ); + goto exit; + } + + const size_t size_key_share = PSA_PAKE_INPUT_SIZE( alg, primitive, + PSA_PAKE_STEP_KEY_SHARE ); + const size_t size_zk_public = PSA_PAKE_INPUT_SIZE( alg, primitive, + PSA_PAKE_STEP_ZK_PUBLIC ); + const size_t size_zk_proof = PSA_PAKE_INPUT_SIZE( alg, primitive, + PSA_PAKE_STEP_ZK_PROOF ); + + if ( test_input ) + { + if ( inj_err_type == INJECT_EMPTY_IO_BUFFER ) + { + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0 ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_UNKNOWN_STEP ) + { + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, + output_buffer, size_zk_proof ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_INVALID_FIRST_STEP ) + { + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, + output_buffer, size_zk_proof ), + PSA_ERROR_BAD_STATE ); + goto exit; + } + + status = psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, + output_buffer, size_key_share ); + if ( status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_error); + goto exit; + } + + if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE ) + { + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public + 1 ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE ) + { + // Just trigger any kind of error. 
We don't care about the result here + psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public + 1 ); + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public ), + PSA_ERROR_BAD_STATE ); + goto exit; + } + } else { + if ( inj_err_type == INJECT_EMPTY_IO_BUFFER ) + { + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, + NULL, 0, NULL ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_UNKNOWN_STEP ) + { + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, + output_buffer, buf_size, &output_len ), + PSA_ERROR_INVALID_ARGUMENT ); + goto exit; + } + + if ( inj_err_type == INJECT_INVALID_FIRST_STEP ) + { + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, + output_buffer, buf_size, &output_len ), + PSA_ERROR_BAD_STATE ); + goto exit; + } + + status = psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, + output_buffer, buf_size, &output_len ); + if ( status != PSA_SUCCESS ) + { + TEST_EQUAL( status, expected_error); + goto exit; + } + + TEST_ASSERT( output_len > 0 ); + + if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE ) + { + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public - 1, &output_len ), + PSA_ERROR_BUFFER_TOO_SMALL ); + goto exit; + } + + if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE ) + { + // Just trigger any kind of error. 
We don't care about the result here + psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public - 1, &output_len ); + TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, buf_size, &output_len ), + PSA_ERROR_BAD_STATE ); + goto exit; + } + } + +exit: + PSA_ASSERT( psa_destroy_key( key ) ); + PSA_ASSERT( psa_pake_abort( &operation ) ); + mbedtls_free( output_buffer ); + PSA_DONE( ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ +void ecjpake_rounds_inject( int alg_arg, int primitive_arg, int hash_arg, + int client_input_first, int inject_error, + data_t *pw_data ) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_pake_operation_t server = psa_pake_operation_init(); + psa_pake_operation_t client = psa_pake_operation_init(); + psa_algorithm_t alg = alg_arg; + psa_algorithm_t hash_alg = hash_arg; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + + PSA_INIT( ); + + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); + PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len, + &key ) ); + + psa_pake_cs_set_algorithm( &cipher_suite, alg ); + psa_pake_cs_set_primitive( &cipher_suite, primitive_arg ); + psa_pake_cs_set_hash( &cipher_suite, hash_alg ); + + + PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) ); + PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) ); + + PSA_ASSERT( psa_pake_set_role( &server, PSA_PAKE_ROLE_SERVER ) ); + PSA_ASSERT( psa_pake_set_role( &client, PSA_PAKE_ROLE_CLIENT ) ); + + PSA_ASSERT( psa_pake_set_password_key( &server, key ) ); + PSA_ASSERT( psa_pake_set_password_key( &client, key ) ); + + ecjpake_do_round( alg, primitive_arg, &server, &client, + client_input_first, 1, inject_error ); + + if( inject_error == 1 || inject_error == 2 ) + goto 
exit; + + ecjpake_do_round( alg, primitive_arg, &server, &client, + client_input_first, 2, inject_error ); + +exit: + psa_destroy_key( key ); + psa_pake_abort( &server ); + psa_pake_abort( &client ); + PSA_DONE( ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ +void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, + int derive_alg_arg, data_t *pw_data, + int client_input_first, int inj_err_type_arg ) +{ + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_pake_operation_t server = psa_pake_operation_init(); + psa_pake_operation_t client = psa_pake_operation_init(); + psa_algorithm_t alg = alg_arg; + psa_algorithm_t hash_alg = hash_arg; + psa_algorithm_t derive_alg = derive_alg_arg; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_derivation_operation_t server_derive = + PSA_KEY_DERIVATION_OPERATION_INIT; + psa_key_derivation_operation_t client_derive = + PSA_KEY_DERIVATION_OPERATION_INIT; + ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; + + PSA_INIT( ); + + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); + PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len, + &key ) ); + + psa_pake_cs_set_algorithm( &cipher_suite, alg ); + psa_pake_cs_set_primitive( &cipher_suite, primitive_arg ); + psa_pake_cs_set_hash( &cipher_suite, hash_alg ); + + /* Get shared key */ + PSA_ASSERT( psa_key_derivation_setup( &server_derive, derive_alg ) ); + PSA_ASSERT( psa_key_derivation_setup( &client_derive, derive_alg ) ); + + if( PSA_ALG_IS_TLS12_PRF( derive_alg ) || + PSA_ALG_IS_TLS12_PSK_TO_MS( derive_alg ) ) + { + PSA_ASSERT( psa_key_derivation_input_bytes( &server_derive, + PSA_KEY_DERIVATION_INPUT_SEED, + (const uint8_t*) "", 0) ); + PSA_ASSERT( psa_key_derivation_input_bytes( &client_derive, + 
PSA_KEY_DERIVATION_INPUT_SEED, + (const uint8_t*) "", 0) ); + } + + PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) ); + PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) ); + + PSA_ASSERT( psa_pake_set_role( &server, PSA_PAKE_ROLE_SERVER ) ); + PSA_ASSERT( psa_pake_set_role( &client, PSA_PAKE_ROLE_CLIENT ) ); + + PSA_ASSERT( psa_pake_set_password_key( &server, key ) ); + PSA_ASSERT( psa_pake_set_password_key( &client, key ) ); + + if( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1 ) + { + TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), + PSA_ERROR_BAD_STATE ); + TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), + PSA_ERROR_BAD_STATE ); + goto exit; + } + + /* First round */ + ecjpake_do_round( alg, primitive_arg, &server, &client, + client_input_first, 1, 0 ); + + if ( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2 ) + { + TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), + PSA_ERROR_BAD_STATE ); + TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ), + PSA_ERROR_BAD_STATE ); + goto exit; + } + + /* Second round */ + ecjpake_do_round( alg, primitive_arg, &server, &client, + client_input_first, 2, 0 ); + + PSA_ASSERT( psa_pake_get_implicit_key( &server, &server_derive ) ); + PSA_ASSERT( psa_pake_get_implicit_key( &client, &client_derive ) ); + +exit: + psa_key_derivation_abort( &server_derive ); + psa_key_derivation_abort( &client_derive ); + psa_destroy_key( key ); + psa_pake_abort( &server ); + psa_pake_abort( &client ); + PSA_DONE( ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void ecjpake_size_macros( ) +{ + const psa_algorithm_t alg = PSA_ALG_JPAKE; + const size_t bits = 256; + const psa_pake_primitive_t prim = PSA_PAKE_PRIMITIVE( + PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, bits ); + const psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR( + PSA_ECC_FAMILY_SECP_R1 ); + + // https://armmbed.github.io/mbed-crypto/1.1_PAKE_Extension.0-bet.0/html/pake.html#pake-step-types + /* 
The output for KEY_SHARE and ZK_PUBLIC is the same as a public key */ + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), + PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( key_type, bits ) ); + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), + PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( key_type, bits ) ); + /* The output for ZK_PROOF is the same bitsize as the curve */ + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), + PSA_BITS_TO_BYTES( bits ) ); + + /* Input sizes are the same as output sizes */ + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), + PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE) ); + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), + PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC) ); + TEST_EQUAL( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), + PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF) ); + + /* These inequalities will always hold even when other PAKEs are added */ + TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), + PSA_PAKE_OUTPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), + PSA_PAKE_OUTPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_OUTPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), + PSA_PAKE_OUTPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_KEY_SHARE), + PSA_PAKE_INPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PUBLIC), + PSA_PAKE_INPUT_MAX_SIZE ); + TEST_LE_U( PSA_PAKE_INPUT_SIZE(alg, prim, PSA_PAKE_STEP_ZK_PROOF), + PSA_PAKE_INPUT_MAX_SIZE ); +} +/* END_CASE */ From 7bb65ad22f221a3a24f82674fe3f698ccfc35ba0 Mon Sep 17 00:00:00 2001 
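Review bot: In ecjpake_do_round() every psa_pake_output() call advertises a capacity of `512 - buffer0_off` / `512 - buffer1_off`, but buffer0 and buffer1 are allocated with `ASSERT_ALLOC( buffer0, buffer_length )`, where buffer_length is twice the sum of the three PSA_PAKE_OUTPUT_SIZE values (324 bytes for the P-256 primitive these tests use), so the implementation is told it may write well past the end of the heap allocation. The TEST_EQUAL / TEST_LE_U checks on the returned lengths run only after the write, so they cannot prevent a heap overflow from a misbehaving implementation or a larger primitive, and a test harness should never claim more space than it owns. Replace the literal in all twelve output calls with the real remaining capacity, i.e. `buffer_length - buffer0_off` and `buffer_length - buffer1_off`; the whole helper is inside this hunk (new file), so the change is self-contained. Separately, the `+#include` line right after `/* BEGIN_HEADER */` carries no header name, which looks like the page extraction dropped an angle-bracketed name rather than a defect in the commit — worth confirming against the original patch.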
From: Valerio Setti Date: Fri, 18 Nov 2022 18:27:48 +0100 Subject: [PATCH 280/413] test: psa_crypto_pake: enhanced ecjpake_setup() - expected errors are now checked at the specified point; if the same error occurs at a different line, that is not valid and the test fails - fixed an inconsistency where some injected error codes were not taken from the data file; now all expected error codes are read from the data file - added a couple of defines to shrink the code Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_pake.data | 178 +++++------ .../test_suite_psa_crypto_pake.function | 282 ++++++++---------- 2 files changed, 214 insertions(+), 246 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index fba9e8ee30..9d15ed3313 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
@@ -1,130 +1,136 @@ PSA PAKE: uninitialized access to psa_pake_operation_t depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE +ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE PSA PAKE: invalid alg depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: invalid primitive type depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid primitive family depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid primitive bits depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid hash depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED PSA PAKE: duplicate a valid setup depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_DUPLICATE_SETUP:PSA_ERROR_BAD_STATE 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_DUPLICATE_SETUP:PSA_ERROR_BAD_STATE PSA PAKE: ecjpake setup invalid role NONE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":ERR_IN_SET_ROLE:PSA_ERROR_NOT_SUPPORTED PSA PAKE: wrong key type password depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT - -PSA PAKE: wrong key usage type -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:0:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_PERMITTED - -PSA PAKE: set invalid user -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_INVALID_USER:PSA_ERROR_INVALID_ARGUMENT - -PSA PAKE: set invalid peer 
-depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_INVALID_PEER:PSA_ERROR_INVALID_ARGUMENT - -PSA PAKE: set user -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_SET_USER:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: set peer -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_ERR_SET_PEER:PSA_ERROR_NOT_SUPPORTED - -PSA PAKE: empty server password -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":INJECT_ERR_NONE:PSA_ERROR_BAD_STATE - -PSA PAKE: empty client password -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":INJECT_ERR_NONE:PSA_ERROR_BAD_STATE - -PSA PAKE: invalid input -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_EMPTY_IO_BUFFER:0 - -PSA PAKE: unkown input step -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_UNKNOWN_STEP:0 - -PSA PAKE: invalid first input step -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_INVALID_FIRST_STEP:0 - -PSA PAKE: input buffer too large -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_WRONG_BUFFER_SIZE:0 - -PSA PAKE: valid input operation after a failure -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":INJECT_VALID_OPERATION_AFTER_FAILURE:0 - -PSA PAKE: invalid output -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_EMPTY_IO_BUFFER:0 - -PSA PAKE: unkown output step -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_UNKNOWN_STEP:0 - -PSA PAKE: invalid first output step -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_INVALID_FIRST_STEP:0 - -PSA PAKE: output buffer too small -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_WRONG_BUFFER_SIZE:0 - -PSA PAKE: valid output operation after a failure -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":INJECT_VALID_OPERATION_AFTER_FAILURE:0 - -PSA PAKE: ecjpake setup client bad password key type -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: ecjpake setup client bad password key usage 
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":INJECT_ERR_NONE:PSA_ERROR_NOT_PERMITTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED + +PSA PAKE: wrong key usage type +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:0:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED + +PSA PAKE: ecjpake setup client bad password key type +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: set invalid user +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_INVALID_USER:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: set invalid peer +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_INVALID_PEER:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: set user +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_SET_USER:PSA_ERROR_NOT_SUPPORTED + +PSA PAKE: set peer +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_SET_PEER:PSA_ERROR_NOT_SUPPORTED + +# NOTE: this test should be enabled once the psa_pake_set_password_key() function +# will reject empty passwords. The expected error code must be adjusted +# accordingly to the code +#PSA PAKE: empty server password +#depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +#ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_BAD_STATE + +# NOTE: this test should be enabled once the psa_pake_set_password_key() function +# will reject empty passwords The expected error code must be adjusted +# accordingly to the code +#PSA PAKE: empty client password +#depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +#ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_BAD_STATE + +PSA PAKE: invalid input 
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: unkown input step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: invalid first input step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE + +PSA PAKE: input buffer too large +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: valid input operation after a failure +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE + +PSA PAKE: invalid output +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: unkown output step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT + +PSA PAKE: invalid first output step +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE + +PSA PAKE: output buffer too small +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_BUFFER_TOO_SMALL + +PSA PAKE: valid output operation after a failure +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE PSA PAKE: ecjpake rounds depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 
PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ERR_NONE +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_NONE PSA PAKE: ecjpake rounds, client input first depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:INJECT_ERR_NONE +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:ERR_NONE PSA PAKE: ecjpake rounds, early key derivation 1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ANTICIPATE_KEY_DERIVATION_1 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1 PSA PAKE: ecjpake rounds, early key derivation 2 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:INJECT_ANTICIPATE_KEY_DERIVATION_2 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2 PSA PAKE: ecjpake no input errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index c378b4932b..f8022e4da0 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function 
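Review bot: The rewritten case names `PSA PAKE: unkown input step` and `PSA PAKE: unkown output step` carry the misspelling over from the removed lines; since both lines are replaced anyway, `PSA PAKE: unknown input step` and `PSA PAKE: unknown output step` would fix it at no cost. The two commented-out empty-password cases say the expected error "must be adjusted accordingly to the code", which leaves it unclear which return value is meant; naming the function whose result the expected value must match, presumably `psa_pake_set_password_key()`, would help whoever re-enables them.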
@@ -596,22 +596,57 @@ exit: typedef enum { - INJECT_ERR_NONE = 0, - INJECT_ERR_UNINITIALIZED_ACCESS, - INJECT_ERR_DUPLICATE_SETUP, - INJECT_ERR_INVALID_USER, - INJECT_ERR_INVALID_PEER, - INJECT_ERR_SET_USER, - INJECT_ERR_SET_PEER, - INJECT_EMPTY_IO_BUFFER, - INJECT_UNKNOWN_STEP, - INJECT_INVALID_FIRST_STEP, - INJECT_WRONG_BUFFER_SIZE, - INJECT_VALID_OPERATION_AFTER_FAILURE, - INJECT_ANTICIPATE_KEY_DERIVATION_1, - INJECT_ANTICIPATE_KEY_DERIVATION_2, -} ecjpake_injected_failure_t; + ERR_NONE = 0, + /* errors forced internally in the code */ + ERR_INJECT_UNINITIALIZED_ACCESS, + ERR_INJECT_DUPLICATE_SETUP, + ERR_INJECT_INVALID_USER, + ERR_INJECT_INVALID_PEER, + ERR_INJECT_SET_USER, + ERR_INJECT_SET_PEER, + ERR_INJECT_EMPTY_IO_BUFFER, + ERR_INJECT_UNKNOWN_STEP, + ERR_INJECT_INVALID_FIRST_STEP, + ERR_INJECT_WRONG_BUFFER_SIZE, + ERR_INJECT_VALID_OPERATION_AFTER_FAILURE, + ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1, + ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2, + /* erros issued from the .data file */ + ERR_IN_SETUP, + ERR_IN_SET_ROLE, + ERR_IN_SET_PASSWORD_KEY, + ERR_IN_INPUT, + ERR_IN_OUTPUT, +} ecjpake_error_stage_t; +/* + * This check is used for errors issued through wrong input parameters. The + * check is always performed because, in case of all valid parameters, the + * setup function can go on + */ +#define SETUP_ALWAYS_CHECK_STEP( test_function, this_check_err_stage ) \ + status = test_function; \ + if( err_stage != this_check_err_stage ) \ + { \ + PSA_ASSERT( status ); \ + } \ + else \ + { \ + TEST_EQUAL( status, expected_error ); \ + goto exit; \ + } + +/* + * This check is used for errors injected explicitly. 
The check is conditional + * because once the error is triggered, the setup function cannot proceed so + * it would not be possible to check following steps + */ +#define SETUP_CONDITIONAL_CHECK_STEP( test_function, this_check_err_stage ) \ + if( err_stage == this_check_err_stage ) \ + { \ + TEST_EQUAL( test_function, expected_error ); \ + goto exit; \ + } /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -623,7 +658,7 @@ typedef enum void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, int primitive_arg, int hash_arg, int role_arg, int test_input, data_t *pw_data, - int inj_err_type_arg, + int err_stage_arg, int expected_error_arg) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); @@ -636,16 +671,17 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, psa_pake_role_t role = role_arg; mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; + ecjpake_error_stage_t err_stage = err_stage_arg; psa_status_t expected_error = expected_error_arg; psa_status_t status; unsigned char *output_buffer = NULL; size_t output_len = 0; + const uint8_t unsupp_id[] = "abcd"; PSA_INIT( ); - size_t buf_size = PSA_PAKE_OUTPUT_SIZE(alg, primitive_arg, - PSA_PAKE_STEP_KEY_SHARE); + size_t buf_size = PSA_PAKE_OUTPUT_SIZE( alg, primitive_arg, + PSA_PAKE_STEP_KEY_SHARE ); ASSERT_ALLOC( output_buffer, buf_size ); if( pw_data->len > 0 ) @@ -663,7 +699,7 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, PSA_ASSERT( psa_pake_abort( &operation ) ); - if ( inj_err_type == INJECT_ERR_UNINITIALIZED_ACCESS ) + if ( err_stage == ERR_INJECT_UNINITIALIZED_ACCESS ) { TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), expected_error ); 
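Review bot: `SETUP_ALWAYS_CHECK_STEP` expands to two statements (`status = test_function;` followed by an `if`/`else`) with no `do { ... } while( 0 )` wrapper, so it is only safe where it is used as a full statement at block level, as the call sites in this commit do; an unbraced `if` around a future use would bind only the assignment. Both macros also read `status`, `err_stage` and `expected_error` and jump to `exit` without any of these being parameters, which the comments above them do not say. The comment on the second enum group has a typo, `erros issued from the .data file`. Wrapping the first macro and stating the implicit dependencies in the comment would make the header self-explanatory.
```c
/*
 * Both macros rely on the locals status, err_stage and expected_error
 * and on the exit label of the enclosing test function.
 */
#define SETUP_ALWAYS_CHECK_STEP( test_function, this_check_err_stage )      \
    do                                                                      \
    {                                                                       \
        status = test_function;                                             \
        if( err_stage != this_check_err_stage )                             \
        {                                                                   \
            PSA_ASSERT( status );                                           \
        }                                                                   \
        else                                                                \
        {                                                                   \
            TEST_EQUAL( status, expected_error );                           \
            goto exit;                                                      \
        }                                                                   \
    } while( 0 )
/* … unchanged: SETUP_CONDITIONAL_CHECK_STEP … */
```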
@@ -687,66 +723,29 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, goto exit; } - status = psa_pake_setup( &operation, &cipher_suite ); - if (status != PSA_SUCCESS) - { - TEST_EQUAL( status, expected_error ); - goto exit; - } + SETUP_ALWAYS_CHECK_STEP( psa_pake_setup( &operation, &cipher_suite ), + ERR_IN_SETUP ); - if( inj_err_type == INJECT_ERR_DUPLICATE_SETUP ) - { - TEST_EQUAL( psa_pake_setup( &operation, &cipher_suite ), - expected_error ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_setup( &operation, &cipher_suite ), + ERR_INJECT_DUPLICATE_SETUP); - status = psa_pake_set_role( &operation, role); - if ( status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_error ); - goto exit; - } + SETUP_ALWAYS_CHECK_STEP( psa_pake_set_role( &operation, role), + ERR_IN_SET_ROLE ); - if( pw_data->len > 0 ) - { - status = psa_pake_set_password_key( &operation, key ); - if ( status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_error ); - goto exit; - } - } + SETUP_ALWAYS_CHECK_STEP( psa_pake_set_password_key( &operation, key ), + ERR_IN_SET_PASSWORD_KEY ); - if ( inj_err_type == INJECT_ERR_INVALID_USER ) - { - TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ), - PSA_ERROR_INVALID_ARGUMENT ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_set_user( &operation, NULL, 0 ), + ERR_INJECT_INVALID_USER ); - if ( inj_err_type == INJECT_ERR_INVALID_PEER ) - { - TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ), - PSA_ERROR_INVALID_ARGUMENT ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_set_peer( &operation, NULL, 0 ), + ERR_INJECT_INVALID_PEER ); - if ( inj_err_type == INJECT_ERR_SET_USER ) - { - const uint8_t unsupported_id[] = "abcd"; - TEST_EQUAL( psa_pake_set_user( &operation, unsupported_id, 4 ), - PSA_ERROR_NOT_SUPPORTED ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_set_user( &operation, unsupp_id, 4 ), + ERR_INJECT_SET_USER ); - if ( inj_err_type == INJECT_ERR_SET_PEER ) - { - 
const uint8_t unsupported_id[] = "abcd"; - TEST_EQUAL( psa_pake_set_peer( &operation, unsupported_id, 4 ), - PSA_ERROR_NOT_SUPPORTED ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_set_peer( &operation, unsupp_id, 4 ), + ERR_INJECT_SET_PEER ); const size_t size_key_share = PSA_PAKE_INPUT_SIZE( alg, primitive, PSA_PAKE_STEP_KEY_SHARE ); 
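Review bot: `psa_pake_set_password_key( &operation, key )` is now called unconditionally, whereas the removed code only called it when `pw_data->len > 0`; with an empty password `key` stays `MBEDTLS_SVC_KEY_ID_INIT` (declared above this hunk) and, unless `err_stage` is `ERR_IN_SET_PASSWORD_KEY`, the macro asserts success, which presumably is why the empty-password cases in the .data file were commented out in this same commit. Either keep the `if( pw_data->len > 0 )` guard around the call or state in a comment that an empty password is no longer a valid input to this test. The literal `4` passed with `unsupp_id` in the two `SETUP_CONDITIONAL_CHECK_STEP` calls duplicates the initializer's length; `sizeof( unsupp_id ) - 1` keeps them in step. The function continues outside the hunk.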
@@ -757,108 +756,71 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, if ( test_input ) { - if ( inj_err_type == INJECT_EMPTY_IO_BUFFER ) - { - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, NULL, 0 ), - PSA_ERROR_INVALID_ARGUMENT ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_input( &operation, + PSA_PAKE_STEP_ZK_PROOF, NULL, 0 ), + ERR_INJECT_EMPTY_IO_BUFFER ); - if ( inj_err_type == INJECT_UNKNOWN_STEP ) - { - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_input( &operation, + PSA_PAKE_STEP_ZK_PROOF + 10, output_buffer, size_zk_proof ), - PSA_ERROR_INVALID_ARGUMENT ); - goto exit; - } + ERR_INJECT_UNKNOWN_STEP ); - if ( inj_err_type == INJECT_INVALID_FIRST_STEP ) - { - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF, + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_input( &operation, + PSA_PAKE_STEP_ZK_PROOF, output_buffer, size_zk_proof ), - PSA_ERROR_BAD_STATE ); - goto exit; - } + ERR_INJECT_INVALID_FIRST_STEP ) - status = psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, - output_buffer, size_key_share ); - if ( status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_error); - goto exit; - } + SETUP_ALWAYS_CHECK_STEP( psa_pake_input( &operation, + PSA_PAKE_STEP_KEY_SHARE, + output_buffer, size_key_share ), + ERR_IN_INPUT ); - if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE ) - { - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_input( &operation, + PSA_PAKE_STEP_ZK_PUBLIC, output_buffer, size_zk_public + 1 ), - PSA_ERROR_INVALID_ARGUMENT ); - goto exit; - } + ERR_INJECT_WRONG_BUFFER_SIZE ); - if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE ) - { - // Just trigger any kind of error. 
We don't care about the result here - psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, size_zk_public + 1 ); - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, size_zk_public ), - PSA_ERROR_BAD_STATE ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( + ( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public + 1 ), + psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public ) ), + ERR_INJECT_VALID_OPERATION_AFTER_FAILURE ); } else { - if ( inj_err_type == INJECT_EMPTY_IO_BUFFER ) - { - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_output( &operation, + PSA_PAKE_STEP_ZK_PROOF, NULL, 0, NULL ), - PSA_ERROR_INVALID_ARGUMENT ); - goto exit; - } + ERR_INJECT_EMPTY_IO_BUFFER ); - if ( inj_err_type == INJECT_UNKNOWN_STEP ) - { - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10, + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_output( &operation, + PSA_PAKE_STEP_ZK_PROOF + 10, output_buffer, buf_size, &output_len ), - PSA_ERROR_INVALID_ARGUMENT ); - goto exit; - } + ERR_INJECT_UNKNOWN_STEP ); - if ( inj_err_type == INJECT_INVALID_FIRST_STEP ) - { - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF, + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_output( &operation, + PSA_PAKE_STEP_ZK_PROOF, output_buffer, buf_size, &output_len ), - PSA_ERROR_BAD_STATE ); - goto exit; - } + ERR_INJECT_INVALID_FIRST_STEP ); - status = psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, - output_buffer, buf_size, &output_len ); - if ( status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_error); - goto exit; - } + SETUP_ALWAYS_CHECK_STEP( psa_pake_output( &operation, + PSA_PAKE_STEP_KEY_SHARE, + output_buffer, buf_size, &output_len ), + ERR_IN_OUTPUT ); TEST_ASSERT( output_len > 0 ); - if ( inj_err_type == INJECT_WRONG_BUFFER_SIZE ) - { - TEST_EQUAL( psa_pake_output( &operation, 
PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, size_zk_public - 1, &output_len ), - PSA_ERROR_BUFFER_TOO_SMALL ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( psa_pake_output( &operation, + PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public - 1, + &output_len ), + ERR_INJECT_WRONG_BUFFER_SIZE ); - if ( inj_err_type == INJECT_VALID_OPERATION_AFTER_FAILURE ) - { - // Just trigger any kind of error. We don't care about the result here - psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, size_zk_public - 1, &output_len ); - TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, - output_buffer, buf_size, &output_len ), - PSA_ERROR_BAD_STATE ); - goto exit; - } + SETUP_CONDITIONAL_CHECK_STEP( + ( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, size_zk_public - 1, &output_len ), + psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PUBLIC, + output_buffer, buf_size, &output_len ) ), + ERR_INJECT_VALID_OPERATION_AFTER_FAILURE ); } exit: @@ -924,7 +886,7 @@ exit: /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, int derive_alg_arg, data_t *pw_data, - int client_input_first, int inj_err_type_arg ) + int client_input_first, int err_stage_arg ) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t server = psa_pake_operation_init(); @@ -938,7 +900,7 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, PSA_KEY_DERIVATION_OPERATION_INIT; psa_key_derivation_operation_t client_derive = PSA_KEY_DERIVATION_OPERATION_INIT; - ecjpake_injected_failure_t inj_err_type = inj_err_type_arg; + ecjpake_error_stage_t err_stage = err_stage_arg; PSA_INIT( ); 
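Review bot: The `SETUP_CONDITIONAL_CHECK_STEP( ... ERR_INJECT_INVALID_FIRST_STEP )` call in the `test_input` branch is missing its trailing semicolon; it still compiles because the macro expands to a braced `if`, but it is inconsistent with every other call and would break if the macro is ever wrapped in `do { } while( 0 )`. The two `ERR_INJECT_VALID_OPERATION_AFTER_FAILURE` steps hide the first, deliberately failing call inside a comma expression, and the removed comment explaining that was dropped; add `/* The first call only triggers a failure; its result is deliberately ignored */` above each of them. The cleanup after `exit:` lies outside the hunk.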
@@ -976,7 +938,7 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg,
 PSA_ASSERT( psa_pake_set_password_key( &server, key ) );
 PSA_ASSERT( psa_pake_set_password_key( &client, key ) );
- if( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_1 )
+ if( err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1 )
 {
 TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
 PSA_ERROR_BAD_STATE );
@@ -989,7 +951,7 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg,
 ecjpake_do_round( alg, primitive_arg, &server, &client,
 client_input_first, 1, 0 );
- if ( inj_err_type == INJECT_ANTICIPATE_KEY_DERIVATION_2 )
+ if ( err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2 )
 {
 TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
 PSA_ERROR_BAD_STATE );
From 6d4e75f0c68fa9b86a08cc0d7ad98c20d5dd2ac5 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Mon, 21 Nov 2022 14:56:56 +0100
Subject: [PATCH 281/413] psa_crypto_pake: initialize psa_status_t stack variables
Signed-off-by: Valerio Setti
---
 library/psa_crypto_pake.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 431057ca42..da66dae7da 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -197,7 +197,7 @@ static psa_status_t mbedtls_ecjpake_to_psa_error( int ret )
 psa_status_t psa_pake_setup( psa_pake_operation_t *operation,
 const psa_pake_cipher_suite_t *cipher_suite)
 {
- psa_status_t status;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 /* A context must be freshly initialized before it can be set up. */
 if( operation->alg != PSA_ALG_NONE )
@@ -322,7 +322,7 @@ psa_status_t psa_pake_set_user( psa_pake_operation_t *operation,
 const uint8_t *user_id,
 size_t user_id_len )
 {
- psa_status_t status;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 if( operation->alg == PSA_ALG_NONE ||
 operation->state != PSA_PAKE_STATE_SETUP )
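Review bot: Initialising `status` to PSA_ERROR_CORRUPTION_DETECTED in psa_pake_setup() (hunk @@ -197) is the right defensive default, since an uninitialised status that is never assigned on some path can otherwise read as success, but the diffstat shows only four functions touched. If psa_pake_set_password_key(), psa_pake_output(), psa_pake_input() and psa_pake_get_implicit_key() in the same file also declare `psa_status_t status;` without an initialiser (not visible here), they should receive the same `= PSA_ERROR_CORRUPTION_DETECTED` so the property holds across the whole PAKE API rather than only the setup half. Hunks @@ -322, @@ -348 and @@ -373 carry the identical change; the bodies of all four functions continue outside their hunks.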
@@ -348,7 +348,7 @@ psa_status_t psa_pake_set_peer( psa_pake_operation_t *operation,
 const uint8_t *peer_id,
 size_t peer_id_len )
 {
- psa_status_t status;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 if( operation->alg == PSA_ALG_NONE ||
 operation->state != PSA_PAKE_STATE_SETUP )
@@ -373,7 +373,7 @@ error:
 psa_status_t psa_pake_set_role( psa_pake_operation_t *operation,
 psa_pake_role_t role )
 {
- psa_status_t status;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 if( operation->alg == PSA_ALG_NONE ||
 operation->state != PSA_PAKE_STATE_SETUP )
From e5d7864aa0e67c7448439a1b120143bc72d80e14 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Mon, 21 Nov 2022 15:17:54 +0100
Subject: [PATCH 282/413] test: psa_pake: improved description of macros used in ecjpake_setup()
Signed-off-by: Valerio Setti
---
 .../test_suite_psa_crypto_pake.function | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function
index f8022e4da0..52c7a7ab07 100644
--- a/tests/suites/test_suite_psa_crypto_pake.function
+++ b/tests/suites/test_suite_psa_crypto_pake.function
@@ -620,9 +620,14 @@ typedef enum
 } ecjpake_error_stage_t;
 /*
- * This check is used for errors issued through wrong input parameters. The
- * check is always performed because, in case of all valid parameters, the
- * setup function can go on
+ * This check is used for functions that might either succeed or fail depending
+ * on the parameters that are passed in from the *.data file:
+ * - in case of success following functions depend on the current one
+ * - in case of failure the test is always terminated. There are two options
+ * here
+ * - terminated successfully if this exact error was expected at this stage
+ * - terminated with failure otherwise (either no error was expected at this
+ * stage or a different error code was expected)
 */
 #define SETUP_ALWAYS_CHECK_STEP( test_function, this_check_err_stage ) \
 status = test_function; \
@@ -637,9 +642,14 @@ typedef enum
 }
 /*
- * This check is used for errors injected explicitly. The check is conditional
- * because once the error is triggered, the setup function cannot proceed so
- * it would not be possible to check following steps
+ * This check is used for failures that are injected at code level. There's only
+ * 1 input parameter that is relevant in this case and it's the stage at which
+ * the error should be injected.
+ * The check is conditional in this case because, once the error is triggered,
+ * the pake's context structure is compromised and the setup function cannot
+ * proceed further. As a consequence the test is terminated.
+ * The test succeeds if the returned error is exactly the expected one,
+ * otherwise it fails.
 */
 #define SETUP_CONDITIONAL_CHECK_STEP( test_function, this_check_err_stage ) \
 if( err_stage == this_check_err_stage ) \
From e65a41f2784b7fa0e85480d2a58961c1166abd2f Mon Sep 17 00:00:00 2001
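Review bot: The first bullet of the new SETUP_ALWAYS_CHECK_STEP comment in hunk @@ -620, `- in case of success following functions depend on the current one`, is hard to parse; ` * - on success the test continues, since the following steps depend on this one` says the same thing clearly. Neither comment names the macros' implicit inputs: both read `status` and `err_stage` from the enclosing test function (visible in `status = test_function;` and `if( err_stage == this_check_err_stage )`) and presumably `expected_error` as well, which a reader of the parameter lists cannot see; one line such as ` * Uses status, err_stage and expected_error from the calling test function.` in each comment would fix that. Both macro bodies continue outside their hunks.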
From: Valerio Setti
Date: Mon, 21 Nov 2022 15:38:29 +0100
Subject: [PATCH 283/413] test: psa_pake: fixes in ecjpake_setup()
Both changes concern the ERR_INJECT_UNINITIALIZED_ACCESS case:
- removed unnecessary psa_pake_abort()
- added psa_pake_get_implicit_key()
Signed-off-by: Valerio Setti
---
 tests/suites/test_suite_psa_crypto_pake.function | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function
index 52c7a7ab07..845b38f703 100644
--- a/tests/suites/test_suite_psa_crypto_pake.function
+++ b/tests/suites/test_suite_psa_crypto_pake.function
@@ -687,6 +687,7 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
 unsigned char *output_buffer = NULL;
 size_t output_len = 0;
 const uint8_t unsupp_id[] = "abcd";
+ psa_key_derivation_operation_t key_derivation;
 PSA_INIT( );
@@ -713,23 +714,20 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
 {
 TEST_EQUAL( psa_pake_set_user( &operation, NULL, 0 ),
 expected_error );
- PSA_ASSERT( psa_pake_abort( &operation ) );
 TEST_EQUAL( psa_pake_set_peer( &operation, NULL, 0 ),
 expected_error );
- PSA_ASSERT( psa_pake_abort( &operation ) );
 TEST_EQUAL( psa_pake_set_password_key( &operation, key ),
 expected_error );
- PSA_ASSERT( psa_pake_abort( &operation ) );
 TEST_EQUAL( psa_pake_set_role( &operation, role ),
 expected_error );
- PSA_ASSERT( psa_pake_abort( &operation ) );
 TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
 NULL, 0, NULL ),
 expected_error );
- PSA_ASSERT( psa_pake_abort( &operation ) );
- TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0),
+ TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE,
+ NULL, 0 ),
+ expected_error );
+ TEST_EQUAL( psa_pake_get_implicit_key( &operation, &key_derivation ),
 expected_error );
- PSA_ASSERT( psa_pake_abort( &operation ) );
 goto exit;
 }
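Review bot: `psa_key_derivation_operation_t key_derivation;` added in hunk @@ -687 is left uninitialised, yet hunk @@ -713 passes `&key_derivation` to psa_pake_get_implicit_key(). In this path the operation was never set up, so the call is expected to fail with expected_error before touching the derivation object, but the test should not rely on that ordering inside the library: declare it as `psa_key_derivation_operation_t key_derivation = PSA_KEY_DERIVATION_OPERATION_INIT;`, matching how ecjpake_rounds() in the same file initialises `server_derive` and `client_derive`. Dropping the intermediate psa_pake_abort() calls looks correct, since every call is checked against the same expected_error on an operation that was never set up. The body of ecjpake_setup() continues outside both hunks.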
From ac3ba95ee43ed95b2e73328cf7939d1bf9b9e827 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Mon, 21 Nov 2022 16:22:29 +0100
Subject: [PATCH 284/413] test: psa_pake: fix data file for ecjpake_setup()
Signed-off-by: Valerio Setti
---
 tests/suites/test_suite_psa_crypto_pake.data | 25 ++++----------------
 1 file changed, 5 insertions(+), 20 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data
index 9d15ed3313..3a477cd39b 100644
--- a/tests/suites/test_suite_psa_crypto_pake.data
+++ b/tests/suites/test_suite_psa_crypto_pake.data
@@ -1,6 +1,6 @@
 PSA PAKE: uninitialized access to psa_pake_operation_t
 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
-ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE
 PSA PAKE: invalid alg
 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
@@ -30,21 +30,13 @@ PSA PAKE: ecjpake setup invalid role NONE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":ERR_IN_SET_ROLE:PSA_ERROR_NOT_SUPPORTED -PSA PAKE: wrong key type password +PSA PAKE: wrong password key type depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_INVALID_ARGUMENT -PSA PAKE: ecjpake setup client bad password key usage +PSA PAKE: wrong password key usage depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED - -PSA PAKE: wrong key usage type -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:0:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED - -PSA PAKE: ecjpake setup client bad password key type -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_DERIVE:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_INVALID_ARGUMENT 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED PSA PAKE: set invalid user depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 @@ -65,17 +57,10 @@ ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_ # NOTE: this test should be enabled once the psa_pake_set_password_key() function # will reject empty passwords. The expected error code must be adjusted # accordingly to the code -#PSA PAKE: empty server password +#PSA PAKE: empty password #depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 #ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_BAD_STATE -# NOTE: this test should be enabled once the psa_pake_set_password_key() function -# will reject empty passwords The expected error code must be adjusted -# accordingly to the code -#PSA PAKE: empty client password -#depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -#ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_CLIENT:0:"":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_BAD_STATE - PSA PAKE: invalid input depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT From 40323c5d51337c5b4f61d9dd99fa86e64d608e0b Mon Sep 17 00:00:00 2001 
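Review bot: Hunk @@ -30 consolidates the password-key negative cases but loses two distinct inputs without replacement: a key whose usage flags are `0` (no usage at all) and a key of type `PSA_KEY_TYPE_DERIVE`; what remains covers only `PSA_KEY_USAGE_ENCRYPT` and `PSA_KEY_TYPE_HMAC`. A zero-usage key is the more common misconfiguration and may well be handled by a different check than a wrong-but-nonzero usage flag, so one line of the form `ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:0:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED` is worth keeping. The same applies, with lower priority, to the `PSA_KEY_TYPE_DERIVE` variant, which exercises a key type that is plausible for a PAKE caller to confuse with `PSA_KEY_TYPE_PASSWORD`.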
From: Valerio Setti
Date: Tue, 22 Nov 2022 10:38:49 +0100
Subject: [PATCH 285/413] test: psa_pake: improved ecjpake_do_round() test function
Now it's possible to inject an error in every single step of the key exchange process.
Signed-off-by: Valerio Setti
---
 tests/suites/test_suite_psa_crypto_pake.data | 92 ++-
 .../test_suite_psa_crypto_pake.function | 581 +++++++----------
 2 files changed, 299 insertions(+), 374 deletions(-)
diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data
index 3a477cd39b..88a634ff26 100644
--- a/tests/suites/test_suite_psa_crypto_pake.data
+++ b/tests/suites/test_suite_psa_crypto_pake.data
@@ -101,61 +101,105 @@ PSA PAKE: valid output operation after a failure depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE -PSA PAKE: ecjpake rounds +PSA PAKE: check rounds w/o forced errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_NONE -PSA PAKE: ecjpake rounds, client input first +PSA PAKE: check rounds w/o forced errors, TLS12_PRF +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"abcdef":0:ERR_NONE + +PSA PAKE: check rounds w/o forced errors, client input first depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:ERR_NONE -PSA PAKE: ecjpake rounds, early key derivation 1 +PSA PAKE: force early key derivation 1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1 -PSA PAKE: ecjpake rounds, early key 
derivation 2 +PSA PAKE: force early key derivation 2 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2 -PSA PAKE: ecjpake no input errors +PSA PAKE: no injected errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_NONE:PSA_SUCCESS -PSA PAKE: ecjpake no input errors, client input first +PSA PAKE: no injected errors, client input first depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:0:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_NONE:PSA_SUCCESS -PSA PAKE: ecjpake inject input errors, first round client +PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:1:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1:PSA_ERROR_DATA_INVALID -PSA PAKE: ecjpake inject input errors, first round client, client input first +PSA PAKE: inject 
ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:1:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1:PSA_ERROR_DATA_INVALID -PSA PAKE: ecjpake inject input errors, first round server +PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:2:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1:PSA_ERROR_DATA_INVALID -PSA PAKE: ecjpake inject input errors, first round server, client input first +PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:2:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2:PSA_ERROR_DATA_INVALID -PSA PAKE: ecjpake inject input errors, second round client +PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:3:"abcdef" 
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2:PSA_ERROR_DATA_INVALID -PSA PAKE: ecjpake inject input errors, second round client, client input first +PSA PAKE: inject ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:3:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2:PSA_ERROR_DATA_INVALID -PSA PAKE: ecjpake inject input errors, second round server +PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:4:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1:PSA_ERROR_DATA_INVALID -PSA PAKE: ecjpake inject input errors, second round server, client input first +PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:4:"abcdef" +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1 
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_KEY_SHARE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_KEY_SHARE:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PROOF +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PROOF:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_KEY_SHARE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_KEY_SHARE:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC:PSA_ERROR_DATA_INVALID + +PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PROOF +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PROOF:PSA_ERROR_DATA_INVALID PSA PAKE: ecjpake size macros depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 845b38f703..8d83019b5e 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function 
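Review bot: The last three cases added in hunk @@ -101 (`inject ERR_INJECT_ROUND2_CLIENT_KEY_SHARE`, `_ZK_PUBLIC`, `_ZK_PROOF`) are byte-for-byte duplicates of the three entries immediately above them, while the `ERR_INJECT_ROUND2_SERVER_KEY_SHARE`, `ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC` and `ERR_INJECT_ROUND2_SERVER_ZK_PROOF` stages that the new enum defines have no data entry at all; the second trio was presumably meant to name the server variants, and as written the round-2 server injection path is never exercised. Separately, `PSA PAKE: check rounds w/o forced errors, TLS12_PRF` passes `PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256)` but its depends_on still lists `PSA_WANT_ALG_TLS12_PSK_TO_MS`; it should depend on `PSA_WANT_ALG_TLS12_PRF`, otherwise the case runs in configurations where that derivation algorithm is unavailable. Finally, every injection case now uses client_input_first = 0, whereas the replaced entries exercised both orderings, so at least one injected case with `1` would preserve that coverage.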
@@ -3,12 +3,88 @@
 #include "psa/crypto.h"
+typedef enum
+{
+ ERR_NONE = 0,
+ /* errors forced internally in the code */
+ ERR_INJECT_UNINITIALIZED_ACCESS,
+ ERR_INJECT_DUPLICATE_SETUP,
+ ERR_INJECT_INVALID_USER,
+ ERR_INJECT_INVALID_PEER,
+ ERR_INJECT_SET_USER,
+ ERR_INJECT_SET_PEER,
+ ERR_INJECT_EMPTY_IO_BUFFER,
+ ERR_INJECT_UNKNOWN_STEP,
+ ERR_INJECT_INVALID_FIRST_STEP,
+ ERR_INJECT_WRONG_BUFFER_SIZE,
+ ERR_INJECT_VALID_OPERATION_AFTER_FAILURE,
+ ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1,
+ ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2,
+ ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1,
+ ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1,
+ ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1,
+ ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2,
+ ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2,
+ ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2,
+ ERR_INJECT_ROUND2_CLIENT_KEY_SHARE,
+ ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC,
+ ERR_INJECT_ROUND2_CLIENT_ZK_PROOF,
+ ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1,
+ ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1,
+ ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1,
+ ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2,
+ ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2,
+ ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2,
+ ERR_INJECT_ROUND2_SERVER_KEY_SHARE,
+ ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC,
+ ERR_INJECT_ROUND2_SERVER_ZK_PROOF,
+ /* erros issued from the .data file */
+ ERR_IN_SETUP,
+ ERR_IN_SET_ROLE,
+ ERR_IN_SET_PASSWORD_KEY,
+ ERR_IN_INPUT,
+ ERR_IN_OUTPUT,
+} ecjpake_error_stage_t;
+
+typedef enum
+{
+ PAKE_ROUND_ONE,
+ PAKE_ROUND_TWO
+} pake_round_t;
+
+/* Inject an error on the specified buffer ONLY it this is the correct stage */
+#define DO_ROUND_CONDITIONAL_INJECT( this_stage, buf ) \
+ if ( this_stage == err_stage ) \
+ { \
+ *( buf + 7) ^= 1; \
+ *( buf + 8 ) ^= 1; \
+ }
+
+#define DO_ROUND_UPDATE_OFFSETS( main_buf_offset, step_offset, step_size ) \
+ { \
+ step_offset = main_buf_offset; \
+ main_buf_offset += step_size; \
+ }
+
+#define DO_ROUND_CHECK_FAILURE( ) \
+ if( err_stage != ERR_NONE && status != PSA_SUCCESS
) \ + { \ + TEST_EQUAL( status, expected_error_arg ); \ + break; \ + } \ + else \ + { \ + TEST_EQUAL( status, PSA_SUCCESS ); \ + } + #if defined(PSA_WANT_ALG_JPAKE) static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, psa_pake_operation_t *server, psa_pake_operation_t *client, int client_input_first, - int round, int inject_error ) + pake_round_t round, + ecjpake_error_stage_t err_stage, + int expected_error_arg ) { unsigned char *buffer0 = NULL, *buffer1 = NULL; size_t buffer_length = ( @@ -38,7 +114,6 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, size_t c_x1_pk_off, c_x2_pk_off, c_x2s_pk_off; size_t c_x1_pr_len, c_x2_pr_len, c_x2s_pr_len; size_t c_x1_pr_off, c_x2_pr_off, c_x2s_pr_off; - psa_status_t expected_status = PSA_SUCCESS; psa_status_t status; ASSERT_ALLOC( buffer0, buffer_length ); 
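Review bot: `DO_ROUND_CONDITIONAL_INJECT` and `DO_ROUND_CHECK_FAILURE` in hunk @@ -3 expand to a bare `if`, so an `else` placed after an invocation would silently attach to the macro's own `if`; the first can be wrapped in `do { ... } while( 0 )`, but the second cannot, because its `break` is meant to leave the `switch( round )` in ecjpake_do_round() and a do/while wrapper would capture it. Both macros also read `err_stage`, `status` and `expected_error_arg` from the caller's scope with nothing in their parameter lists showing it, so a line above each such as `/* Reads err_stage, status and expected_error_arg from the enclosing function; must be used inside the round switch. */` is needed for the next person who reuses them. The enum order is load-bearing too: the check on the new side of hunk @@ -99 ranges from `ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1` to `ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2`, so the ROUND1/ROUND2 entries should carry `/* keep the ROUNDx_{CLIENT,SERVER} groups contiguous: ecjpake_do_round() range-checks them */`. The comment typos `ONLY it this` (for `ONLY if this`) and `erros issued` (for `errors issued`) should be fixed while here.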
@@ -46,51 +121,61 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, switch( round ) { - case 1: + case PAKE_ROUND_ONE: /* Server first round Output */ PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, buffer0 + buffer0_off, 512 - buffer0_off, &s_g1_len ) ); TEST_EQUAL( s_g1_len, expected_size_key_share ); - s_g1_off = buffer0_off; - buffer0_off += s_g1_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_g1_off, s_g1_len ); + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x1_pk_len ) ); TEST_EQUAL( s_x1_pk_len, expected_size_zk_public ); - s_x1_pk_off = buffer0_off; - buffer0_off += s_x1_pk_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART1, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x1_pk_off, s_x1_pk_len ); + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x1_pr_len ) ); TEST_LE_U( s_x1_pr_len, max_expected_size_zk_proof ); - s_x1_pr_off = buffer0_off; - buffer0_off += s_x1_pr_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART1, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x1_pr_off, s_x1_pr_len ); + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_KEY_SHARE, buffer0 + buffer0_off, 512 - buffer0_off, &s_g2_len ) ); TEST_EQUAL( s_g2_len, expected_size_key_share ); - s_g2_off = buffer0_off; - buffer0_off += s_g2_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART2, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_g2_off, s_g2_len ); + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2_pk_len ) ); TEST_EQUAL( s_x2_pk_len, expected_size_zk_public ); - s_x2_pk_off = buffer0_off; - buffer0_off += s_x2_pk_len; + 
DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_SERVER_ZK_PUBLIC_PART2, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x2_pk_off, s_x2_pk_len ); + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2_pr_len ) ); TEST_LE_U( s_x2_pr_len, max_expected_size_zk_proof ); - s_x2_pr_off = buffer0_off; - buffer0_off += s_x2_pr_len; - - if( inject_error == 1 ) - { - buffer0[s_x1_pr_off + 8] ^= 1; - buffer0[s_x2_pr_off + 7] ^= 1; - expected_status = PSA_ERROR_DATA_INVALID; - } + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x2_pr_off, s_x2_pr_len ); /* * When injecting errors in inputs, the implementation is 
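Review bot: Each `DO_ROUND_CONDITIONAL_INJECT( ..., buffer0 + buffer0_off )` in hunk @@ -46 flips bytes 7 and 8 of the element that was just written, but for the ZK_PROOF outputs the length is only bounded from above (`TEST_LE_U( s_x1_pr_len, max_expected_size_zk_proof )`), so nothing establishes that the element is at least 9 bytes long before the write lands inside it. Adding `TEST_ASSERT( s_x1_pr_len > 8 );` (and likewise for `s_x2_pr_len`) ahead of the injection, or giving the macro a length parameter and asserting on it inside, keeps the corruption within the element for whatever curve the primitive selects. Whether every corrupted step maps to exactly `PSA_ERROR_DATA_INVALID` on the input side is a property of the implementation, not of this hunk, so the expected value in the .data file is the place to adjust if a step reports differently. The body of ecjpake_do_round() continues outside this hunk.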
@@ -99,90 +184,44 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, * sequence, if no error appears then, this will be treated * as an error. */ - if( client_input_first == 1 ) { /* Client first round Input */ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_g1_off, s_g1_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x1_pk_off, s_x1_pk_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x1_pr_off, s_x1_pr_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_g2_off, s_g2_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x2_pk_off, s_x2_pk_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x2_pr_off, s_x2_pr_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); /* Error didn't trigger, make test fail */ - if( 
inject_error == 1 ) + if( ( err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1 ) && + ( err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2 ) ) + { TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); + } } /* Client first round Output */ 
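Review bot: The "error didn't trigger" guard is an open-coded enum range, `err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1 && err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2`, and the same shape is repeated after every input block of this function; it silently depends on the ERR_INJECT_* enumerators (declared outside this hunk) staying contiguous and in this exact order. A single helper such as `#define ERR_STAGE_IN( s, first, last ) ( (s) >= (first) && (s) <= (last) )` would state that assumption once and keep the copies from drifting apart. The guard is only reached if none of the preceding `DO_ROUND_CHECK_FAILURE( )` calls left the switch, which is presumably what that macro does on the expected status (its body is not in this hunk); a one-line comment saying so next to the assert would help the reader. ecjpake_do_round starts and ends outside this hunk.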
@@ -190,211 +229,131 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, buffer1 + buffer1_off, 512 - buffer1_off, &c_g1_len ) ); TEST_EQUAL( c_g1_len, expected_size_key_share ); - c_g1_off = buffer1_off; - buffer1_off += c_g1_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_g1_off, c_g1_len ); + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x1_pk_len ) ); TEST_EQUAL( c_x1_pk_len, expected_size_zk_public ); - c_x1_pk_off = buffer1_off; - buffer1_off += c_x1_pk_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART1, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x1_pk_off, c_x1_pk_len ); + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x1_pr_len ) ); TEST_LE_U( c_x1_pr_len, max_expected_size_zk_proof ); - c_x1_pr_off = buffer1_off; - buffer1_off += c_x1_pr_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART1, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x1_pr_off, c_x1_pr_len ); + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_KEY_SHARE, buffer1 + buffer1_off, 512 - buffer1_off, &c_g2_len ) ); TEST_EQUAL( c_g2_len, expected_size_key_share ); - c_g2_off = buffer1_off; - buffer1_off += c_g2_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART2, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_g2_off, c_g2_len ); + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2_pk_len ) ); TEST_EQUAL( c_x2_pk_len, expected_size_zk_public ); - c_x2_pk_off = buffer1_off; - buffer1_off += c_x2_pk_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_CLIENT_ZK_PUBLIC_PART2, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, 
c_x2_pk_off, c_x2_pk_len ); + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2_pr_len ) ); TEST_LE_U( c_x2_pr_len, max_expected_size_zk_proof ); - c_x2_pr_off = buffer1_off; - buffer1_off += c_x2_pr_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2_pr_off, buffer1_off ); if( client_input_first == 0 ) { /* Client first round Input */ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_g1_off, s_g1_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x1_pk_off, s_x1_pk_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x1_pr_off, s_x1_pr_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_g2_off, s_g2_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x2_pk_off, s_x2_pk_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x2_pr_off, 
s_x2_pr_len ); - if( inject_error == 1 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); /* Error didn't trigger, make test fail */ - if( inject_error == 1 ) + if( ( err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1 ) && + ( err_stage <= ERR_INJECT_ROUND1_SERVER_ZK_PROOF_PART2 ) ) + { TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); - } - - if( inject_error == 2 ) - { - buffer1[c_x1_pr_off + 12] ^= 1; - buffer1[c_x2_pr_off + 7] ^= 1; - expected_status = PSA_ERROR_DATA_INVALID; + } } /* Server first round Input */ status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, buffer1 + c_g1_off, c_g1_len ); - if( inject_error == 2 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + c_x1_pk_off, c_x1_pk_len ); - if( inject_error == 2 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, buffer1 + c_x1_pr_off, c_x1_pr_len ); - if( inject_error == 2 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, buffer1 + c_g2_off, c_g2_len ); - if( inject_error == 2 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + c_x2_pk_off, c_x2_pk_len ); - if( inject_error == 2 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, 
expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, buffer1 + c_x2_pr_off, c_x2_pr_len ); - if( inject_error == 2 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); /* Error didn't trigger, make test fail */ - if( inject_error == 2 ) + if( ( err_stage >= ERR_INJECT_ROUND1_CLIENT_KEY_SHARE_PART1 ) && + ( err_stage <= ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2 ) ) + { TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); + } break; - case 2: + case PAKE_ROUND_TWO: /* Server second round Output */ buffer0_off = 0; 
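Review bot: `DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2_pr_off, buffer1_off );` in the client first-round output passes the running buffer offset as the step size, while every other call in this hunk passes the part's length (`c_x2_pr_len` here). The macro body is outside this hunk, but given its parameter names (`main_buf_offset, step_offset, step_size`) this presumably advances buffer1_off by its own value rather than by the proof length; it is the last write into buffer1 in round one and the later inputs read through c_x2_pr_off/c_x2_pr_len, so it is likely masked today, but anything appended after it, or the `512 - buffer1_off` bound of a later output, would be computed from a wrong offset. The line should read `DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2_pr_off, c_x2_pr_len );`. ecjpake_do_round continues past the hunk on both sides.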
@@ -402,71 +361,52 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, buffer0 + buffer0_off, 512 - buffer0_off, &s_a_len ) ); TEST_EQUAL( s_a_len, expected_size_key_share ); - s_a_off = buffer0_off; - buffer0_off += s_a_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND2_SERVER_KEY_SHARE, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_a_off, s_a_len ); + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2s_pk_len ) ); TEST_EQUAL( s_x2s_pk_len, expected_size_zk_public ); - s_x2s_pk_off = buffer0_off; - buffer0_off += s_x2s_pk_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x2s_pk_off, s_x2s_pk_len ); + PSA_ASSERT( psa_pake_output( server, PSA_PAKE_STEP_ZK_PROOF, buffer0 + buffer0_off, 512 - buffer0_off, &s_x2s_pr_len ) ); TEST_LE_U( s_x2s_pr_len, max_expected_size_zk_proof ); - s_x2s_pr_off = buffer0_off; - buffer0_off += s_x2s_pr_len; - - if( inject_error == 3 ) - { - buffer0[s_x2s_pk_off + 12] += 0x33; - expected_status = PSA_ERROR_DATA_INVALID; - } + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND2_SERVER_ZK_PROOF, + buffer0 + buffer0_off ); + DO_ROUND_UPDATE_OFFSETS( buffer0_off, s_x2s_pr_off, s_x2s_pr_len ); if( client_input_first == 1 ) { /* Client second round Input */ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_a_off, s_a_len ); - if( inject_error == 3 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x2s_pk_off, s_x2s_pk_len ); - if( inject_error == 3 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, 
PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x2s_pr_off, s_x2s_pr_len ); - if( inject_error == 3 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); /* Error didn't trigger, make test fail */ - if( inject_error == 3 ) + if( ( err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE ) && + ( err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF ) ) + { TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); + } } /* Client second round Output */ 
@@ -476,113 +416,73 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, buffer1 + buffer1_off, 512 - buffer1_off, &c_a_len ) ); TEST_EQUAL( c_a_len, expected_size_key_share ); - c_a_off = buffer1_off; - buffer1_off += c_a_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND2_CLIENT_KEY_SHARE, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_a_off, c_a_len ); + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2s_pk_len ) ); TEST_EQUAL( c_x2s_pk_len, expected_size_zk_public ); - c_x2s_pk_off = buffer1_off; - buffer1_off += c_x2s_pk_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2s_pk_off, c_x2s_pk_len ); + PSA_ASSERT( psa_pake_output( client, PSA_PAKE_STEP_ZK_PROOF, buffer1 + buffer1_off, 512 - buffer1_off, &c_x2s_pr_len ) ); TEST_LE_U( c_x2s_pr_len, max_expected_size_zk_proof ); - c_x2s_pr_off = buffer1_off; - buffer1_off += c_x2s_pr_len; + DO_ROUND_CONDITIONAL_INJECT( + ERR_INJECT_ROUND2_CLIENT_ZK_PROOF, + buffer1 + buffer1_off ); + DO_ROUND_UPDATE_OFFSETS( buffer1_off, c_x2s_pr_off, c_x2s_pr_len ); if( client_input_first == 0 ) { /* Client second round Input */ status = psa_pake_input( client, PSA_PAKE_STEP_KEY_SHARE, buffer0 + s_a_off, s_a_len ); - if( inject_error == 3 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PUBLIC, buffer0 + s_x2s_pk_off, s_x2s_pk_len ); - if( inject_error == 3 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( client, PSA_PAKE_STEP_ZK_PROOF, buffer0 + s_x2s_pr_off, s_x2s_pr_len ); - if( inject_error == 3 && status != PSA_SUCCESS ) - 
{ - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); /* Error didn't trigger, make test fail */ - if( inject_error == 3 ) + if( ( err_stage >= ERR_INJECT_ROUND2_SERVER_KEY_SHARE ) && + ( err_stage <= ERR_INJECT_ROUND2_SERVER_ZK_PROOF ) ) + { TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); - } - - if( inject_error == 4 ) - { - buffer1[c_x2s_pk_off + 7] += 0x28; - expected_status = PSA_ERROR_DATA_INVALID; + } } /* Server second round Input */ status = psa_pake_input( server, PSA_PAKE_STEP_KEY_SHARE, buffer1 + c_a_off, c_a_len ); - if( inject_error == 4 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PUBLIC, buffer1 + c_x2s_pk_off, c_x2s_pk_len ); - if( inject_error == 4 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); status = psa_pake_input( server, PSA_PAKE_STEP_ZK_PROOF, buffer1 + c_x2s_pr_off, c_x2s_pr_len ); - if( inject_error == 4 && status != PSA_SUCCESS ) - { - TEST_EQUAL( status, expected_status ); - break; - } - else - { - TEST_EQUAL( status, PSA_SUCCESS ); - } + DO_ROUND_CHECK_FAILURE( ); /* Error didn't trigger, make test fail */ - if( inject_error == 4 ) + if( ( err_stage >= ERR_INJECT_ROUND2_CLIENT_KEY_SHARE ) && + ( err_stage <= ERR_INJECT_ROUND2_CLIENT_ZK_PROOF ) ) + { TEST_ASSERT( ! "One of the last psa_pake_input() calls should have returned the expected error." ); + } break; 
@@ -594,31 +494,6 @@ exit: } #endif /* PSA_WANT_ALG_JPAKE */ -typedef enum -{ - ERR_NONE = 0, - /* errors forced internally in the code */ - ERR_INJECT_UNINITIALIZED_ACCESS, - ERR_INJECT_DUPLICATE_SETUP, - ERR_INJECT_INVALID_USER, - ERR_INJECT_INVALID_PEER, - ERR_INJECT_SET_USER, - ERR_INJECT_SET_PEER, - ERR_INJECT_EMPTY_IO_BUFFER, - ERR_INJECT_UNKNOWN_STEP, - ERR_INJECT_INVALID_FIRST_STEP, - ERR_INJECT_WRONG_BUFFER_SIZE, - ERR_INJECT_VALID_OPERATION_AFTER_FAILURE, - ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1, - ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2, - /* erros issued from the .data file */ - ERR_IN_SETUP, - ERR_IN_SET_ROLE, - ERR_IN_SET_PASSWORD_KEY, - ERR_IN_INPUT, - ERR_IN_OUTPUT, -} ecjpake_error_stage_t; - /* * This check is used for functions that might either succeed or fail depending * on the parameters that are passed in from the *.data file: @@ -723,7 +598,7 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0, NULL ), expected_error ); - TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, + TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE, NULL, 0 ), expected_error ); TEST_EQUAL( psa_pake_get_implicit_key( &operation, &key_derivation ), @@ -841,8 +716,10 @@ exit: /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void ecjpake_rounds_inject( int alg_arg, int primitive_arg, int hash_arg, - int client_input_first, int inject_error, - data_t *pw_data ) + int client_input_first, + data_t *pw_data, + int err_stage_arg, + int expected_error_arg ) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t server = psa_pake_operation_init(); 
@@ -851,6 +728,7 @@ void ecjpake_rounds_inject( int alg_arg, int primitive_arg, int hash_arg, psa_algorithm_t hash_alg = hash_arg; mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + ecjpake_error_stage_t err_stage = err_stage_arg; PSA_INIT( ); @@ -864,7 +742,6 @@ void ecjpake_rounds_inject( int alg_arg, int primitive_arg, int hash_arg, psa_pake_cs_set_primitive( &cipher_suite, primitive_arg ); psa_pake_cs_set_hash( &cipher_suite, hash_alg ); - PSA_ASSERT( psa_pake_setup( &server, &cipher_suite ) ); PSA_ASSERT( psa_pake_setup( &client, &cipher_suite ) ); @@ -875,13 +752,15 @@ void ecjpake_rounds_inject( int alg_arg, int primitive_arg, int hash_arg, PSA_ASSERT( psa_pake_set_password_key( &client, key ) ); ecjpake_do_round( alg, primitive_arg, &server, &client, - client_input_first, 1, inject_error ); + client_input_first, PAKE_ROUND_ONE, + err_stage, expected_error_arg ); - if( inject_error == 1 || inject_error == 2 ) + if( err_stage != ERR_NONE ) goto exit; ecjpake_do_round( alg, primitive_arg, &server, &client, - client_input_first, 2, inject_error ); + client_input_first, PAKE_ROUND_TWO, + err_stage, expected_error_arg ); exit: psa_destroy_key( key ); @@ -957,7 +836,8 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, /* First round */ ecjpake_do_round( alg, primitive_arg, &server, &client, - client_input_first, 1, 0 ); + client_input_first, PAKE_ROUND_ONE, + ERR_NONE, PSA_SUCCESS ); if ( err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2 ) { @@ -970,7 +850,8 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, /* Second round */ ecjpake_do_round( alg, primitive_arg, &server, &client, - client_input_first, 2, 0 ); + client_input_first, PAKE_ROUND_TWO, + ERR_NONE, PSA_SUCCESS ); PSA_ASSERT( psa_pake_get_implicit_key( &server, &server_derive ) ); PSA_ASSERT( psa_pake_get_implicit_key( &client, &client_derive ) ); 
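Review bot: In ecjpake_rounds_inject the early exit after the first round was widened from `inject_error == 1 || inject_error == 2` to `if( err_stage != ERR_NONE ) goto exit;`, so every round-two injection stage (ERR_INJECT_ROUND2_*) now leaves before `ecjpake_do_round( ..., PAKE_ROUND_TWO, ... )` is ever called; as far as the hunks on this page show, round one injects nothing for those stages and its failure guards only cover the ROUND1 ranges, so those test cases pass without ever corrupting a message. The exit should be limited to the round-one stages, e.g. `if( err_stage >= ERR_INJECT_ROUND1_SERVER_KEY_SHARE_PART1 && err_stage <= ERR_INJECT_ROUND1_CLIENT_ZK_PROOF_PART2 ) goto exit;`, assuming the enumerators are contiguous in that order as the range checks in ecjpake_do_round already assume (the enum itself is outside this chunk). Alternatively have ecjpake_do_round report whether the expected error fired and exit on that instead. The rest of ecjpake_rounds_inject lies outside these hunks.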
From b697745d14e5563cee27f31d8d6d82e3d00c1475 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Nov 2022 11:29:02 +0100 Subject: [PATCH 286/413] test: psa_pake: fix erroneously duplicated tests Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_pake.data | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index 88a634ff26..c8e8146021 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
@@ -189,17 +189,17 @@ PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PROOF depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PROOF:PSA_ERROR_DATA_INVALID -PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_KEY_SHARE +PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_KEY_SHARE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_KEY_SHARE:PSA_ERROR_DATA_INVALID +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_KEY_SHARE:PSA_ERROR_DATA_INVALID -PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC +PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PUBLIC:PSA_ERROR_DATA_INVALID +ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PUBLIC:PSA_ERROR_DATA_INVALID -PSA PAKE: inject ERR_INJECT_ROUND2_CLIENT_ZK_PROOF +PSA PAKE: inject ERR_INJECT_ROUND2_SERVER_ZK_PROOF depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_CLIENT_ZK_PROOF:PSA_ERROR_DATA_INVALID 
+ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PROOF:PSA_ERROR_DATA_INVALID PSA PAKE: ecjpake size macros depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 From b9ef1c2f03381892fecda63e1007621bacea8b0b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Nov 2022 11:31:18 +0100 Subject: [PATCH 287/413] test: psa_pake: fix error inject macro in ecjpake_do_round() Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_pake.function | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 8d83019b5e..f1cbce55fe 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -52,12 +52,15 @@ typedef enum PAKE_ROUND_TWO } pake_round_t; -/* Inject an error on the specified buffer ONLY it this is the correct stage */ +/* + * Inject an error on the specified buffer ONLY it this is the correct stage. + * Offset 7 is arbitrary, but chosen because it's "in the middle" of the part + * we're corrupting. + */ #define DO_ROUND_CONDITIONAL_INJECT( this_stage, buf ) \ if ( this_stage == err_stage ) \ { \ *( buf + 7) ^= 1; \ - *( buf + 8 ) ^= 1; \ } #define DO_ROUND_UPDATE_OFFSETS( main_buf_offset, step_offset, step_size ) \ From db4736a4cac07c7b1b21a5fccf9c6d2fe0aab313 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Nov 2022 12:24:21 +0100 Subject: [PATCH 288/413] test: psa_pake: remove empty password test Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_pake.data | 55 ++++++++----------- .../test_suite_psa_crypto_pake.function | 16 +++--- 2 files changed, 31 insertions(+), 40 deletions(-) 
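Review bot: The six ROUND2 cases on these lines (the renamed SERVER ones and the CLIENT ones they duplicated) only test anything if ecjpake_rounds_inject reaches the second round; as changed by the earlier patch in this series (visible above), it does `goto exit` after round one whenever err_stage != ERR_NONE, so as far as this page shows these cases pass without the injection ever being applied. It is worth confirming that one of them can fail, for instance by temporarily disabling the byte flip, before relying on the rename. All of them also pass `0` for client_input_first; if there is no `1` counterpart earlier in the file, the client-inputs-first ordering of round two is not exercised by the injection tests.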
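Review bot: The rewritten comment carries over the typo from the old line, `ONLY it this is the correct stage` should read `ONLY if this is the correct stage`, and "in the middle of the part" is not what makes offset 7 safe; what matters is that 7 is smaller than the shortest part written (the ZK proof, whose length is only bounded by `max_expected_size_zk_proof` in the callers), so the flip stays inside the part that was just output. Suggested wording: `Offset 7 is arbitrary; any offset below the smallest part length works, since the flip must stay inside the part just written.` The macro body is a bare `if ( this_stage == err_stage ) { ... }` with no `do { ... } while( 0 )` wrapper, so an `else` placed after an invocation would bind to it; wrapping it (and DO_ROUND_UPDATE_OFFSETS, whose body is outside this hunk) is cheap insurance.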
diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index c8e8146021..80b22f92e8 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
@@ -1,105 +1,98 @@ PSA PAKE: uninitialized access to psa_pake_operation_t depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_UNINITIALIZED_ACCESS:PSA_ERROR_BAD_STATE PSA PAKE: invalid alg depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_SHA_256:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: invalid primitive type depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_DH, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid primitive family depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_K1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid primitive bits depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 128):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid hash depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_1:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SETUP:PSA_ERROR_NOT_SUPPORTED PSA PAKE: duplicate a valid setup depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_DUPLICATE_SETUP:PSA_ERROR_BAD_STATE 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_DUPLICATE_SETUP:PSA_ERROR_BAD_STATE PSA PAKE: ecjpake setup invalid role NONE depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:"abcd":ERR_IN_SET_ROLE:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_NONE:0:ERR_IN_SET_ROLE:PSA_ERROR_NOT_SUPPORTED PSA PAKE: wrong password key type depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_HMAC:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: wrong password key usage depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_ENCRYPT:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_NOT_PERMITTED PSA PAKE: set invalid user depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_INVALID_USER:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_INVALID_USER:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: set invalid peer depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_INVALID_PEER:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_INVALID_PEER:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: set user depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_SET_USER:PSA_ERROR_NOT_SUPPORTED +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_SET_USER:PSA_ERROR_NOT_SUPPORTED PSA PAKE: set peer depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 
-ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_SET_PEER:PSA_ERROR_NOT_SUPPORTED - -# NOTE: this test should be enabled once the psa_pake_set_password_key() function -# will reject empty passwords. The expected error code must be adjusted -# accordingly to the code -#PSA PAKE: empty password -#depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -#ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"":ERR_IN_SET_PASSWORD_KEY:PSA_ERROR_BAD_STATE +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_SET_PEER:PSA_ERROR_NOT_SUPPORTED PSA PAKE: invalid input depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: unkown input step depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT 
+ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: invalid first input step depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE PSA PAKE: input buffer too large depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: valid input operation after a failure depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:"abcd":ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 
256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:1:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE PSA PAKE: invalid output depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: unkown output step depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT PSA PAKE: invalid first output step depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_INVALID_FIRST_STEP:PSA_ERROR_BAD_STATE PSA PAKE: output buffer too small 
depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_BUFFER_TOO_SMALL +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_WRONG_BUFFER_SIZE:PSA_ERROR_BUFFER_TOO_SMALL PSA PAKE: valid output operation after a failure depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 -ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:"abcd":ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE +ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_PAKE_ROLE_SERVER:0:ERR_INJECT_VALID_OPERATION_AFTER_FAILURE:PSA_ERROR_BAD_STATE PSA PAKE: check rounds w/o forced errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index f1cbce55fe..77e8ed6942 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -545,7 +545,7 @@ exit: /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, int primitive_arg, int hash_arg, int role_arg, - int test_input, data_t *pw_data, + int test_input, int err_stage_arg, int expected_error_arg) { 
@@ -565,6 +565,7 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, unsigned char *output_buffer = NULL; size_t output_len = 0; const uint8_t unsupp_id[] = "abcd"; + const uint8_t password[] = "abcd"; psa_key_derivation_operation_t key_derivation; PSA_INIT( ); @@ -573,14 +574,11 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, PSA_PAKE_STEP_KEY_SHARE ); ASSERT_ALLOC( output_buffer, buf_size ); - if( pw_data->len > 0 ) - { - psa_set_key_usage_flags( &attributes, key_usage_pw ); - psa_set_key_algorithm( &attributes, alg ); - psa_set_key_type( &attributes, key_type_pw ); - PSA_ASSERT( psa_import_key( &attributes, pw_data->x, pw_data->len, - &key ) ); - } + psa_set_key_usage_flags( &attributes, key_usage_pw ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, key_type_pw ); + PSA_ASSERT( psa_import_key( &attributes, password, sizeof( password ), + &key ) ); psa_pake_cs_set_algorithm( &cipher_suite, alg ); psa_pake_cs_set_primitive( &cipher_suite, primitive ); From e0d41de82231ae7a613c640b20c20ec88902ce0a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Nov 2022 15:47:27 +0100 Subject: [PATCH 289/413] test: psa_pake: add missing initialization in ecjpake_setup() Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_pake.function | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 77e8ed6942..13c9bcb078 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function 
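Review bot: `sizeof( password )` in the new unconditional `psa_import_key` call counts the terminating NUL of `"abcd"`, so the imported password key is five bytes, not the four-byte value the removed `pw_data` argument used to supply from the .data file. If a four-character password is intended, pass `sizeof( password ) - 1`, or declare it as a byte array `const uint8_t password[] = { 'a', 'b', 'c', 'd' };`. For these error-injection cases the extra byte presumably does not change the outcome, but the fixture should still match what the test names describe. The remainder of ecjpake_setup lies outside this hunk.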
@@ -566,7 +566,8 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, size_t output_len = 0; const uint8_t unsupp_id[] = "abcd"; const uint8_t password[] = "abcd"; - psa_key_derivation_operation_t key_derivation; + psa_key_derivation_operation_t key_derivation = + PSA_KEY_DERIVATION_OPERATION_INIT; PSA_INIT( ); From 728b142f40098fac1f4e2d54ff16023ff3171a7d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Nov 2022 19:47:24 +0100 Subject: [PATCH 290/413] test: psa_pake: port changes from cd356c3 Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_pake.data | 14 +++++++++----- tests/suites/test_suite_psa_crypto_pake.function | 6 +++++- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index 80b22f92e8..4dd1598c2d 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data 
@@ -96,23 +96,27 @@ ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_ PSA PAKE: check rounds w/o forced errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_NONE +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE PSA PAKE: check rounds w/o forced errors, TLS12_PRF depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"abcdef":0:ERR_NONE +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE + +PSA PAKE: check rounds, key is destroyed after being passed to set_password_key +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1:ERR_NONE PSA PAKE: check rounds w/o forced errors, client input first depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:ERR_NONE +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 
PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:0:ERR_NONE PSA PAKE: force early key derivation 1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1 PSA PAKE: force early key derivation 2 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS -ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2 +ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_INJECT_ANTICIPATE_KEY_DERIVATION_2 PSA PAKE: no injected errors depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 13c9bcb078..4f000c13ab 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function 
@@ -775,7 +775,8 @@ exit: /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, int derive_alg_arg, data_t *pw_data, - int client_input_first, int err_stage_arg ) + int client_input_first, int destroy_key, + int err_stage_arg ) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_pake_operation_t server = psa_pake_operation_init(); @@ -827,6 +828,9 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg, PSA_ASSERT( psa_pake_set_password_key( &server, key ) ); PSA_ASSERT( psa_pake_set_password_key( &client, key ) ); + if( destroy_key == 1 ) + psa_destroy_key( key ); + if( err_stage == ERR_INJECT_ANTICIPATE_KEY_DERIVATION_1 ) { TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ), From b6673f0f193dac31232a7ddc23e9b9c4f66bacf5 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 30 Sep 2022 14:13:14 +0100 Subject: [PATCH 291/413] Add modular exponentiation to bignum core Signed-off-by: Janos Follath --- library/bignum_core.c | 135 ++++++++++++++++++++++++++++++++++++++++++ library/bignum_core.h | 23 +++++++ 2 files changed, 158 insertions(+) diff --git a/library/bignum_core.c b/library/bignum_core.c index 34aecda501..227351b70b 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c 
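Review bot: The return value of `psa_destroy_key( key )` in the new `destroy_key` branch is discarded, so if destruction fails the test still passes without exercising what its name claims (that the PAKE operations keep working once the password key is gone); wrap it as `PSA_ASSERT( psa_destroy_key( key ) );`. If the function's exit path also destroys `key` (the rest of ecjpake_rounds is outside this hunk), that second destroy will then operate on an already-destroyed id, so consider resetting the local key id to its initial value right after the early destroy so the cleanup stays a no-op.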
@@ -582,6 +582,141 @@ cleanup: /* BEGIN MERGE SLOT 1 */ +static size_t mpi_exp_mod_get_window_size( size_t Ebits ) +{ + size_t wsize = ( Ebits > 671 ) ? 6 : ( Ebits > 239 ) ? 5 : + ( Ebits > 79 ) ? 4 : ( Ebits > 23 ) ? 3 : 1; + +#if( MBEDTLS_MPI_WINDOW_SIZE < 6 ) + if( wsize > MBEDTLS_MPI_WINDOW_SIZE ) + wsize = MBEDTLS_MPI_WINDOW_SIZE; +#endif + + return( wsize ); +} + +int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, + mbedtls_mpi_uint const *A, + const mbedtls_mpi_uint *N, + size_t n, + const mbedtls_mpi_uint *E, + size_t E_len, + const mbedtls_mpi_uint *RR ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* heap allocated memory pool */ + mbedtls_mpi_uint *mempool = NULL; + /* pointers to temporaries within memory pool */ + mbedtls_mpi_uint *Wtbl, *Wselect, *temp; + /* pointers to table entries */ + mbedtls_mpi_uint *Wcur, *Wlast, *W1; + + size_t wsize, welem; + mbedtls_mpi_uint one = 1, mm; + + mm = mbedtls_mpi_core_montmul_init( N ); /* Compute Montgomery constant */ + E += E_len; /* Skip to end of exponent buffer */ + + wsize = mpi_exp_mod_get_window_size( E_len * biL ); + welem = 1 << wsize; + + /* Allocate memory pool and set pointers to parts of it */ + const size_t table_limbs = welem * n; + const size_t temp_limbs = 2 * n + 1; + const size_t wselect_limbs = n; + const size_t total_limbs = table_limbs + temp_limbs + wselect_limbs; + + mempool = mbedtls_calloc( total_limbs, sizeof(mbedtls_mpi_uint) ); + if( mempool == NULL ) + { + ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; + goto cleanup; + } + + Wtbl = mempool; + Wselect = Wtbl + table_limbs; + temp = Wselect + wselect_limbs; + + /* + * Window precomputation + */ + + /* W[0] = 1 (in Montgomery presentation) */ + memset( Wtbl, 0, n * ciL ); Wtbl[0] = 1; + mbedtls_mpi_core_montmul( Wtbl, Wtbl, RR, n, N, n, mm, temp ); + Wcur = Wtbl + n; + /* W[1] = A * R^2 * R^-1 mod N = A * R mod N */ + memcpy( Wcur, A, n * ciL ); + mbedtls_mpi_core_montmul( Wcur, Wcur, RR, n, N, n, mm, temp ); + W1 = Wcur; + Wcur += 
n; + /* W[i+1] = W[i] * W[1], i >= 2 */ + Wlast = W1; + for( size_t i=2; i < welem; i++, Wlast += n, Wcur += n ) + mbedtls_mpi_core_montmul( Wcur, Wlast, W1, n, N, n, mm, temp ); + + /* + * Sliding window exponentiation + */ + + /* X = 1 (in Montgomery presentation) initially */ + memcpy( X, Wtbl, n * ciL ); + + size_t limb_bits_remaining = 0; + mbedtls_mpi_uint window = 0; + size_t window_bits = 0, cur_limb; + while( 1 ) + { + size_t window_bits_missing = wsize - window_bits; + + const int no_more_bits = + ( limb_bits_remaining == 0 ) && ( E_len == 0 ); + const int window_full = + ( window_bits_missing == 0 ); + + /* Clear window if it's full or if we don't have further bits. */ + if( window_full || no_more_bits ) + { + if( window_bits == 0 ) + break; + /* Select table entry, square and multiply */ + mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtbl, + n, welem, window ); + mbedtls_mpi_core_montmul( X, X, Wselect, n, N, n, mm, temp ); + window = window_bits = 0; + continue; + } + + /* Load next exponent limb if necessary */ + if( limb_bits_remaining == 0 ) + { + cur_limb = *--E; + E_len--; + limb_bits_remaining = biL; + } + + /* Square */ + mbedtls_mpi_core_montmul( X, X, X, n, N, n, mm, temp ); + + /* Insert next exponent bit into window */ + window <<= 1; + window |= ( cur_limb >> ( biL - 1 ) ); + cur_limb <<= 1; + window_bits++; + limb_bits_remaining--; + } + + /* Convert X back to normal presentation */ + mbedtls_mpi_core_montmul( X, X, &one, 1, N, n, mm, temp ); + + ret = 0; + +cleanup: + + mbedtls_free( mempool ); + return( ret ); +} + /* END MERGE SLOT 1 */ /* BEGIN MERGE SLOT 2 */ diff --git a/library/bignum_core.h b/library/bignum_core.h index ad04e08283..82da142163 100644 --- a/library/bignum_core.h +++ b/library/bignum_core.h 
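Review bot: `mempool` is released with a bare `mbedtls_free( mempool )` at `cleanup:` even though, once the loop ends, `Wselect` holds the table entry chosen by the last secret window value and `temp`/`Wtbl` hold Montgomery intermediates, and this function exists specifically for a secret exponent; elsewhere in the bignum code such buffers are zeroized before being freed. Add `if( mempool != NULL ) mbedtls_platform_zeroize( mempool, total_limbs * ciL );` ahead of the free (platform_util.h is presumably already included by this file, confirm), and consider clearing the stack locals `window` and `cur_limb`, which carry raw exponent bits, on the way out. The exponentiation itself looks constant-time with respect to the exponent value: the loop's control flow depends only on `E_len` and `wsize`, and table selection goes through `mbedtls_mpi_core_ct_uint_table_lookup`. The Montgomery steps assume an odd `N` and an `A` already reduced below `N`; the hunk checks neither, which is the stated bignum-core convention, so those preconditions belong in the header comment.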
@@ -496,6 +496,29 @@ int mbedtls_mpi_core_fill_random( mbedtls_mpi_uint *X, size_t X_limbs, /* BEGIN MERGE SLOT 1 */ +/** + * \brief Perform a modular exponentiation with secret exponent: + * X = A^E mod N + * + * \param[out] X The destination MPI, as a little endian array of length + * \p limbs. + * \param[in] A The base MPI, as a little endian array of length \p limbs. + * \param[in] N The modulus, as a little endian array of length \p limbs. + * \param limbs The number of limbs in \p X, \p A, \p N, \p RR. + * \param[in] E The exponent, as a little endian array of length \p E_limbs. + * \param E_limbs The number of limbs in \p E. + * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little + * endian array of length \p limbs. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. + */ +int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, size_t limbs, + const mbedtls_mpi_uint *E, size_t E_limbs, + const mbedtls_mpi_uint *RR ); + /* END MERGE SLOT 1 */ /* BEGIN MERGE SLOT 2 */ From bad42c4d0dbda9787ca476ad3df40de7f0d69264 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 9 Nov 2022 14:30:44 +0000 Subject: [PATCH 292/413] mpi_core_exp_mod: fix local variable type On platforms with size_t different from int, mismatch between size_t and mpi_uint can cause incorrect results or complaints from the compiler. Signed-off-by: Janos Follath mpi_core_exp_mod: Cast local variable explicitly Signed-off-by: Janos Follath --- library/bignum_core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 227351b70b..3b660d0056 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c 
@@ -618,7 +618,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, E += E_len; /* Skip to end of exponent buffer */ wsize = mpi_exp_mod_get_window_size( E_len * biL ); - welem = 1 << wsize; + welem = ( (size_t) 1 ) << wsize; /* Allocate memory pool and set pointers to parts of it */ const size_t table_limbs = welem * n; @@ -663,8 +663,8 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, memcpy( X, Wtbl, n * ciL ); size_t limb_bits_remaining = 0; - mbedtls_mpi_uint window = 0; - size_t window_bits = 0, cur_limb; + mbedtls_mpi_uint cur_limb, window = 0; + size_t window_bits = 0; while( 1 ) { size_t window_bits_missing = wsize - window_bits; From 59cbd1be27f7aef2bad1f6b16333a67df7461e16 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 28 Oct 2022 18:13:43 +0100 Subject: [PATCH 293/413] Make mbedtls_mpi_core_ct_uint_table_lookup static Now that we have a function that calls mbedtls_mpi_core_ct_uint_table_lookup(), the compiler won't complain if we make it static. Signed-off-by: Janos Follath --- library/bignum_core.c | 1 + library/bignum_core.h | 2 ++ tests/suites/test_suite_bignum_core.function | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 3b660d0056..2337ae5214 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -540,6 +540,7 @@ cleanup: return( ret ); } +MBEDTLS_STATIC_TESTABLE void mbedtls_mpi_core_ct_uint_table_lookup( mbedtls_mpi_uint *dest, const mbedtls_mpi_uint *table, size_t limbs, diff --git a/library/bignum_core.h b/library/bignum_core.h index 82da142163..ede8161256 100644 --- a/library/bignum_core.h +++ b/library/bignum_core.h @@ -452,6 +452,7 @@ void mbedtls_mpi_core_montmul( mbedtls_mpi_uint *X, int mbedtls_mpi_core_get_mont_r2_unsafe( mbedtls_mpi *X, const mbedtls_mpi *N ); +#if defined(MBEDTLS_TEST_HOOKS) /** * Copy an MPI from a table without leaking the index. * 
@@ -469,6 +470,7 @@ void mbedtls_mpi_core_ct_uint_table_lookup( mbedtls_mpi_uint *dest, size_t limbs, size_t count, size_t index ); +#endif /* MBEDTLS_TEST_HOOKS */ /** * \brief Fill an integer with a number of random bytes. diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function index 612a7c6bd4..46689468ba 100644 --- a/tests/suites/test_suite_bignum_core.function +++ b/tests/suites/test_suite_bignum_core.function @@ -935,7 +935,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */ void mpi_core_ct_uint_table_lookup( int bitlen, int window_size ) { size_t limbs = BITS_TO_LIMBS( bitlen ); From 0f0d1e88a2afa2349d3f14182f6ef6bffd1b8d40 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 6 Oct 2022 13:36:21 +0100 Subject: [PATCH 294/413] mpi_core_exp_mod: add unit tests The test cases aim to mirror the legacy function, but needed the some cases to be removed because: - Null representation is not valid in core - There are no negative numbers in core - Bignum core doesn't do parameter checking and there are no promises for even N The _size variant of the test has been removed as bignum core doesn't do parameter checking and there is no promises for inputs that are larger than MBEDTLS_MPI_MAX_SIZE. Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_core.function | 53 +++++++++++++++++++ tests/suites/test_suite_bignum_core.misc.data | 25 +++++++++ 2 files changed, 78 insertions(+) diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function index 46689468ba..e262ec1039 100644 --- a/tests/suites/test_suite_bignum_core.function +++ b/tests/suites/test_suite_bignum_core.function 
@@ -1041,6 +1041,59 @@ exit: /* BEGIN MERGE SLOT 1 */ +/* BEGIN_CASE */ +void mpi_core_exp_mod( char * input_A, char * input_E, + char * input_N, char * input_X ) +{ + mbedtls_mpi_uint *A = NULL; + size_t A_limbs; + mbedtls_mpi_uint *E = NULL; + size_t E_limbs; + mbedtls_mpi_uint *N = NULL; + size_t N_limbs; + mbedtls_mpi_uint *X = NULL; + size_t X_limbs; + const mbedtls_mpi_uint *R2 = NULL; + mbedtls_mpi_uint *Y = NULL; + /* Legacy MPIs for computing R2 */ + mbedtls_mpi N_mpi; + mbedtls_mpi_init( &N_mpi ); + mbedtls_mpi R2_mpi; + mbedtls_mpi_init( &R2_mpi ); + + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &A_limbs, input_A ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &E, &E_limbs, input_E ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &N_limbs, input_N ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &X_limbs, input_X ) ); + ASSERT_ALLOC( Y, N_limbs ); + + TEST_EQUAL( A_limbs, N_limbs ); + TEST_EQUAL( X_limbs, N_limbs ); + + TEST_EQUAL( 0, mbedtls_mpi_grow( &N_mpi, N_limbs ) ); + memcpy( N_mpi.p, N, N_limbs * sizeof( *N ) ); + N_mpi.n = N_limbs; + TEST_EQUAL( 0, + mbedtls_mpi_core_get_mont_r2_unsafe( &R2_mpi, &N_mpi ) ); + TEST_EQUAL( 0, mbedtls_mpi_grow( &R2_mpi, N_limbs ) ); + R2 = R2_mpi.p; + + TEST_EQUAL( 0, + mbedtls_mpi_core_exp_mod( Y, A, N, N_limbs, E, E_limbs, R2 ) ); + TEST_EQUAL( 0, memcmp( X, Y, N_limbs * sizeof( mbedtls_mpi_uint ) ) ); + +exit: + mbedtls_free( A ); + mbedtls_free( E ); + mbedtls_free( N ); + mbedtls_free( X ); + mbedtls_free( Y ); + mbedtls_mpi_free( &N_mpi ); + mbedtls_mpi_free( &R2_mpi ); + // R2 doesn't need to be freed as it is only aliasing R2_mpi +} +/* END_CASE */ + /* END MERGE SLOT 1 */ /* BEGIN MERGE SLOT 2 */ diff --git a/tests/suites/test_suite_bignum_core.misc.data b/tests/suites/test_suite_bignum_core.misc.data index 62480e47f7..58e45a3f67 100644 --- a/tests/suites/test_suite_bignum_core.misc.data +++ b/tests/suites/test_suite_bignum_core.misc.data 
@@ -430,6 +430,31 @@ mpi_core_fill_random:42:0:-5:0:MBEDTLS_ERR_MPI_BAD_INPUT_DATA # BEGIN MERGE SLOT 1 +Base test mbedtls_mpi_core_exp_mod #1 +mpi_core_exp_mod:"17":"0d":"1d":"18" + +Test mbedtls_mpi_core_exp_mod: 0 (1 limb) ^ 0 (1 limb) mod 9 +mpi_core_exp_mod:"00":"00":"09":"01" + +Test mbedtls_mpi_core_exp_mod: 0 (1 limb) ^ 1 mod 9 +mpi_core_exp_mod:"00":"01":"09":"00" + +Test mbedtls_mpi_core_exp_mod: 0 (1 limb) ^ 2 mod 9 +mpi_core_exp_mod:"00":"02":"09":"00" + +Test mbedtls_mpi_core_exp_mod: 1 ^ 0 (1 limb) mod 9 +mpi_core_exp_mod:"01":"00":"09":"01" + +Test mbedtls_mpi_core_exp_mod: 4 ^ 0 (1 limb) mod 9 +mpi_core_exp_mod:"04":"00":"09":"01" + +Test mbedtls_mpi_core_exp_mod: 10 ^ 0 (1 limb) mod 9 +mpi_core_exp_mod:"0a":"00":"09":"01" + +Test mbedtls_mpi_core_exp_mod #1 +depends_on:MPI_MAX_BITS_LARGER_THAN_792 +mpi_core_exp_mod:"00000000000000000000000000109fe45714866e56fdd4ad9b6b686df27224afb7868cf4f0cbb794526932853cbf0beea61594166654d13cd9fe0d9da594a97ee20230f12fb5434de73fb4f8102725a01622b31b1ea42e3a265019039ac1df31869bd97930d792fb72cdaa971d8a8015af":"33ae3764fd06a00cdc3cba5c45dc79a9edb4e67e4d057cc74139d531c25190d111775fc4a0f4439b8b1930bbd766e7b46f170601f316c8a18ff8d5cb5ca5581f168345d101edb462b7d93b7c520ccb8fb276b447a63d869203cc11f67a1122dc4da034218de85e39":"011a9351d2d32ccd568e75bf8b4ebbb2a36be691b55832edac662ff79803df8af525fba453068be16ac3920bcc1b468f8f7fe786e0fa4ecbabcad31e5e3b05def802eb8600deaf11ef452487db878df20a80606e4bb6a163b83895d034cc8b53dbcd005be42ffdd2ce99bed06089a0b79d":"0037880b547b41bda303bddda307eefe24b4aedf076c9b814b903aaf328a10825c7e259a20afc6b70b487bb21a6d32d0ee98a0b9f42ff812c901e2f79237fe3e00856992dd69d93ebc0664c75863829621751b0ac35a8ae8a0965841607d3099b8e0ed24442749ba09acbcb165598dcd40" + # END MERGE SLOT 1 # BEGIN MERGE SLOT 2 From a77911e5c1e791854af8fb9e0b26319ac2b9e3be Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Sat, 8 Oct 2022 09:48:20 +0100 Subject: [PATCH 295/413] core_exp_mod: improve window selection We are looking at the exponent at limb granularity and therefore exponent bits can't go below 32. The `mpi_` prefix is also removed as it is better not to have prefix at all than to have just a partial. (Full prefix would be overly long and would hurt readability.) Signed-off-by: Janos Follath --- library/bignum_core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 2337ae5214..79d5a720e3 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -583,10 +583,10 @@ cleanup: /* BEGIN MERGE SLOT 1 */ -static size_t mpi_exp_mod_get_window_size( size_t Ebits ) +static size_t exp_mod_get_window_size( size_t Ebits ) { size_t wsize = ( Ebits > 671 ) ? 6 : ( Ebits > 239 ) ? 5 : - ( Ebits > 79 ) ? 4 : ( Ebits > 23 ) ? 3 : 1; + ( Ebits > 79 ) ? 4 : 1; #if( MBEDTLS_MPI_WINDOW_SIZE < 6 ) if( wsize > MBEDTLS_MPI_WINDOW_SIZE ) @@ -618,7 +618,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, mm = mbedtls_mpi_core_montmul_init( N ); /* Compute Montgomery constant */ E += E_len; /* Skip to end of exponent buffer */ - wsize = mpi_exp_mod_get_window_size( E_len * biL ); + wsize = exp_mod_get_window_size( E_len * biL ); welem = ( (size_t) 1 ) << wsize; /* Allocate memory pool and set pointers to parts of it */ From 0ec6e3f3949713328e22f5cdfe300e5a7649c799 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 14 Nov 2022 12:52:08 +0000 Subject: [PATCH 296/413] mpi_core_mod_exp: improve style and documentation No intended change in behaviour. Signed-off-by: Janos Follath --- library/bignum_core.c | 49 ++++++++++++++++++++++--------------------- library/bignum_core.h | 12 +++++------ 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 79d5a720e3..944b4be6a6 100644 --- a/library/bignum_core.c 
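Review bot: The new ternary `( Ebits > 79 ) ? 4 : 1` changes behaviour beyond removing the unreachable branch: with `Ebits = E_len * biL` never below 32, the old chain returned 3 for 32-79 bits and only its final `1` was dead, so single-limb exponents on 64-bit platforms (and one- or two-limb ones on 32-bit) now get a 1-bit window, i.e. a table lookup and multiply after every squaring instead of after every three. If the intent was purely to drop dead code, `( Ebits > 79 ) ? 4 : 3;` preserves the previous choice; if a 1-bit window is deliberate for short exponents (a smaller precomputed table), the commit message should say so rather than justify the change by the 32-bit lower bound.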
+++ b/library/bignum_core.c @@ -597,11 +597,11 @@ static size_t exp_mod_get_window_size( size_t Ebits ) } int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, - mbedtls_mpi_uint const *A, + const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, - size_t n, + size_t AN_limbs, const mbedtls_mpi_uint *E, - size_t E_len, + size_t E_limbs, const mbedtls_mpi_uint *RR ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -616,15 +616,15 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, mbedtls_mpi_uint one = 1, mm; mm = mbedtls_mpi_core_montmul_init( N ); /* Compute Montgomery constant */ - E += E_len; /* Skip to end of exponent buffer */ + E += E_limbs; /* Skip to end of exponent buffer */ - wsize = exp_mod_get_window_size( E_len * biL ); + wsize = exp_mod_get_window_size( E_limbs * biL ); welem = ( (size_t) 1 ) << wsize; /* Allocate memory pool and set pointers to parts of it */ - const size_t table_limbs = welem * n; - const size_t temp_limbs = 2 * n + 1; - const size_t wselect_limbs = n; + const size_t table_limbs = welem * AN_limbs; + const size_t temp_limbs = 2 * AN_limbs + 1; + const size_t wselect_limbs = AN_limbs; const size_t total_limbs = table_limbs + temp_limbs + wselect_limbs; mempool = mbedtls_calloc( total_limbs, sizeof(mbedtls_mpi_uint) ); 
@@ -643,25 +643,26 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, */ /* W[0] = 1 (in Montgomery presentation) */ - memset( Wtbl, 0, n * ciL ); Wtbl[0] = 1; - mbedtls_mpi_core_montmul( Wtbl, Wtbl, RR, n, N, n, mm, temp ); - Wcur = Wtbl + n; + memset( Wtbl, 0, AN_limbs * ciL ); + Wtbl[0] = 1; + mbedtls_mpi_core_montmul( Wtbl, Wtbl, RR, AN_limbs, N, AN_limbs, mm, temp ); + Wcur = Wtbl + AN_limbs; /* W[1] = A * R^2 * R^-1 mod N = A * R mod N */ - memcpy( Wcur, A, n * ciL ); - mbedtls_mpi_core_montmul( Wcur, Wcur, RR, n, N, n, mm, temp ); + memcpy( Wcur, A, AN_limbs * ciL ); + mbedtls_mpi_core_montmul( Wcur, Wcur, RR, AN_limbs, N, AN_limbs, mm, temp ); W1 = Wcur; - Wcur += n; + Wcur += AN_limbs; /* W[i+1] = W[i] * W[1], i >= 2 */ Wlast = W1; - for( size_t i=2; i < welem; i++, Wlast += n, Wcur += n ) - mbedtls_mpi_core_montmul( Wcur, Wlast, W1, n, N, n, mm, temp ); + for( size_t i = 2; i < welem; i++, Wlast += AN_limbs, Wcur += AN_limbs ) + mbedtls_mpi_core_montmul( Wcur, Wlast, W1, AN_limbs, N, AN_limbs, mm, temp ); /* - * Sliding window exponentiation + * Fixed window exponentiation */ /* X = 1 (in Montgomery presentation) initially */ - memcpy( X, Wtbl, n * ciL ); + memcpy( X, Wtbl, AN_limbs * ciL ); size_t limb_bits_remaining = 0; mbedtls_mpi_uint cur_limb, window = 0; @@ -671,7 +672,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, size_t window_bits_missing = wsize - window_bits; const int no_more_bits = - ( limb_bits_remaining == 0 ) && ( E_len == 0 ); + ( limb_bits_remaining == 0 ) && ( E_limbs == 0 ); const int window_full = ( window_bits_missing == 0 ); 
@@ -682,8 +683,8 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, break; /* Select table entry, square and multiply */ mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtbl, - n, welem, window ); - mbedtls_mpi_core_montmul( X, X, Wselect, n, N, n, mm, temp ); + AN_limbs, welem, window ); + mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, temp ); window = window_bits = 0; continue; } @@ -692,12 +693,12 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, if( limb_bits_remaining == 0 ) { cur_limb = *--E; - E_len--; + E_limbs--; limb_bits_remaining = biL; } /* Square */ - mbedtls_mpi_core_montmul( X, X, X, n, N, n, mm, temp ); + mbedtls_mpi_core_montmul( X, X, X, AN_limbs, N, AN_limbs, mm, temp ); /* Insert next exponent bit into window */ window <<= 1; @@ -708,7 +709,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, } /* Convert X back to normal presentation */ - mbedtls_mpi_core_montmul( X, X, &one, 1, N, n, mm, temp ); + mbedtls_mpi_core_montmul( X, X, &one, 1, N, AN_limbs, mm, temp ); ret = 0; diff --git a/library/bignum_core.h b/library/bignum_core.h index ede8161256..58a9f5a670 100644 --- a/library/bignum_core.h +++ b/library/bignum_core.h 
@@ -503,21 +503,21 @@ int mbedtls_mpi_core_fill_random( mbedtls_mpi_uint *X, size_t X_limbs, * X = A^E mod N * * \param[out] X The destination MPI, as a little endian array of length - * \p limbs. - * \param[in] A The base MPI, as a little endian array of length \p limbs. - * \param[in] N The modulus, as a little endian array of length \p limbs. - * \param limbs The number of limbs in \p X, \p A, \p N, \p RR. + * \p AN_limbs. + * \param[in] A The base MPI, as a little endian array of length \p AN_limbs. + * \param[in] N The modulus, as a little endian array of length \p AN_limbs. + * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR. * \param[in] E The exponent, as a little endian array of length \p E_limbs. * \param E_limbs The number of limbs in \p E. * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little - * endian array of length \p limbs. + * endian array of length \p AN_limbs. * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. */ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, - const mbedtls_mpi_uint *N, size_t limbs, + const mbedtls_mpi_uint *N, size_t AN_limbs, const mbedtls_mpi_uint *E, size_t E_limbs, const mbedtls_mpi_uint *RR ); From 07f2c69511303ddc667756c0bb56c90d737573b4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 19:48:23 +0100 Subject: [PATCH 297/413] More consistent variable names Signed-off-by: Gilles Peskine --- library/bignum_core.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 944b4be6a6..957f190986 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c 
@@ -608,7 +608,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, /* heap allocated memory pool */ mbedtls_mpi_uint *mempool = NULL; /* pointers to temporaries within memory pool */ - mbedtls_mpi_uint *Wtbl, *Wselect, *temp; + mbedtls_mpi_uint *Wtable, *Wselect, *temp; /* pointers to table entries */ mbedtls_mpi_uint *Wcur, *Wlast, *W1; @@ -624,8 +624,8 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, /* Allocate memory pool and set pointers to parts of it */ const size_t table_limbs = welem * AN_limbs; const size_t temp_limbs = 2 * AN_limbs + 1; - const size_t wselect_limbs = AN_limbs; - const size_t total_limbs = table_limbs + temp_limbs + wselect_limbs; + const size_t select_limbs = AN_limbs; + const size_t total_limbs = table_limbs + temp_limbs + select_limbs; mempool = mbedtls_calloc( total_limbs, sizeof(mbedtls_mpi_uint) ); if( mempool == NULL ) @@ -634,19 +634,19 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, goto cleanup; } - Wtbl = mempool; - Wselect = Wtbl + table_limbs; - temp = Wselect + wselect_limbs; + Wtable = mempool; + Wselect = Wtable + table_limbs; + temp = Wselect + select_limbs; /* * Window precomputation */ /* W[0] = 1 (in Montgomery presentation) */ - memset( Wtbl, 0, AN_limbs * ciL ); - Wtbl[0] = 1; - mbedtls_mpi_core_montmul( Wtbl, Wtbl, RR, AN_limbs, N, AN_limbs, mm, temp ); - Wcur = Wtbl + AN_limbs; + memset( Wtable, 0, AN_limbs * ciL ); + Wtable[0] = 1; + mbedtls_mpi_core_montmul( Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp ); + Wcur = Wtable + AN_limbs; /* W[1] = A * R^2 * R^-1 mod N = A * R mod N */ memcpy( Wcur, A, AN_limbs * ciL ); mbedtls_mpi_core_montmul( Wcur, Wcur, RR, AN_limbs, N, AN_limbs, mm, temp ); @@ -662,7 +662,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, */ /* X = 1 (in Montgomery presentation) initially */ - memcpy( X, Wtbl, AN_limbs * ciL ); + memcpy( X, Wtable, AN_limbs * ciL ); size_t limb_bits_remaining = 0; mbedtls_mpi_uint cur_limb, window = 0; 
@@ -682,7 +682,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, if( window_bits == 0 ) break; /* Select table entry, square and multiply */ - mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtbl, + mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtable, AN_limbs, welem, window ); mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, temp ); window = window_bits = 0; From 7af166b827226e059118d8cb5c6e1ecb8e2ed3cf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 19:52:30 +0100 Subject: [PATCH 298/413] Change E closer to where it's used Signed-off-by: Gilles Peskine --- library/bignum_core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 957f190986..a6aa5a83b9 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -616,7 +616,6 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, mbedtls_mpi_uint one = 1, mm; mm = mbedtls_mpi_core_montmul_init( N ); /* Compute Montgomery constant */ - E += E_limbs; /* Skip to end of exponent buffer */ wsize = exp_mod_get_window_size( E_limbs * biL ); welem = ( (size_t) 1 ) << wsize; @@ -664,6 +663,9 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, /* X = 1 (in Montgomery presentation) initially */ memcpy( X, Wtable, AN_limbs * ciL ); + /* Start from the end of exponent buffer */ + E += E_limbs; + size_t limb_bits_remaining = 0; mbedtls_mpi_uint cur_limb, window = 0; size_t window_bits = 0; From cf979b0fc1ff4033c907ad5adf980ad4530e2f41 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 20:04:00 +0100 Subject: [PATCH 299/413] Define variables closer to their use Make variables const where possible. Signed-off-by: Gilles Peskine --- library/bignum_core.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index a6aa5a83b9..c38daa48c2 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c 
@@ -607,18 +607,9 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* heap allocated memory pool */ mbedtls_mpi_uint *mempool = NULL; - /* pointers to temporaries within memory pool */ - mbedtls_mpi_uint *Wtable, *Wselect, *temp; - /* pointers to table entries */ - mbedtls_mpi_uint *Wcur, *Wlast, *W1; - size_t wsize, welem; - mbedtls_mpi_uint one = 1, mm; - - mm = mbedtls_mpi_core_montmul_init( N ); /* Compute Montgomery constant */ - - wsize = exp_mod_get_window_size( E_limbs * biL ); - welem = ( (size_t) 1 ) << wsize; + const size_t wsize = exp_mod_get_window_size( E_limbs * biL ); + const size_t welem = ( (size_t) 1 ) << wsize; /* Allocate memory pool and set pointers to parts of it */ const size_t table_limbs = welem * AN_limbs; @@ -633,14 +624,20 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, goto cleanup; } - Wtable = mempool; - Wselect = Wtable + table_limbs; - temp = Wselect + select_limbs; + /* pointers to temporaries within memory pool */ + mbedtls_mpi_uint *const Wtable = mempool; + mbedtls_mpi_uint *const Wselect = Wtable + table_limbs; + mbedtls_mpi_uint *const temp = Wselect + select_limbs; /* * Window precomputation */ + const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init( N ); + + /* pointers to table entries */ + mbedtls_mpi_uint *Wcur, *Wlast, *W1; + /* W[0] = 1 (in Montgomery presentation) */ memset( Wtable, 0, AN_limbs * ciL ); Wtable[0] = 1; @@ -667,8 +664,11 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, E += E_limbs; size_t limb_bits_remaining = 0; - mbedtls_mpi_uint cur_limb, window = 0; + mbedtls_mpi_uint window = 0; size_t window_bits = 0; + /* Will be initialized properly in the first loop iteration */ + mbedtls_mpi_uint cur_limb = 0; + while( 1 ) { size_t window_bits_missing = wsize - window_bits; 
@@ -711,6 +711,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, } /* Convert X back to normal presentation */ + const mbedtls_mpi_uint one = 1; mbedtls_mpi_core_montmul( X, X, &one, 1, N, AN_limbs, mm, temp ); ret = 0; From 0de0a049f1f0c53da0ead6307ab7034d9d4b8534 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 20:12:49 +0100 Subject: [PATCH 300/413] Move window precomputation into an auxiliary function Signed-off-by: Gilles Peskine --- library/bignum_core.c | 49 ++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 17 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index c38daa48c2..14f2f5a876 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -596,6 +596,34 @@ static size_t exp_mod_get_window_size( size_t Ebits ) return( wsize ); } +static void exp_mod_precompute_window( const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, + size_t AN_limbs, + mbedtls_mpi_uint mm, + const mbedtls_mpi_uint *RR, + size_t welem, + mbedtls_mpi_uint *Wtable, + mbedtls_mpi_uint *temp ) +{ + /* pointers to table entries */ + mbedtls_mpi_uint *Wcur, *Wlast, *W1; + + /* W[0] = 1 (in Montgomery presentation) */ + memset( Wtable, 0, AN_limbs * ciL ); + Wtable[0] = 1; + mbedtls_mpi_core_montmul( Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp ); + Wcur = Wtable + AN_limbs; + /* W[1] = A * R^2 * R^-1 mod N = A * R mod N */ + memcpy( Wcur, A, AN_limbs * ciL ); + mbedtls_mpi_core_montmul( Wcur, Wcur, RR, AN_limbs, N, AN_limbs, mm, temp ); + W1 = Wcur; + Wcur += AN_limbs; + /* W[i+1] = W[i] * W[1], i >= 2 */ + Wlast = W1; + for( size_t i = 2; i < welem; i++, Wlast += AN_limbs, Wcur += AN_limbs ) + mbedtls_mpi_core_montmul( Wcur, Wlast, W1, AN_limbs, N, AN_limbs, mm, temp ); +} + int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, 
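Review bot: The new static helper `exp_mod_precompute_window` carries no header comment stating its contract, although its correctness rests on two things the caller must guarantee: `Wtable` must hold at least `welem * AN_limbs` limbs, and `welem` must be at least 2, because W[0] and W[1] are written unconditionally before the `for` loop ever checks `i < welem`. `welem` comes from `exp_mod_get_window_size`, which is outside this hunk, so whether it can ever be 1 is not visible here. From the inline comments (`W[1] = A * R^2 * R^-1 mod N = A * R mod N`, then repeated multiplication by W[1]) the table ends up as A^i in Montgomery form, so I would add above the function: `/* Fill Wtable[i] = A^i * R mod N (Montgomery form) for 0 <= i < welem. Wtable must hold welem * AN_limbs limbs and welem must be >= 2; temp is the scratch buffer mbedtls_mpi_core_montmul expects. */`.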
@@ -635,23 +663,10 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init( N ); - /* pointers to table entries */ - mbedtls_mpi_uint *Wcur, *Wlast, *W1; - - /* W[0] = 1 (in Montgomery presentation) */ - memset( Wtable, 0, AN_limbs * ciL ); - Wtable[0] = 1; - mbedtls_mpi_core_montmul( Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp ); - Wcur = Wtable + AN_limbs; - /* W[1] = A * R^2 * R^-1 mod N = A * R mod N */ - memcpy( Wcur, A, AN_limbs * ciL ); - mbedtls_mpi_core_montmul( Wcur, Wcur, RR, AN_limbs, N, AN_limbs, mm, temp ); - W1 = Wcur; - Wcur += AN_limbs; - /* W[i+1] = W[i] * W[1], i >= 2 */ - Wlast = W1; - for( size_t i = 2; i < welem; i++, Wlast += AN_limbs, Wcur += AN_limbs ) - mbedtls_mpi_core_montmul( Wcur, Wlast, W1, AN_limbs, N, AN_limbs, mm, temp ); + /* Set Wtable[i] = A^(2^i) (in Montgomery representation) */ + exp_mod_precompute_window( A, N, AN_limbs, + mm, RR, + welem, Wtable, temp ); /* * Fixed window exponentiation From d83b5cb504cfc8ff17faf55fff20c68f25b44a86 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 20:26:14 +0100 Subject: [PATCH 301/413] Local readability improvements Signed-off-by: Gilles Peskine --- library/bignum_core.c | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 14f2f5a876..b7d6b62534 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c 
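Review bot: The comment added at the call site, `/* Set Wtable[i] = A^(2^i) (in Montgomery representation) */`, does not describe what `exp_mod_precompute_window` builds: it seeds W[1] = A·R and then multiplies each entry by W[1], so Wtable[i] is A^i, which is exactly what the fixed-window step below needs when it multiplies X by Wtable[window]. A^(2^i) would be the table of a square-and-multiply ladder, not of a k-ary window. I would change the line to `/* Set Wtable[i] = A^i (in Montgomery representation), 0 <= i < welem */`. The enclosing function continues outside the hunk.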
@@ -605,23 +605,23 @@ static void exp_mod_precompute_window( const mbedtls_mpi_uint *A, mbedtls_mpi_uint *Wtable, mbedtls_mpi_uint *temp ) { - /* pointers to table entries */ - mbedtls_mpi_uint *Wcur, *Wlast, *W1; - /* W[0] = 1 (in Montgomery presentation) */ memset( Wtable, 0, AN_limbs * ciL ); Wtable[0] = 1; mbedtls_mpi_core_montmul( Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp ); - Wcur = Wtable + AN_limbs; + /* W[1] = A * R^2 * R^-1 mod N = A * R mod N */ - memcpy( Wcur, A, AN_limbs * ciL ); - mbedtls_mpi_core_montmul( Wcur, Wcur, RR, AN_limbs, N, AN_limbs, mm, temp ); - W1 = Wcur; - Wcur += AN_limbs; + mbedtls_mpi_uint *W1 = Wtable + AN_limbs; + mbedtls_mpi_core_montmul( W1, A, RR, AN_limbs, N, AN_limbs, mm, temp ); + /* W[i+1] = W[i] * W[1], i >= 2 */ - Wlast = W1; - for( size_t i = 2; i < welem; i++, Wlast += AN_limbs, Wcur += AN_limbs ) - mbedtls_mpi_core_montmul( Wcur, Wlast, W1, AN_limbs, N, AN_limbs, mm, temp ); + mbedtls_mpi_uint *Wprev = W1; + for( size_t i = 2; i < welem; i++ ) + { + mbedtls_mpi_uint *Wcur = Wprev + AN_limbs; + mbedtls_mpi_core_montmul( Wcur, Wprev, W1, AN_limbs, N, AN_limbs, mm, temp ); + Wprev = Wcur; + } } int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, @@ -702,15 +702,17 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtable, AN_limbs, welem, window ); mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, temp ); - window = window_bits = 0; + window = 0; + window_bits = 0; continue; } /* Load next exponent limb if necessary */ if( limb_bits_remaining == 0 ) { - cur_limb = *--E; - E_limbs--; + --E; + cur_limb = *E; + --E_limbs; limb_bits_remaining = biL; } @@ -721,8 +723,8 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, window <<= 1; window |= ( cur_limb >> ( biL - 1 ) ); cur_limb <<= 1; - window_bits++; - limb_bits_remaining--; + ++window_bits; + --limb_bits_remaining; } /* Convert X back to normal presentation */ 
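Review bot: The loop comment kept as `/* W[i+1] = W[i] * W[1], i >= 2 */` is off by one relative to the rewritten loop: for each `i` in `[2, welem)` the body writes `Wcur = Wprev + AN_limbs`, that is W[i] = W[i-1] * W[1], so it should read `/* W[i] = W[i-1] * W[1], 2 <= i < welem */`. The rewrite also drops the `memcpy` of A into the table and computes `mbedtls_mpi_core_montmul( W1, A, RR, ... )` directly; that is a behaviour-preserving simplification, but a one-line note that A is no longer copied (so `A` must remain valid and unaliased with `Wtable` for the call) would help the next reader. The second hunk in this commit only renames and splits statements and needs no change.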
From c718a3ce94897377670a057851a60edca148c4e2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 20:42:09 +0100 Subject: [PATCH 302/413] Simplify exponent bit selection Use indices instead of mutating data to extract the bits of the exponent. Signed-off-by: Gilles Peskine --- library/bignum_core.c | 37 +++++++++++++++++-------------------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index b7d6b62534..c05e603226 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -675,21 +675,20 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, /* X = 1 (in Montgomery presentation) initially */ memcpy( X, Wtable, AN_limbs * ciL ); - /* Start from the end of exponent buffer */ - E += E_limbs; - - size_t limb_bits_remaining = 0; + /* We'll process the bits of E from most significant + * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant + * (limb_index=0, E_bit_index=0). */ + size_t E_limb_index = E_limbs; + size_t E_bit_index = 0; mbedtls_mpi_uint window = 0; size_t window_bits = 0; - /* Will be initialized properly in the first loop iteration */ - mbedtls_mpi_uint cur_limb = 0; while( 1 ) { size_t window_bits_missing = wsize - window_bits; const int no_more_bits = - ( limb_bits_remaining == 0 ) && ( E_limbs == 0 ); + ( E_bit_index == 0 ) && ( E_limb_index == 0 ); const int window_full = ( window_bits_missing == 0 ); 
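Review bot: The new comment says the walk starts at `(limb_index=E_limbs-1, E_bit_index=biL-1)`, but the variables are initialised to `E_limb_index = E_limbs; E_bit_index = 0;`, a position one past the most significant bit that only works because the loop body (in the following hunk) steps to the next bit before it reads `E[E_limb_index]`. A reader checking bounds will otherwise take `E[E_limbs]` for an out-of-range access. I would say so explicitly: `/* Start one position past the most significant bit: the loop advances before it reads, so the first bit consumed is bit biL-1 of limb E_limbs-1. */`. The loop that consumes these indices lies in the next hunk.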
@@ -707,24 +706,22 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, continue; } - /* Load next exponent limb if necessary */ - if( limb_bits_remaining == 0 ) - { - --E; - cur_limb = *E; - --E_limbs; - limb_bits_remaining = biL; - } - /* Square */ mbedtls_mpi_core_montmul( X, X, X, AN_limbs, N, AN_limbs, mm, temp ); /* Insert next exponent bit into window */ - window <<= 1; - window |= ( cur_limb >> ( biL - 1 ) ); - cur_limb <<= 1; + if( E_bit_index == 0 ) + { + --E_limb_index; + E_bit_index = biL - 1; + } + else + { + --E_bit_index; + } ++window_bits; - --limb_bits_remaining; + window <<= 1; + window |= ( E[E_limb_index] >> E_bit_index ) & 1; } /* Convert X back to normal presentation */ From 3b63d09fead5623c42cb3f0e54e36d52604ccfe8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 22:06:18 +0100 Subject: [PATCH 303/413] Make the main loop's logic clearer The loop ends when there are no more bits to process, with one twist: when that happens, we need to clear the window one last time. Since the window does not start empty (E_limbs==0 is not supported), the loop always starts with a non-empty window and some bits to process. So it's correct to move the window clearing logic to the end of the loop. This lets us exit the loop when the end of the exponent is reached. It would be clearer not to do the final window clearing inside the loop, so we wouldn't need to repeat the loop termination condition (end of exponent reached) inside the loop. However, this requires duplicating the code to clear the window. Empirically, this causes a significant code size increase, even if the window clearing code is placed into a function. Signed-off-by: Gilles Peskine --- library/bignum_core.c | 37 +++++++++++++++---------------------- 1 file changed, 15 insertions(+), 22 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index c05e603226..737e08df2f 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c 
@@ -683,29 +683,8 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, mbedtls_mpi_uint window = 0; size_t window_bits = 0; - while( 1 ) + do { - size_t window_bits_missing = wsize - window_bits; - - const int no_more_bits = - ( E_bit_index == 0 ) && ( E_limb_index == 0 ); - const int window_full = - ( window_bits_missing == 0 ); - - /* Clear window if it's full or if we don't have further bits. */ - if( window_full || no_more_bits ) - { - if( window_bits == 0 ) - break; - /* Select table entry, square and multiply */ - mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtable, - AN_limbs, welem, window ); - mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, temp ); - window = 0; - window_bits = 0; - continue; - } - /* Square */ mbedtls_mpi_core_montmul( X, X, X, AN_limbs, N, AN_limbs, mm, temp ); @@ -722,7 +701,21 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, ++window_bits; window <<= 1; window |= ( E[E_limb_index] >> E_bit_index ) & 1; + + /* Clear window if it's full. Also clear the window at the end, + * when we've finished processing the exponent. */ + if( window_bits == wsize || + ( E_bit_index == 0 && E_limb_index == 0 ) ) + { + /* Select table entry, square and multiply */ + mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtable, + AN_limbs, welem, window ); + mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, temp ); + window = 0; + window_bits = 0; + } } + while( ! ( E_bit_index == 0 && E_limb_index == 0 ) ); /* Convert X back to normal presentation */ const mbedtls_mpi_uint one = 1; From 4380d7b7f30785b6bacc032b68f19f2e2a47d786 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 22:20:59 +0100 Subject: [PATCH 304/413] Simplify cleanup logic Take advantage of the fact that there's a single point of failure. Signed-off-by: Gilles Peskine --- library/bignum_core.c | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) 
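Review bot: Turning the loop into `do { ... } while( ! ( E_bit_index == 0 && E_limb_index == 0 ) )` makes `E_limbs == 0` undefined behaviour: the body now runs once unconditionally, sees `E_bit_index == 0`, decrements `E_limb_index` from 0 to SIZE_MAX and reads `E[E_limb_index]`, whereas the previous `while( 1 )` form broke out on `no_more_bits` with an empty window and returned X = 1. The commit message says E_limbs == 0 is unsupported, but the API documentation in bignum_core.h (visible earlier in this series) only says `\param E_limbs The number of limbs in \p E.`; I would add `Must be at least 1.` there, and likewise for `AN_limbs`, rather than leave the precondition to a comment in the .c file, which is all a later commit in this series adds. If callers cannot be trusted to honour it, an explicit early `if( E_limbs == 0 )` path that sets X to 1 would restore the old behaviour at negligible cost. The `do` header and the `while` condition sit in the two hunks that share this line.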
diff --git a/library/bignum_core.c b/library/bignum_core.c index 737e08df2f..a8879b327f 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -632,10 +632,6 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, size_t E_limbs, const mbedtls_mpi_uint *RR ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* heap allocated memory pool */ - mbedtls_mpi_uint *mempool = NULL; - const size_t wsize = exp_mod_get_window_size( E_limbs * biL ); const size_t welem = ( (size_t) 1 ) << wsize; @@ -645,11 +641,12 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, const size_t select_limbs = AN_limbs; const size_t total_limbs = table_limbs + temp_limbs + select_limbs; - mempool = mbedtls_calloc( total_limbs, sizeof(mbedtls_mpi_uint) ); + /* heap allocated memory pool */ + mbedtls_mpi_uint *mempool = + mbedtls_calloc( total_limbs, sizeof(mbedtls_mpi_uint) ); if( mempool == NULL ) { - ret = MBEDTLS_ERR_MPI_ALLOC_FAILED; - goto cleanup; + return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); } /* pointers to temporaries within memory pool */ @@ -721,12 +718,8 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, const mbedtls_mpi_uint one = 1; mbedtls_mpi_core_montmul( X, X, &one, 1, N, AN_limbs, mm, temp ); - ret = 0; - -cleanup: - mbedtls_free( mempool ); - return( ret ); + return( 0 ); } /* END MERGE SLOT 1 */ From 0b270a560340856fed09deb58df8801326cf82d6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 22:54:03 +0100 Subject: [PATCH 305/413] Explain a little more Signed-off-by: Gilles Peskine --- library/bignum_core.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index a8879b327f..247600c521 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c 
@@ -677,8 +677,10 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, * (limb_index=0, E_bit_index=0). */ size_t E_limb_index = E_limbs; size_t E_bit_index = 0; - mbedtls_mpi_uint window = 0; + /* At any given time, window contains window_bits bits from E. + * window_bits can go up to wsize. */ size_t window_bits = 0; + mbedtls_mpi_uint window = 0; do { @@ -704,9 +706,11 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, if( window_bits == wsize || ( E_bit_index == 0 && E_limb_index == 0 ) ) { - /* Select table entry, square and multiply */ + /* Select Wtable[window] without leaking window through + * memory access patterns. */ mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtable, AN_limbs, welem, window ); + /* Multiply X by the selected element. */ mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, temp ); window = 0; window_bits = 0; From 7d89d351e603564cea00942b0d817c90407c8811 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 16 Nov 2022 22:54:14 +0100 Subject: [PATCH 306/413] Zeroize sensitive data Signed-off-by: Gilles Peskine --- library/bignum_core.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/library/bignum_core.c b/library/bignum_core.c index 247600c521..71a2fb16a4 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -624,6 +624,12 @@ static void exp_mod_precompute_window( const mbedtls_mpi_uint *A, } } +/* Exponentiation: X := A^E mod N. + * + * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero. + * + * RR must contain 2^{2*biL} mod N. + */ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, const mbedtls_mpi_uint *N, @@ -722,6 +728,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, const mbedtls_mpi_uint one = 1; mbedtls_mpi_core_montmul( X, X, &one, 1, N, AN_limbs, mm, temp ); + mbedtls_platform_zeroize( mempool, total_limbs * sizeof(mbedtls_mpi_uint) ); mbedtls_free( mempool ); return( 0 ); } 
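Review bot: The new precondition comment `RR must contain 2^{2*biL} mod N` looks inconsistent with how RR is used: the precomputation comments treat RR as R^2 (`W[1] = A * R^2 * R^-1 mod N = A * R mod N`), and for a Montgomery reduction over `AN_limbs` limbs R would be 2^{AN_limbs*biL}, so RR would be 2^{2*AN_limbs*biL} mod N; the two only agree when AN_limbs == 1. I cannot see `mbedtls_mpi_core_montmul` here, so please confirm, but if R is the full-width radix the comment should read `RR must contain 2^{2*AN_limbs*biL} mod N (i.e. R^2 mod N)` and the matching `\param[in] RR` text in bignum_core.h should be corrected too. The added `mbedtls_platform_zeroize` of the pool before `mbedtls_free` is the right call, since the pool holds the Montgomery table of A and the selected entries.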
From 3321b5842c2f4d4135c2595c3d01f2f621261b80 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 22 Nov 2022 21:08:33 +0000 Subject: [PATCH 307/413] mpi_exp_mod: improve documentation Signed-off-by: Janos Follath --- library/bignum_core.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/library/bignum_core.c b/library/bignum_core.c index 71a2fb16a4..2b3405ffc9 100644 --- a/library/bignum_core.c +++ b/library/bignum_core.c @@ -629,6 +629,10 @@ static void exp_mod_precompute_window( const mbedtls_mpi_uint *A, * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero. * * RR must contain 2^{2*biL} mod N. + * + * The algorithm is a variant of Left-to-right k-ary exponentiation: HAC 14.82 + * (The difference is that the body in our loop processes a single bit instead + * of a full window.) */ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, @@ -693,7 +697,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, /* Square */ mbedtls_mpi_core_montmul( X, X, X, AN_limbs, N, AN_limbs, mm, temp ); - /* Insert next exponent bit into window */ + /* Move to the next bit of the exponent */ if( E_bit_index == 0 ) { --E_limb_index; @@ -703,6 +707,7 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, { --E_bit_index; } + /* Insert next exponent bit into window */ ++window_bits; window <<= 1; window |= ( E[E_limb_index] >> E_bit_index ) & 1; @@ -717,7 +722,8 @@ int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X, mbedtls_mpi_core_ct_uint_table_lookup( Wselect, Wtable, AN_limbs, welem, window ); /* Multiply X by the selected element. */ - mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, temp ); + mbedtls_mpi_core_montmul( X, X, Wselect, AN_limbs, N, AN_limbs, mm, + temp ); window = 0; window_bits = 0; } From 05867cb036c40af689c174ee06f49a6a53c73de5 Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Tue, 22 Nov 2022 21:37:10 +0000 Subject: [PATCH 308/413] mpi_core_exp_mod: add generated tests Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_core.py | 21 ++++++++++++++++++++ tests/suites/test_suite_bignum_core.function | 4 ++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index 4910daea87..f85fb2e36a 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py @@ -755,6 +755,27 @@ def mpi_modmul_case_generate() -> None: # BEGIN MERGE SLOT 1 +class BignumCoreExpMod(BignumCoreTarget, bignum_common.ModOperationCommon): + """Test cases for bignum core exponentiation.""" + symbol = "^" + test_function = "mpi_core_exp_mod" + test_name = "Core modular exponentiation" + input_style = "fixed" + + def result(self) -> List[str]: + result = pow(self.int_a, self.int_b, self.int_n) + return [self.format_result(result)] + + @property + def is_valid(self) -> bool: + # The base needs to be canonical, but the exponent can be larger than + # the modulus (see for example exponent blinding) + if self.int_a < self.int_n: + return True + else: + return False + + # END MERGE SLOT 1 # BEGIN MERGE SLOT 2 diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function index e262ec1039..f9a768c0ca 100644 --- a/tests/suites/test_suite_bignum_core.function +++ b/tests/suites/test_suite_bignum_core.function @@ -1042,8 +1042,8 @@ exit: /* BEGIN MERGE SLOT 1 */ /* BEGIN_CASE */ -void mpi_core_exp_mod( char * input_A, char * input_E, - char * input_N, char * input_X ) +void mpi_core_exp_mod( char * input_N, char * input_A, + char * input_E, char * input_X ) { mbedtls_mpi_uint *A = NULL; size_t A_limbs; From cf0e86c9b8ac88ec5dca7522824a53c1c518f036 Mon Sep 17 00:00:00 2001 
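Review bot: Swapping the parameter order of `mpi_core_exp_mod` to `( input_N, input_A, input_E, input_X )` in this commit, while the hand-written cases in test_suite_bignum_core.misc.data still list `A, E, N, X` (for instance `mpi_core_exp_mod:"17":"0d":"1d":"18"`), means that at this commit those cases run with N and A swapped and fail; they are only deleted in the following commit. The reorder and the .data removal, or a rewrite of those lines in the new order, belong in the same commit so that every commit in the series passes its own test suite. The body of the test function continues outside the hunk.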
From: Janos Follath Date: Tue, 22 Nov 2022 21:40:24 +0000 Subject: [PATCH 309/413] mpi_core_exp_mod: remove manual tests The previous commit added generated tests, we don't need the manually added tests anymore. Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_core.misc.data | 25 ------------------- 1 file changed, 25 deletions(-) diff --git a/tests/suites/test_suite_bignum_core.misc.data b/tests/suites/test_suite_bignum_core.misc.data index 58e45a3f67..62480e47f7 100644 --- a/tests/suites/test_suite_bignum_core.misc.data +++ b/tests/suites/test_suite_bignum_core.misc.data 
@@ -430,31 +430,6 @@ mpi_core_fill_random:42:0:-5:0:MBEDTLS_ERR_MPI_BAD_INPUT_DATA # BEGIN MERGE SLOT 1 -Base test mbedtls_mpi_core_exp_mod #1 -mpi_core_exp_mod:"17":"0d":"1d":"18" - -Test mbedtls_mpi_core_exp_mod: 0 (1 limb) ^ 0 (1 limb) mod 9 -mpi_core_exp_mod:"00":"00":"09":"01" - -Test mbedtls_mpi_core_exp_mod: 0 (1 limb) ^ 1 mod 9 -mpi_core_exp_mod:"00":"01":"09":"00" - -Test mbedtls_mpi_core_exp_mod: 0 (1 limb) ^ 2 mod 9 -mpi_core_exp_mod:"00":"02":"09":"00" - -Test mbedtls_mpi_core_exp_mod: 1 ^ 0 (1 limb) mod 9 -mpi_core_exp_mod:"01":"00":"09":"01" - -Test mbedtls_mpi_core_exp_mod: 4 ^ 0 (1 limb) mod 9 -mpi_core_exp_mod:"04":"00":"09":"01" - -Test mbedtls_mpi_core_exp_mod: 10 ^ 0 (1 limb) mod 9 -mpi_core_exp_mod:"0a":"00":"09":"01" - -Test mbedtls_mpi_core_exp_mod #1 -depends_on:MPI_MAX_BITS_LARGER_THAN_792 -mpi_core_exp_mod:"00000000000000000000000000109fe45714866e56fdd4ad9b6b686df27224afb7868cf4f0cbb794526932853cbf0beea61594166654d13cd9fe0d9da594a97ee20230f12fb5434de73fb4f8102725a01622b31b1ea42e3a265019039ac1df31869bd97930d792fb72cdaa971d8a8015af":"33ae3764fd06a00cdc3cba5c45dc79a9edb4e67e4d057cc74139d531c25190d111775fc4a0f4439b8b1930bbd766e7b46f170601f316c8a18ff8d5cb5ca5581f168345d101edb462b7d93b7c520ccb8fb276b447a63d869203cc11f67a1122dc4da034218de85e39":"011a9351d2d32ccd568e75bf8b4ebbb2a36be691b55832edac662ff79803df8af525fba453068be16ac3920bcc1b468f8f7fe786e0fa4ecbabcad31e5e3b05def802eb8600deaf11ef452487db878df20a80606e4bb6a163b83895d034cc8b53dbcd005be42ffdd2ce99bed06089a0b79d":"0037880b547b41bda303bddda307eefe24b4aedf076c9b814b903aaf328a10825c7e259a20afc6b70b487bb21a6d32d0ee98a0b9f42ff812c901e2f79237fe3e00856992dd69d93ebc0664c75863829621751b0ac35a8ae8a0965841607d3099b8e0ed24442749ba09acbcb165598dcd40" - # END MERGE SLOT 1 # BEGIN MERGE SLOT 2 From 43d3de4977a86be1cf19bc6e3b7a558ab86737a6 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 22 Nov 2022 21:50:22 +0000 Subject: [PATCH 310/413] Make pylint happy 
Signed-off-by: Janos Follath --- scripts/mbedtls_dev/bignum_core.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py index f85fb2e36a..ed6ecbd004 100644 --- a/scripts/mbedtls_dev/bignum_core.py +++ b/scripts/mbedtls_dev/bignum_core.py @@ -770,11 +770,7 @@ class BignumCoreExpMod(BignumCoreTarget, bignum_common.ModOperationCommon): def is_valid(self) -> bool: # The base needs to be canonical, but the exponent can be larger than # the modulus (see for example exponent blinding) - if self.int_a < self.int_n: - return True - else: - return False - + return bool(self.int_a < self.int_n) # END MERGE SLOT 1 From ca09afc60ace53dca16e6d1bea697fc308165423 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 22 Nov 2022 10:05:19 +0000 Subject: [PATCH 311/413] Remove useless function and parse early data in ee Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 72 +++++++++----------------------------- 1 file changed, 17 insertions(+), 55 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 839fe3679a..9db2b79289 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
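Review bot: `return bool(self.int_a < self.int_n)` wraps a comparison that already evaluates to a `bool`, so the `bool()` call is redundant; `return self.int_a < self.int_n` says the same thing more directly and satisfies the same pylint complaint this commit targets. If the wrapper is there because `int_a`/`int_n` could be something other than `int` in `ModOperationCommon`, which is not visible here, a short comment saying so would stop the next reader from removing it.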
@@ -1335,53 +1335,6 @@ static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl, return( 0 ); } -#if defined(MBEDTLS_SSL_EARLY_DATA) -/* - * ssl_tls13_parse_ee_early_data_ext() - * Parse early data indication extension in EncryptedExtensions. - * - * struct {} Empty; - * - * struct { - * select (Handshake.msg_type) { - * ... - * case client_hello: Empty; - * case encrypted_extensions: Empty; - * }; - * } EarlyDataIndication; - * - */ - -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_parse_ee_early_data_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) -{ - if( ssl->early_data_status < MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT ) - { - /* The server must not send the EarlyDataIndication if the - * client hasn't indicated the use of early data. */ - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - } - - if( len != 0 ) - { - /* The message must be empty. */ - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } - - /* Nothing to parse */ - ((void) buf); - - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; - return( 0 ); -} -#endif /* MBEDTLS_SSL_EARLY_DATA */ - /* Returns a negative value on failure, and otherwise * - SSL_SERVER_HELLO or * - SSL_SERVER_HELLO_HRR 
@@ -2110,16 +2063,25 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_EARLY_DATA) case MBEDTLS_TLS_EXT_EARLY_DATA: - ret = ssl_tls13_parse_ee_early_data_ext( - ssl, p, (size_t)extension_data_len ); - if( ret != 0 ) + if( ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT ) { - ssl->early_data_status = - MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; - MBEDTLS_SSL_DEBUG_RET( - 1, "ssl_tls13_parse_ee_early_data_ext", ret ); - return( ret ); + /* The server must not send the EarlyDataIndication if the + * client hasn't indicated the use of early data. */ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } + + if( extension_data_len != 0 ) + { + /* The message must be empty. */ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; + break; #endif /* MBEDTLS_SSL_EARLY_DATA */ From e861ba01d474034cbde57de9448d697daf8d8349 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 23 Nov 2022 03:21:02 +0000 Subject: [PATCH 312/413] Remove the duplicate early_data_status check Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 9db2b79289..57d3adb712 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
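Review bot: Inlining the check changes its semantics in two ways the commit message ("Remove useless function") does not mention: the removed function rejected the extension when `early_data_status < MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT`, whereas the inlined test uses `!=`, so a status already past INDICATION_SENT now also yields ILLEGAL_PARAMETER; and the old call site set `ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED` on any failure, which the new code no longer does before returning. If both changes are intended they should be stated in the message; if not, keep `<` and restore the REJECTED assignment in both error paths. The switch containing this case starts and ends outside the hunk.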
@@ -2063,14 +2063,6 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_EARLY_DATA)
 case MBEDTLS_TLS_EXT_EARLY_DATA:
- if( ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT )
- {
- /* The server must not send the EarlyDataIndication if the
- * client hasn't indicated the use of early data. */
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
- MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- }
 if( extension_data_len != 0 )
 {
@@ -2080,7 +2072,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
 }
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
 break;
 #endif /* MBEDTLS_SSL_EARLY_DATA */
From b157e915ad29e7e47443a2f624d9cb42c497d487 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Wed, 23 Nov 2022 08:12:26 +0000
Subject: [PATCH 313/413] Move the early data status set afeter all of the extensions parse
Signed-off-by: Xiaokang Qian
---
library/ssl_tls13_client.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 57d3adb712..227c99d478 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2072,8 +2072,6 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
 }
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
-
- break;
 #endif /* MBEDTLS_SSL_EARLY_DATA */
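Review bot: The `break;` is deleted together with the status assignment in the `@@ -2072,8 +2072,6 @@` hunk, so `case MBEDTLS_TLS_EXT_EARLY_DATA:` now runs off the end of its block into whatever follows the `#endif` — presumably the next label of the switch, which lies outside the hunk. Even if that branch happens to be harmless today, the fallthrough is accidental and silent; keep `break;` as the last statement of the case. The enclosing switch and function both start and end outside the hunk.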
@@ -2119,6 +2117,14 @@ static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if( ssl->handshake->received_extensions &
+ MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
+ {
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
+ }
+#endif
+
 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, buf_len );
From 3518fb11d0be25ca1e69009899b12fd25bfc0c7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 23 Nov 2022 13:14:52 +0100
Subject: [PATCH 314/413] Improve ChangeLog entry for driver-only hashes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- avoid long unstructured paragraph with long messy sentences - de-emphasize "no longer depends on MD" and emphasize "can work in some driver-only builds" instead - that's what users are interested in (building without MD is just the current way to accomplish that, but that will change in the future)
Signed-off-by: Manuel Pégourié-Gonnard
---
ChangeLog.d/driver-only-hashes.txt | 41 +++++++++++++-----------------
1 file changed, 18 insertions(+), 23 deletions(-)
diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt
index a160f924ba..930aadfef0 100644
--- a/ChangeLog.d/driver-only-hashes.txt
+++ b/ChangeLog.d/driver-only-hashes.txt
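Review bot: The closing `#endif` of the added block carries no guard comment, unlike every other `#endif` for this option visible in the neighbouring hunks; write it as `#endif /* MBEDTLS_SSL_EARLY_DATA */`. A short why-comment would also help a reader who lands here, since the decision is now split between two functions: the extension parser only checks that the extension is empty (and, going by the previous commit's title, the generic extension handling decides whether it was allowed at all), while acceptance is recorded here, e.g. `/* Early data is accepted iff the server echoed the early_data extension. */`. The enclosing function continues outside the hunk.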
@@ -1,24 +1,19 @@ Features - * Some crypto modules that previously depended on MD or a low-level hash - module, either unconditionally (RSA, PK, PKCS5, PKCS12, EC J-PAKE), or - for some features (PEM for encrypted files), are now able to use PSA - Crypto instead when the legacy API is not available. This means it is - now possible to use all features from those modules in configurations - where the built-in implementations of hashes are excluded and the hashes - are only provided by PSA drivers. In these configurations, you need to - call `psa_crypto_init()` before you call any function from those - modules; this is not required in configurations where the built-in - implementation is still available. Note that for modules that use MD - (RSA, PKCS5, PKCS12, EC J-PAKE) in builds that have MBEDTLS_MD_C enabled, - all hashes used with those modules need to be built-in, as drivers are only - used when MBEDTLS_MD_C is disabled; configurations where some hashes are - available as built-ins, and some only from drivers, are currently not - supported. Also note that some crypto modules and features still depend on - the built-in implementation of hashes: MBEDTLS_HKDF_C (but the PSA HKDF - functions do not depend on it), MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and - MBEDTLS_ECDSA_DETERMINISTIC. In particular, for now, compiling without - built-in hashes requires use of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. - * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no - longer depend on MD. This means it is now possible to use them in - configurations where the built-in implementations of hashes are excluded - and the hashes are only provided by PSA drivers. + * Some modules can now use PSA drivers for hashes, including with no + built-in implementation present, but only in some configurations. + - RSA PKCS#1 v2.1, PKCS5, PKCS12 and EC J-PAKE now use hashes from PSA + when (and only when) MBEDTLS_MD_C is disabled. 
+ - PEM parsing of encrypted files now uses MD-5 from PSA when (and only + when) MBEDTLS_MD5_C is disabled. + See the documentation of the corresponding macros in mbedtls_config.h for + details. + Note that some modules are not able to use hashes from PSA yet, including + the entropy module. As a consequence, for now the only way to build with + all hashes only provided by drivers (no built-in hash) is to use + MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. + * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now + properly negotiate/accept hashes based on their availability in PSA. + As a consequence, they now work in configurations where the built-in + implementations of (some) hashes are excluded and those hashes are only + provided by PSA drivers. (See previous entry for limitation on RSA-PSS + though: that module only use hashes from PSA when MBEDTLS_MD_C is off). From 42649d9270d9f75b63d55b08a10d334d266d3905 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 23 Nov 2022 14:15:57 +0100 Subject: [PATCH 315/413] Fix NULL+0 undefined behavior in ECB encryption and decryption psa_cipher_encrypt() and psa_cipher_decrypt() sometimes add a zero offset to a null pointer when the cipher does not use an IV. This is undefined behavior, although it works as naively expected on most platforms. This can cause a crash with modern Clang+ASan (depending on compiler optimizations). Signed-off-by: Gilles Peskine --- ChangeLog.d/psa-ecb-ub.txt | 3 ++ library/common.h | 37 +++++++++++++++++++++ library/psa_crypto.c | 4 +-- library/psa_crypto_cipher.c | 23 +++++++------ tests/suites/test_suite_psa_crypto.function | 5 +-- 5 files changed, 58 insertions(+), 14 deletions(-) create mode 100644 ChangeLog.d/psa-ecb-ub.txt diff --git a/ChangeLog.d/psa-ecb-ub.txt b/ChangeLog.d/psa-ecb-ub.txt new file mode 100644 index 0000000000..9d725ac706 --- /dev/null +++ b/ChangeLog.d/psa-ecb-ub.txt 
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined behavior (typically harmless in practice) in PSA ECB
+ encryption and decryption.
diff --git a/library/common.h b/library/common.h
index a630fcc456..53598228b4 100644
--- a/library/common.h
+++ b/library/common.h
@@ -25,6 +25,7 @@
 #include "mbedtls/build_info.h"
+#include
 #include
 /** Helper to define a function as static except when building invasive tests.
@@ -68,6 +69,42 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c
 */
 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
+/** Return an offset into a buffer.
+ *
+ * This is just the addition of an offset to a pointer, except that this
+ * function also accepts an offset of 0 into a buffer whose pointer is null.
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline unsigned char *mbedtls_buffer_offset(
+ unsigned char *p, size_t n )
+{
+ return( p == NULL ? NULL : p + n );
+}
+
+/** Return an offset into a read-only buffer.
+ *
+ * This is just the addition of an offset to a pointer, except that this
+ * function also accepts an offset of 0 into a buffer whose pointer is null.
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline const unsigned char *mbedtls_buffer_offset_const(
+ const unsigned char *p, size_t n )
+{
+ return( p == NULL ? NULL : p + n );
+}
+
 /** Byte Reading Macros
 *
 * Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 8c9deffadf..e881f2f3cb 100644
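Review bot: `mbedtls_buffer_offset()` returns NULL for any `n` whenever `p` is NULL, while its \param documentation only permits a null `p` when `n` is zero, so the contract and the code disagree on the one case the helper exists for. A caller that passes a null buffer with a non-zero offset — a bug in that caller — now silently receives NULL instead of the undefined `p + n` that sanitizers would flag, and will dereference it later with no hint of where the mistake was. Either document what the code does, e.g. `* If \p p is \c NULL, \c NULL is returned regardless of \p n.`, or narrow the special case to what is documented, `return( p == NULL && n == 0 ? NULL : p + n );`, so that only the defined case is handled. The same applies to `mbedtls_buffer_offset_const()` in the same hunk.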
--- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3454,8 +3454,8 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, alg, local_iv, default_iv_length, input, input_length, - output + default_iv_length, output_size - default_iv_length, - output_length ); + mbedtls_buffer_offset( output, default_iv_length ), + output_size - default_iv_length, output_length ); exit: unlock_status = psa_unlock_key_slot( slot ); diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 70dc74d748..91a0e3b30d 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -516,10 +516,10 @@ psa_status_t mbedtls_psa_cipher_encrypt( if( status != PSA_SUCCESS ) goto exit; - status = mbedtls_psa_cipher_finish( &operation, - output + update_output_length, - output_size - update_output_length, - &finish_output_length ); + status = mbedtls_psa_cipher_finish( + &operation, + mbedtls_buffer_offset( output, update_output_length ), + output_size - update_output_length, &finish_output_length ); if( status != PSA_SUCCESS ) goto exit; @@ -563,17 +563,20 @@ psa_status_t mbedtls_psa_cipher_decrypt( goto exit; } - status = mbedtls_psa_cipher_update( &operation, input + operation.iv_length, - input_length - operation.iv_length, - output, output_size, &olength ); + status = mbedtls_psa_cipher_update( + &operation, + mbedtls_buffer_offset_const( input, operation.iv_length ), + input_length - operation.iv_length, + output, output_size, &olength ); if( status != PSA_SUCCESS ) goto exit; accumulated_length = olength; - status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length, - output_size - accumulated_length, - &olength ); + status = mbedtls_psa_cipher_finish( + &operation, + mbedtls_buffer_offset( output, accumulated_length ), + output_size - accumulated_length, &olength ); if( status != PSA_SUCCESS ) goto exit; 
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ca1614befa..1f3b3b64a6 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -4,6 +4,7 @@ #include "mbedtls/asn1.h" #include "mbedtls/asn1write.h" #include "mbedtls/oid.h" +#include "common.h" /* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random() * uses mbedtls_ctr_drbg internally. */ @@ -3983,7 +3984,7 @@ void cipher_alg_without_iv( int alg_arg, int key_type_arg, data_t *key_data, TEST_LE_U( length, output_buffer_size ); output_length += length; PSA_ASSERT( psa_cipher_finish( &operation, - output + output_length, + mbedtls_buffer_offset( output, output_length ), output_buffer_size - output_length, &length ) ); output_length += length; @@ -4001,7 +4002,7 @@ void cipher_alg_without_iv( int alg_arg, int key_type_arg, data_t *key_data, TEST_LE_U( length, output_buffer_size ); output_length += length; PSA_ASSERT( psa_cipher_finish( &operation, - output + output_length, + mbedtls_buffer_offset( output, output_length ), output_buffer_size - output_length, &length ) ); output_length += length; From 4a8c9e2cff36efea58220d124f4850de67352f77 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 26 Oct 2022 18:49:09 +0200 Subject: [PATCH 316/413] tls13: Add definition of mbedtls_ssl_{write,read}_early_data Signed-off-by: Ronald Cron --- docs/architecture/tls13-support.md | 172 +++++++++++++++++++++++++++++ include/mbedtls/ssl.h | 162 +++++++++++++++++++++++++-- library/ssl_tls13_client.c | 8 +- 3 files changed, 326 insertions(+), 16 deletions(-) diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md index f30590bd47..85482ba9ed 100644 --- a/docs/architecture/tls13-support.md +++ b/docs/architecture/tls13-support.md 
@@ -478,3 +478,175 @@ outbound message on server side as well. * state change: the state change is done in the main state handler to ease the navigation of the state machine transitions. + + +Writing and reading early or 0-RTT data +--------------------------------------- + +An application function to write and send a buffer of data to a server through +TLS may plausibly look like: + +``` +int write_data( mbedtls_ssl_context *ssl, + const unsigned char *data_to_write, + size_t data_to_write_len, + size_t *data_written ) +{ + *data_written = 0; + + while( *data_written < data_to_write_len ) + { + ret = mbedtls_ssl_write( ssl, data_to_write + *data_written, + data_to_write_len - *data_written ); + + if( ret < 0 && + ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) + { + return( ret ); + } + + *data_written += ret; + } + + return( 0 ); +} +``` +where ssl is the SSL context to use, data_to_write the address of the data +buffer and data_to_write_len the number of data bytes. The handshake may +not be completed, not even started for the SSL context ssl when the function is +called and in that case the mbedtls_ssl_write() API takes care transparently of +completing the handshake before to write and send data to the server. The +mbedtls_ssl_write() may not been able to write and send all data in one go thus +the need for a loop calling it as long as there are still data to write and +send. + +An application function to write and send early data and only early data, +data sent during the first flight of client messages while the handshake is in +its initial phase, would look completely similar but the call to +mbedtls_ssl_write_early_data() instead of mbedtls_ssl_write(). 
+``` +int write_early_data( mbedtls_ssl_context *ssl, + const unsigned char *data_to_write, + size_t data_to_write_len, + size_t *data_written ) +{ + *data_written = 0; + + while( *data_written < data_to_write_len ) + { + ret = mbedtls_ssl_write_early_data( ssl, data_to_write + *data_written, + data_to_write_len - *data_written ); + + if( ret < 0 && + ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) + { + return( ret ); + } + + *data_written += ret; + } + + return( 0 ); +} +``` +Note that compared to write_data(), write_early_data() can also return +MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA and that should be handled +specifically by the user of write_early_data(). A fresh SSL context (typically +just after a call to mbedtls_ssl_setup() or mbedtls_ssl_session_reset()) would +be expected when calling `write_early_data`. + +All together, code to write and send a buffer of data as long as possible as +early data and then as standard post-handshake application data could +plausibly look like: + +``` +ret = write_early_data( ssl, data_to_write, data_to_write_len, + &early_data_written ); +if( ret < 0 && + ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA ) +{ + goto error; +} + +ret = write_data( ssl, data_to_write + early_data_written, + data_to_write_len - early_data_written, &data_written ); +if( ret < 0 ) + goto error; + +data_written += early_data_written; +``` + +Finally, taking into account that the server may reject early data, application +code to write and send a buffer of data could plausibly look like: +``` +ret = write_early_data( ssl, data_to_write, data_to_write_len, + &early_data_written ); +if( ret < 0 && + ret != MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA ) +{ + goto error; +} + +/* + * Make sure the handshake is completed as it is a requisite to + * mbedtls_ssl_get_early_data_status(). 
+ */ +while( !mbedtls_ssl_is_handshake_over( ssl ) ) +{ + ret = mbedtls_ssl_handshake( ssl ); + if( ret < 0 && + ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) + { + goto error; + } +} + +ret = mbedtls_ssl_get_early_data_status( ssl ); +if( ret < 0 ) + goto error; + +if( ret == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED ) + early_data_written = 0; + +ret = write_data( ssl, data_to_write + early_data_written, + data_to_write_len - early_data_written, &data_written ); +if( ret < 0 ) + goto error; + +data_written += early_data_written; +``` + +Basically, the same holds for reading early data on the server side without the +complication of possible rejection. An application function to read early data +into a given buffer could plausibly look like: +``` +int read_early_data( mbedtls_ssl_context *ssl, + unsigned char *buffer, + size_t buffer_size, + size_t *data_len ) +{ + *data_len = 0; + + while( *data_len < buffer_size ) + { + ret = mbedtls_ssl_read_early_data( ssl, buffer + *data_len, + buffer_size - *data_len ); + + if( ret < 0 && + ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) + { + return( ret ); + } + + *data_len += ret; + } + + return( 0 ); +} +``` +with again calls to read_early_data() expected to be done with a fresh SSL +context. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index dddaaea39b..ea58661088 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -96,15 +96,16 @@ /* Error space gap */ /** Processing of the Certificate handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00 +/* Error space gap */ /** * Received NewSessionTicket Post Handshake Message. * This error code is experimental and may be changed or removed without notice. */ #define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00 -/* Error space gap */ -/* Error space gap */ -/* Error space gap */ -/* Error space gap */ +/** Not possible to read early data */ +#define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80 +/** Not possible to write early data */ +#define MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA -0x7C00 /* Error space gap */ /* Error space gap */ /* Error space gap */ @@ -806,14 +807,6 @@ typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif -#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) -#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT 2 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 3 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 4 -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) typedef uint8_t mbedtls_ssl_tls13_ticket_flags; 
@@ -4897,6 +4890,151 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, */ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_SSL_EARLY_DATA) + +#if defined(MBEDTLS_SSL_SRV_C) +/** + * \brief Read at most 'len' application data bytes while performing + * the handshake (early data). + * + * \note This function behaves mainly as mbedtls_ssl_read(). The + * specification of mbedtls_ssl_read() relevant to TLS 1.3 + * (thus not the parts specific to (D)TLS 1.2) applies to this + * function and the present documentation is restricted to the + * differences with mbedtls_ssl_read(). + * + * \param ssl SSL context + * \param buf buffer that will hold the data + * \param len maximum number of bytes to read + * + * \return One additional specific return value: + * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA. + * + * #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA is returned when it + * is not possible to read early data for the SSL context + * \p ssl. + * + * It may have been possible and it is not possible + * anymore because the server received the End of Early Data + * message or the maximum number of allowed early data for the + * PSK in use has been reached. + * + * It may never have been possible and will never be possible + * for the SSL context \p ssl because the use of early data + * is disabled for that context or more generally the context + * is not suitably configured to enable early data or the + * client does not use early data or the first call to the + * function was done while the handshake was already too + * advanced to gather and accept early data. + * + * It is not possible to read early data for the SSL context + * \p ssl but this does not preclude for using it with + * mbedtls_ssl_write(), mbedtls_ssl_read() or + * mbedtls_ssl_handshake(). + * + * \note When a server wants to retrieve early data, it is expected + * that this function starts the handshake for the SSL context + * \p ssl. But this is not mandatory. 
+ * + */ +int mbedtls_ssl_read_early_data( mbedtls_ssl_context *ssl, + unsigned char *buf, size_t len ); +#endif /* MBEDTLS_SSL_SRV_C */ + +#if defined(MBEDTLS_SSL_CLI_C) +/** + * \brief Try to write exactly 'len' application data bytes while + * performing the handshake (early data). + * + * \note This function behaves mainly as mbedtls_ssl_write(). The + * specification of mbedtls_ssl_write() relevant to TLS 1.3 + * (thus not the parts specific to (D)TLS1.2) applies to this + * function and the present documentation is restricted to the + * differences with mbedtls_ssl_write(). + * + * \param ssl SSL context + * \param buf buffer holding the data + * \param len how many bytes must be written + * + * \return One additional specific return value: + * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA. + * + * #MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA is returned when it + * is not possible to write early data for the SSL context + * \p ssl. + * + * It may have been possible and it is not possible + * anymore because the client received the server Finished + * message, the server rejected early data or the maximum + * number of allowed early data for the PSK in use has been + * reached. + * + * It may never have been possible and will never be possible + * for the SSL context \p ssl because the use of early data + * is disabled for that context or more generally the context + * is not suitably configured to enable early data or the first + * call to the function was done while the handshake was + * already completed. + * + * It is not possible to write early data for the SSL context + * \p ssl but this does not preclude for using it with + * mbedtls_ssl_write(), mbedtls_ssl_read() or + * mbedtls_ssl_handshake(). + * + * \note This function may write early data only if the SSL context + * has been configured for the handshake with a PSK for which + * early data is allowed. 
+ * + * \note To maximize the number of early data that can be written in + * the course of the handshake, it is expected that this + * function starts the handshake for the SSL context \p ssl. + * But this is not mandatory. + * + * \note This function does not provide any information on whether + * the server has accepted or will accept early data or not. + * When it returns a positive value, it just means that it + * has written early data to the server. To know whether the + * server has accepted early data or not, you should call + * mbedtls_ssl_get_early_data_status() with the handshake + * completed. + */ +int mbedtls_ssl_write_early_data( mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ); + +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2 +/** + * \brief Get the status of the negotiation of the use of early data. + * + * \param ssl The SSL context to query + * + * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called + * from the server-side. + * + * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called + * prior to completion of the handshake. + * + * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT if the client has + * not indicated the use of early data to the server. + * + * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED if the client has + * indicated the use of early data and the server has accepted + * it. + * + * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED if the client has + * indicated the use of early data but the server has rejected + * it. In this situation, the client may want to re-send the + * early data it may have tried to send by calling + * mbedtls_ssl_write_early_data() as ordinary post-handshake + * application data by calling mbedtls_ssl_write(). 
+ *
+ */
+int mbedtls_ssl_get_early_data_status( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
 /**
 * \brief Free referenced items in an SSL context and clear memory
 *
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 9d2e69e3e5..0109f776c0 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1183,11 +1183,11 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
 return( ret );
 p += ext_len;
- /* Initializes the status to `indication sent`. It will be updated to
- * `accepted` or `rejected` depending on whether the EncryptedExtension
- * message will contain an early data indication extension or not.
+ /* Initializes the status to `rejected`. It will be updated to
+ * `accepted` if the EncryptedExtension message contain an early data
+ * indication extension.
 */
- ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT;
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
 } else {
From 4c7cf7d742dce297c772fdf94f2de9d8a7237dab Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Wed, 9 Nov 2022 14:07:43 +0100
Subject: [PATCH 317/413] Add low level subtraction with modulus
Signed-off-by: Gabor Mezei
---
library/bignum_mod_raw.c | 10 ++++++++++
library/bignum_mod_raw.h | 20 ++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c
index b43add77d3..9a8e3ee9a2 100644
--- a/library/bignum_mod_raw.c
+++ b/library/bignum_mod_raw.c
@@ -108,6 +108,16 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A,
 /* BEGIN MERGE SLOT 2 */
+void mbedtls_mpi_mod_raw_sub( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N )
+{
+ mbedtls_mpi_uint c = mbedtls_mpi_core_sub( X, A, B, N->limbs );
+
+ (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, c );
+}
+
 /* END MERGE SLOT 2 */
 /* BEGIN MERGE SLOT 3 */
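Review bot: The documentation of `mbedtls_ssl_write_early_data()` (hunk starting at `@@ -4897,6 +4890,151 @@`) describes every way the call can fail but says nothing about the security properties of the data itself: 0-RTT data is not forward secret and can be replayed against the server by anyone who captured it, which is why RFC 8446 tells applications to limit what they send as early data. A \warning paragraph on the function, placed before the \note about PSK configuration, would give callers the caveat they need, e.g. `\warning Early data has weaker security properties than data sent after the handshake: it is not forward secret and may be replayed. Only send data that is safe to replay.`; the matching caveat belongs on `mbedtls_ssl_read_early_data()` for servers, which must treat what they read as possibly replayed. The three `MBEDTLS_SSL_EARLY_DATA_STATUS_*` macros in the same hunk also lack a documentation comment, unlike everything around them.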
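Review bot: The rewritten comment in the `@@ -1183,11 +1183,11 @@` hunk has a grammar slip and now omits the reason the initial value is `rejected` rather than unknown; suggested wording: `/* Initializes the status to `rejected`. It will be updated to `accepted` once the EncryptedExtensions message is seen to contain an early data indication extension. */`. The enclosing if/else and function start and end outside the hunk.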
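Review bot: `mbedtls_mpi_mod_raw_sub()` in the `@@ -108,6 +108,16 @@` hunk relies on two things that are not visible in the .c file: the precondition A, B < N, which only the header states, and the fact that the carry out of `mbedtls_mpi_core_add_if()` cancels the borrow from `mbedtls_mpi_core_sub()`, so the `(void)` cast reads as if a result were being ignored by mistake. A comment above the `(void)` line would record this, e.g. `/* With A, B < N the borrow is set iff A < B; adding N back then carries out of the top limb, so the carry is expected and discarded. */`. A second line noting that the conditional add is presumably used instead of a branch to keep the operation independent of the operand values would help the next reader as well.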
diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h
index f738e917e1..0f1b0c0de1 100644
--- a/library/bignum_mod_raw.h
+++ b/library/bignum_mod_raw.h
@@ -144,6 +144,26 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A,
 /* BEGIN MERGE SLOT 2 */
+/** \brief Perform a subtraction of two MPIs and return the modulus
+ * of the result.
+ *
+ * The size of the operation is determined by \p N.
+ *
+ * \param[out] X The address of the result MPI.
+ * This must be initialized. Must have enough limbs to
+ * store the full value of the result.
+ * \param[in] A The address of the first MPI. This must be initialized.
+ * \param[in] B The address of the second MPI. This must be initialized.
+ * \param[in] N The address of the modulus. Use to perform a modulu
+ * operation on the result of the subtraction.
+ *
+ * \note Both \p A and \p B must be smaller than the modulus \p N.
+ */
+void mbedtls_mpi_mod_raw_sub( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N );
+
 /* END MERGE SLOT 2 */
 /* BEGIN MERGE SLOT 3 */
From cefe03a10cb0e6010670cc9c265c6c1891130f6b Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 15 Nov 2022 18:50:17 +0100
Subject: [PATCH 318/413] Add tests for low level subtraction with modulus
Signed-off-by: Gabor Mezei
---
tests/suites/test_suite_bignum_mod_raw.data | 39 ++++++++++++++
.../suites/test_suite_bignum_mod_raw.function | 53 +++++++++++++++++++
2 files changed, 92 insertions(+)
diff --git a/tests/suites/test_suite_bignum_mod_raw.data b/tests/suites/test_suite_bignum_mod_raw.data
index 8cbd918f88..9290ef4f99 100644
--- a/tests/suites/test_suite_bignum_mod_raw.data
+++ b/tests/suites/test_suite_bignum_mod_raw.data
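Review bot: The \brief of `mbedtls_mpi_mod_raw_sub()` says the function returns "the modulus of the result", which is not what it computes — it stores (A - B) mod N in X — and the \param[in] N text has two slips ("Use to perform a modulu operation"). Suggested: `\brief Subtract two MPIs and store the result reduced modulo \p N.` and `\param[in] N The address of the modulus. Used to reduce the result of the subtraction modulo N.`. It would also help to state that X must have exactly `N->limbs` limbs, since the operation size is taken from N and every limb of X is written, and to say explicitly that the \note precondition is what guarantees the result is fully reduced.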
@@ -185,6 +185,45 @@ mpi_mod_raw_cond_swap:"00000000FFFFFFFF55555555AAAAAAAA":"FEDCBA9876543210FEDCBA # BEGIN MERGE SLOT 2 +mbedtls_mpi_mod_raw_sub: 0 - 0, mod 2 +mpi_mod_raw_sub:"0":"0":"2":"0" + +mbedtls_mpi_mod_raw_sub: 0 - 1, mod 2 +mpi_mod_raw_sub:"0":"1":"2":"1" + +mbedtls_mpi_mod_raw_sub: 1 - 0, mod 2 +mpi_mod_raw_sub:"1":"0":"2":"1" + +mbedtls_mpi_mod_raw_sub: 9 - 2, mod 10 +mpi_mod_raw_sub:"9":"2":"A":"7" + +mbedtls_mpi_mod_raw_sub: 6 - 7, mod 10 +mpi_mod_raw_sub:"6":"7":"A":"9" + +mbedtls_mpi_mod_raw_sub: 4 byte values, first is bigger +mpi_mod_raw_sub:"7DE15401":"5553FE19":"971F63D9":"288D55E8" + +mbedtls_mpi_mod_raw_sub: 4 byte values, second is bigger +mpi_mod_raw_sub:"58AB5FB1":"B7AFCADC":"DBD9D998":"7CD56E6D" + +mbedtls_mpi_mod_raw_sub: 8 byte values, first is bigger +mpi_mod_raw_sub:"8FE975EFDF264BDF":"6A4E956C95C1649E":"BB63D38C3AF7922E":"259AE0834964E741" + +mbedtls_mpi_mod_raw_sub: 8 byte values, second is bigger +mpi_mod_raw_sub:"0D6A093316013F68":"39DA803DB5C41434":"509876EAB3D1C663":"2427FFE0140EF197" + +mbedtls_mpi_mod_raw_sub: 16 byte values, first is bigger +mpi_mod_raw_sub:"94789C046DEC921C4EF12561271EEB12":"3AD8A050F6CC00354FDE5557E1839859":"A52A910D219A87F4F174FD9481873CEE":"599FFBB3772091E6FF12D009459B52B9" + +mbedtls_mpi_mod_raw_sub: 16 byte values, second is bigger +mpi_mod_raw_sub:"14D92E888E1274EDC37CA73B20B1F8BF":"8B7281E720762FD849948DCFA3CCC7F6":"94D3A7DE6456850BF05EB88B486DD4CD":"1E3A547FD1F2CA216A46D1F6C5530596" + +mbedtls_mpi_mod_raw_sub: 256 byte values, first is bigger +mpi_mod_raw_sub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mbedtls_mpi_mod_raw_sub: 256 byte values, second is bigger +mpi_mod_raw_sub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diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 4adccce25b..22a73e0323 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
@@ -275,6 +275,59 @@ exit: /* BEGIN MERGE SLOT 2 */ +/* BEGIN_CASE */ +void mpi_mod_raw_sub( char * input_A, + char * input_B, + char * input_N, + char * result ) +{ + mbedtls_mpi_uint *A = NULL; + mbedtls_mpi_uint *B = NULL; + mbedtls_mpi_uint *N = NULL; + mbedtls_mpi_uint *X = NULL; + mbedtls_mpi_uint *res = NULL; + size_t limbs_A; + size_t limbs_B; + size_t limbs_N; + size_t limbs_res; + + TEST_EQUAL( mbedtls_test_read_mpi_core( &A, &limbs_A, input_A ), 0 ); + TEST_EQUAL( mbedtls_test_read_mpi_core( &B, &limbs_B, input_B ), 0 ); + TEST_EQUAL( mbedtls_test_read_mpi_core( &N, &limbs_N, input_N ), 0 ); + TEST_EQUAL( mbedtls_test_read_mpi_core( &res, &limbs_res, result ), 0 ); + + size_t limbs = limbs_N; + size_t bytes = limbs * sizeof( mbedtls_mpi_uint ); + + TEST_ASSERT( limbs_A <= limbs ); + TEST_ASSERT( limbs_B <= limbs ); + TEST_ASSERT( limbs_res <= limbs ); + + ASSERT_ALLOC( X, limbs ); + + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_mod_modulus_init( &m ); + + TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( + &m, N, limbs, + MBEDTLS_MPI_MOD_EXT_REP_BE, + MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 ); + + mbedtls_mpi_mod_raw_sub( X, A, B, &m ); + + ASSERT_COMPARE( X, bytes, res, bytes ); + +exit: + mbedtls_free( A ); + mbedtls_free( B ); + mbedtls_free( X ); + mbedtls_free( res ); + + mbedtls_mpi_mod_modulus_free( &m ); + mbedtls_free( N ); +} +/* END_CASE */ + /* END MERGE SLOT 2 */ /* BEGIN MERGE SLOT 3 */ From c426d9b6cc48d2e957c1f0ddeceb2810e878bc24 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 15 Nov 2022 18:51:20 +0100 Subject: [PATCH 319/413] Add generated test for low level subtraction with modulus Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/bignum_mod_raw.py | 90 +++++++++++++++++++++++++++ tests/CMakeLists.txt | 1 + tests/Makefile | 1 + 3 files changed, 92 insertions(+) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 60f2feded6..5d4bda2a7d 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py 
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
@@ -30,6 +30,96 @@ class BignumModRawTarget(test_data_generation.BaseTarget): # BEGIN MERGE SLOT 2 +class BignumModRawSub(BignumModRawOperation): + """Test cases for bignum mod raw sub.""" + count = 0 + symbol = "-" + test_function = "mpi_mod_raw_sub" + test_name = "mbedtls_mpi_mod_raw_sub" + unique_combinations_only = False + + input_values = [ + "0", "1", "fe", "ff", "fffe", "ffff", + "fffffffffffffffe", "ffffffffffffffff", + "fffffffffffffffffffffffffffffffe", + "ffffffffffffffffffffffffffffffff", + "1234567890abcdef01234567890abcdef0", + "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f", + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe", + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0", + ( + "14c15c910b11ad28cc21ce88d0060cc54278c2614e1bcb383bb4a570294c4ea3" + "738d243a6e58d5ca49c7b59b995253fd6c79a3de69f85e3131f3b9238224b122" + "c3e4a892d9196ada4fcfa583e1df8af9b474c7e89286a1754abcb06ae8abb93f" + "01d89a024cdce7a6d7288ff68c320f89f1347e0cdd905ecfd160c5d0ef412ed6" + ) + ] + + modulus_values = [ + "7", "ff", + "d1c127a667786703830500038ebaef20e5a3e2dc378fb75b" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff43", + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff67", + ( + "c93ba7ec74d96f411ba008bdb78e63ff11bb5df46a51e16b2c9d156f8e4e18ab" + "f5e052cb01f47d0d1925a77f60991577e128fb6f52f34a27950a594baadd3d80" + "57abeb222cf3cca962db16abf79f2ada5bd29ab2f51244bf295eff9f6aaba130" + "2efc449b128be75eeaca04bc3c1a155d11d14e8be32a2c8287b3996cf6ad5223" + ), + ( + "5c083126e978d4fdf3b645a1cac083126e978d4fdf3b645a1cac083126e978d4" + "fdf3b645a1cac083126e978d4fdf3b645a1cac083126e978d4fdf3b645a1cac0" + "83126e978d4fdf3b645a1cac083126e978d4fdf3b645a1cac083126e978d4fdf" + "3b645a1cac083126e978d4fdf3b645a1cac083126e978d4fdf3b645a1cac05d2" + ) + ] + + descr_tpl = '{} #{} \"{}\" - \"{}\" % \"{}\".' 
+ + BITS_IN_LIMB = 32 + + @property + def boundary(self) -> int: + return self.int_n + + @property + def x(self): # pylint: disable=invalid-name + return (self.int_a - self.int_b) % self.int_n if self.int_n > 0 else 0 + + @property + def hex_x(self) -> str: + return format(self.x, 'x').zfill(self.hex_digits) + + def description(self) -> str: + return self.descr_tpl.format(self.test_name, + self.count, + self.int_a, + self.int_b, + self.int_n) + + def arguments(self) -> List[str]: + return [bignum_common.quote_str(n) for n in [self.hex_a, + self.hex_b, + self.hex_n, + self.hex_x]] + + def result(self) -> List[str]: + return [self.hex_x] + + @classmethod + def generate_function_tests(cls) -> Iterator[test_case.TestCase]: + for a_value, b_value in cls.get_value_pairs(): + int_a = bignum_common.hex_to_int(a_value) + int_b = bignum_common.hex_to_int(b_value) + highest = max(int_a, int_b) + + # Choose a modulus bigger then the arguments + for n_value in cls.modulus_values: + int_n = bignum_common.hex_to_int(n_value) + if highest < int_n: + yield cls(n_value, a_value, b_value, cls.BITS_IN_LIMB).create_test_case() + # END MERGE SLOT 2 # BEGIN MERGE SLOT 3 diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index c23cb6b3d9..0ef6fdbc4c 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -70,6 +70,7 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_bignum_tests.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_core.py + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_mod_raw.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py ) diff --git a/tests/Makefile b/tests/Makefile index 7c08f54e14..0b31cdd076 100644 --- a/tests/Makefile +++ b/tests/Makefile 
@@ -94,6 +94,7 @@ $(GENERATED_BIGNUM_DATA_FILES): generated_bignum_test_data generated_bignum_test_data: scripts/generate_bignum_tests.py generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_common.py generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_core.py +generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_mod_raw.py generated_bignum_test_data: ../scripts/mbedtls_dev/test_case.py generated_bignum_test_data: ../scripts/mbedtls_dev/test_data_generation.py generated_bignum_test_data: From 3411e949cdc202824634af489ad5492ef46210d9 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 16 Nov 2022 11:31:00 +0100 Subject: [PATCH 320/413] Cas variable to proper type Signed-off-by: Gabor Mezei --- library/bignum_mod_raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 9a8e3ee9a2..6c694b0c58 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c @@ -115,7 +115,7 @@ void mbedtls_mpi_mod_raw_sub( mbedtls_mpi_uint *X, { mbedtls_mpi_uint c = mbedtls_mpi_core_sub( X, A, B, N->limbs ); - (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, c ); + (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, (unsigned) c ); } /* END MERGE SLOT 2 */ From 02d2313829b1dad945b95873a502fd8dcd248559 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 23 Nov 2022 13:09:43 +0100 Subject: [PATCH 321/413] Fix documentation Signed-off-by: Gabor Mezei --- library/bignum_mod_raw.h | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index 0f1b0c0de1..05fa9d6ac8 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h 
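Review bot: The `(unsigned) c` cast in `mbedtls_mpi_mod_raw_sub` narrows an `mbedtls_mpi_uint` to `unsigned`, and nothing at the call site records why that is safe; it is lossless only because `c` is the borrow of `mbedtls_mpi_core_sub`, i.e. 0 or 1. A comment such as `/* c is the borrow out of the subtraction (0 or 1), so narrowing to unsigned is lossless. */` would stop the next reader from treating the cast as a truncation bug. The function's signature is outside the hunk.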
@@ -144,20 +144,22 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* BEGIN MERGE SLOT 2 */ -/** \brief Perform a subtraction of two MPIs and return the modulus - * of the result. +/** \brief Subtract two MPIs, returning the residue modulo the specified + * modulus. * - * The size of the operation is determined by \p N. + * The size of the operation is determined by \p N. \p A and \p B must have + * the same number of limbs as \p N. + * + * \p X may be aliased to \p A or \p B, or even both, but may not overlap + * either otherwise. * * \param[out] X The address of the result MPI. * This must be initialized. Must have enough limbs to * store the full value of the result. * \param[in] A The address of the first MPI. This must be initialized. * \param[in] B The address of the second MPI. This must be initialized. - * \param[in] N The address of the modulus. Use to perform a modulu + * \param[in] N The address of the modulus. Used to perform a modulo * operation on the result of the subtraction. - * - * \note Both \p A and \p B must be smaller than the modulus \p N. */ void mbedtls_mpi_mod_raw_sub( mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, From 68a45e0aaff5409e75d2eee01d179dcbd29e59fd Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 23 Nov 2022 13:12:51 +0100 Subject: [PATCH 322/413] Fix potential not initialized warning Signed-off-by: Gabor Mezei --- tests/suites/test_suite_bignum_mod_raw.function | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 22a73e0323..aaf26ca794 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
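Review bot: Deleting the `\note Both \p A and \p B must be smaller than the modulus \p N.` line removes a precondition the implementation still depends on: the body shown in the preceding bignum_mod_raw.c hunk performs one `mbedtls_mpi_core_sub` followed by at most one conditional add of `N`, so an operand at or above `N` leaves a result that is not reduced. The new sentence only says the operands have the same number of limbs as `N`, which does not bound their value. Keep the range requirement in the doc comment, e.g. `\note Both \p A and \p B must be smaller than the modulus \p N; otherwise the result is not reduced.` The declaration's remaining parameter lines continue outside the hunk.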
@@ -291,6 +291,9 @@ void mpi_mod_raw_sub( char * input_A, size_t limbs_N; size_t limbs_res; + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_mod_modulus_init( &m ); + TEST_EQUAL( mbedtls_test_read_mpi_core( &A, &limbs_A, input_A ), 0 ); TEST_EQUAL( mbedtls_test_read_mpi_core( &B, &limbs_B, input_B ), 0 ); TEST_EQUAL( mbedtls_test_read_mpi_core( &N, &limbs_N, input_N ), 0 ); @@ -305,9 +308,6 @@ void mpi_mod_raw_sub( char * input_A, ASSERT_ALLOC( X, limbs ); - mbedtls_mpi_mod_modulus m; - mbedtls_mpi_mod_modulus_init( &m ); - TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( &m, N, limbs, MBEDTLS_MPI_MOD_EXT_REP_BE, From 4d3f3c54305b06c084ea8e9b6f64339d6e5174bc Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 23 Nov 2022 13:14:15 +0100 Subject: [PATCH 323/413] Fix the checking of the used limbs Signed-off-by: Gabor Mezei --- tests/suites/test_suite_bignum_mod_raw.function | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index aaf26ca794..256ec9dcb7 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function @@ -302,9 +302,9 @@ void mpi_mod_raw_sub( char * input_A, size_t limbs = limbs_N; size_t bytes = limbs * sizeof( mbedtls_mpi_uint ); - TEST_ASSERT( limbs_A <= limbs ); - TEST_ASSERT( limbs_B <= limbs ); - TEST_ASSERT( limbs_res <= limbs ); + TEST_EQUAL( limbs_A, limbs ); + TEST_EQUAL( limbs_B, limbs ); + TEST_EQUAL( limbs_res, limbs ); ASSERT_ALLOC( X, limbs ); From b3b34666575f0a1ac8e828fa5efb12d42ecb4da5 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 23 Nov 2022 13:17:13 +0100 Subject: [PATCH 324/413] Test subtraction if the parameters are aliased to each other Signed-off-by: Gabor Mezei --- .../suites/test_suite_bignum_mod_raw.function | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 256ec9dcb7..2d9e412280 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function @@ -314,9 +314,29 @@ void mpi_mod_raw_sub( char * input_A, MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 ); mbedtls_mpi_mod_raw_sub( X, A, B, &m ); - ASSERT_COMPARE( X, bytes, res, bytes ); + /* alias X to A */ + memcpy( X, A, bytes ); + mbedtls_mpi_mod_raw_sub( X, X, B, &m ); + ASSERT_COMPARE( X, bytes, res, bytes ); + + /* alias X to B */ + memcpy( X, B, bytes ); + mbedtls_mpi_mod_raw_sub( X, A, X, &m ); + ASSERT_COMPARE( X, bytes, res, bytes ); + + /* A == B: alias A and B */ + if( memcmp( A, B, bytes ) == 0 ) + { + mbedtls_mpi_mod_raw_sub( X, A, A, &m ); + ASSERT_COMPARE( X, bytes, res, bytes ); + + /* X, A, B all aliased together */ + memcpy( X, A, bytes ); + mbedtls_mpi_mod_raw_sub( X, X, X, &m ); + ASSERT_COMPARE( X, bytes, res, bytes ); + } exit: mbedtls_free( A ); mbedtls_free( B ); From 6157fee306e581f12d4affc2b7eec2f5cb72d556 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 23 Nov 2022 16:13:13 +0100 Subject: [PATCH 325/413] Unify defintions of inline for MSVC (and old armcc?) Having multiple definitions was cumbersome, and meant we might forget the definition when adding an inline definition to a file that didn't have one before (as I did when I added an inline definition in common.h). Resolves #6649. Signed-off-by: Gilles Peskine --- include/mbedtls/aes.h | 5 ----- include/mbedtls/build_info.h | 6 ++++++ include/mbedtls/cipher.h | 5 ----- include/mbedtls/error.h | 5 ----- include/mbedtls/pem.h | 5 ----- include/mbedtls/pk.h | 5 ----- 6 files changed, 6 insertions(+), 25 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index c359011227..1cd20fe06c 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h 
@@ -61,11 +61,6 @@ /** Invalid input data. */ #define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021 -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #ifdef __cplusplus extern "C" { #endif diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 170cbebbee..362ce2fd59 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -53,6 +53,12 @@ #define _CRT_SECURE_NO_DEPRECATE 1 #endif +/* Define `inline` on some non-C99-compliant compilers. */ +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/mbedtls_config.h" #else diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index a3f52ea71f..151da1d83e 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -46,11 +46,6 @@ #define MBEDTLS_CIPHER_MODE_STREAM #endif -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** The selected feature is not available. */ #define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 /** Bad input parameters. */ diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index eb8391311f..04e0896055 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -26,11 +26,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** * Error code layout. * diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index c75a1246ad..a4c6fb89f9 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h 
@@ -27,11 +27,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** * \name PEM Error codes * These error codes are returned in case of errors reading the diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 867961d329..db0bfacab3 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -44,11 +44,6 @@ #include "psa/crypto.h" #endif -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** Memory allocation failed. */ #define MBEDTLS_ERR_PK_ALLOC_FAILED -0x3F80 /** Type mismatch, eg attempt to encrypt with an ECDSA key */ From 6b3c0c59433d5354e255fbdc3e6c5a37299a34b4 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 23 Nov 2022 16:45:05 +0100 Subject: [PATCH 326/413] Update the test case generator Signed-off-by: Gabor Mezei --- scripts/mbedtls_dev/bignum_mod_raw.py | 93 ++++----------------------- 1 file changed, 11 insertions(+), 82 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 5d4bda2a7d..c271048548 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
@@ -30,95 +30,24 @@ class BignumModRawTarget(test_data_generation.BaseTarget): # BEGIN MERGE SLOT 2 -class BignumModRawSub(BignumModRawOperation): - """Test cases for bignum mod raw sub.""" - count = 0 +class BignumModRawSub(bignum_common.ModOperationCommon, + BignumModRawTarget): + """Test cases for bignum mpi_mod_raw_sub().""" symbol = "-" test_function = "mpi_mod_raw_sub" test_name = "mbedtls_mpi_mod_raw_sub" - unique_combinations_only = False - - input_values = [ - "0", "1", "fe", "ff", "fffe", "ffff", - "fffffffffffffffe", "ffffffffffffffff", - "fffffffffffffffffffffffffffffffe", - "ffffffffffffffffffffffffffffffff", - "1234567890abcdef01234567890abcdef0", - "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f", - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe", - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0", - ( - "14c15c910b11ad28cc21ce88d0060cc54278c2614e1bcb383bb4a570294c4ea3" - "738d243a6e58d5ca49c7b59b995253fd6c79a3de69f85e3131f3b9238224b122" - "c3e4a892d9196ada4fcfa583e1df8af9b474c7e89286a1754abcb06ae8abb93f" - "01d89a024cdce7a6d7288ff68c320f89f1347e0cdd905ecfd160c5d0ef412ed6" - ) - ] - - modulus_values = [ - "7", "ff", - "d1c127a667786703830500038ebaef20e5a3e2dc378fb75b" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff43", - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff67", - ( - "c93ba7ec74d96f411ba008bdb78e63ff11bb5df46a51e16b2c9d156f8e4e18ab" - "f5e052cb01f47d0d1925a77f60991577e128fb6f52f34a27950a594baadd3d80" - "57abeb222cf3cca962db16abf79f2ada5bd29ab2f51244bf295eff9f6aaba130" - "2efc449b128be75eeaca04bc3c1a155d11d14e8be32a2c8287b3996cf6ad5223" - ), - ( - "5c083126e978d4fdf3b645a1cac083126e978d4fdf3b645a1cac083126e978d4" - "fdf3b645a1cac083126e978d4fdf3b645a1cac083126e978d4fdf3b645a1cac0" - "83126e978d4fdf3b645a1cac083126e978d4fdf3b645a1cac083126e978d4fdf" - 
"3b645a1cac083126e978d4fdf3b645a1cac083126e978d4fdf3b645a1cac05d2" - ) - ] - - descr_tpl = '{} #{} \"{}\" - \"{}\" % \"{}\".' - - BITS_IN_LIMB = 32 - - @property - def boundary(self) -> int: - return self.int_n - - @property - def x(self): # pylint: disable=invalid-name - return (self.int_a - self.int_b) % self.int_n if self.int_n > 0 else 0 - - @property - def hex_x(self) -> str: - return format(self.x, 'x').zfill(self.hex_digits) - - def description(self) -> str: - return self.descr_tpl.format(self.test_name, - self.count, - self.int_a, - self.int_b, - self.int_n) + input_style = "fixed" + arity = 2 def arguments(self) -> List[str]: - return [bignum_common.quote_str(n) for n in [self.hex_a, - self.hex_b, - self.hex_n, - self.hex_x]] + return [bignum_common.quote_str(n) for n in [self.arg_a, + self.arg_b, + self.arg_n] + ] + self.result() def result(self) -> List[str]: - return [self.hex_x] - - @classmethod - def generate_function_tests(cls) -> Iterator[test_case.TestCase]: - for a_value, b_value in cls.get_value_pairs(): - int_a = bignum_common.hex_to_int(a_value) - int_b = bignum_common.hex_to_int(b_value) - highest = max(int_a, int_b) - - # Choose a modulus bigger then the arguments - for n_value in cls.modulus_values: - int_n = bignum_common.hex_to_int(n_value) - if highest < int_n: - yield cls(n_value, a_value, b_value, cls.BITS_IN_LIMB).create_test_case() + result = (self.int_a - self.int_b) % self.int_n + return [self.format_result(result)] # END MERGE SLOT 2 From fecc6b2fe49d8ca8567080f289c876210e6c4f75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 24 Nov 2022 09:40:12 +0100 Subject: [PATCH 327/413] Minor tune-up to ChangeLog & documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - fix a recurring typo - use clearer names 
Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/driver-only-hashes.txt | 4 ++-- include/mbedtls/mbedtls_config.h | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt index 930aadfef0..6ccd199ba1 100644 --- a/ChangeLog.d/driver-only-hashes.txt +++ b/ChangeLog.d/driver-only-hashes.txt @@ -1,8 +1,8 @@ Features * Some modules can now use PSA drivers for hashes, including with no built-in implementation present, but only in some configurations. - - RSA PKCS#1 v2.1, PKCS5, PKCS12 and EC J-PAKE now use hashes from PSA - when (and only when) MBEDTLS_MD_C is disabled. + - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use + hashes from PSA when (and only when) MBEDTLS_MD_C is disabled. - PEM parsing of encrypted files now uses MD-5 from PSA when (and only when) MBEDTLS_MD5_C is disabled. See the documentation of the corresponding macros in mbedtls_config.h for diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index b16a5b4d49..0688073b12 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1147,7 +1147,7 @@ * before doing any PKCS#1 v2.1 operation. * * \warning When building with MBEDTLS_MD_C, all hashes used with this - * need to be available a built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by * this module in builds where MBEDTLS_MD_C is disabled. * 
@@ -2440,7 +2440,7 @@ * before doing any EC J-PAKE operations. * * \warning When building with MBEDTLS_MD_C, all hashes used with this - * need to be available a built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by * this module in builds where MBEDTLS_MD_C is disabled. */ @@ -2788,7 +2788,7 @@ * before doing any PKCS5 operation. * * \warning When building with MBEDTLS_MD_C, all hashes used with this - * need to be available a built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by * this module in builds where MBEDTLS_MD_C is disabled. * @@ -2812,7 +2812,7 @@ * before doing any PKCS12 operation. * * \warning When building with MBEDTLS_MD_C, all hashes used with this - * need to be available a built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C, * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by * this module in builds where MBEDTLS_MD_C is disabled. * From cbcbf4e4340b92380960ac7fe1267b9ab869a8f6 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 24 Nov 2022 11:48:59 +0100 Subject: [PATCH 328/413] Remove hand-written tests got raw_mod_sub The generated tests cover all off the hand-written tests. Signed-off-by: Gabor Mezei --- tests/suites/test_suite_bignum_mod_raw.data | 39 --------------------- 1 file changed, 39 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod_raw.data b/tests/suites/test_suite_bignum_mod_raw.data index 9290ef4f99..8cbd918f88 100644 --- a/tests/suites/test_suite_bignum_mod_raw.data +++ b/tests/suites/test_suite_bignum_mod_raw.data 
@@ -185,45 +185,6 @@ mpi_mod_raw_cond_swap:"00000000FFFFFFFF55555555AAAAAAAA":"FEDCBA9876543210FEDCBA # BEGIN MERGE SLOT 2 -mbedtls_mpi_mod_raw_sub: 0 - 0, mod 2 -mpi_mod_raw_sub:"0":"0":"2":"0" - -mbedtls_mpi_mod_raw_sub: 0 - 1, mod 2 -mpi_mod_raw_sub:"0":"1":"2":"1" - -mbedtls_mpi_mod_raw_sub: 1 - 0, mod 2 -mpi_mod_raw_sub:"1":"0":"2":"1" - -mbedtls_mpi_mod_raw_sub: 9 - 2, mod 10 -mpi_mod_raw_sub:"9":"2":"A":"7" - -mbedtls_mpi_mod_raw_sub: 6 - 7, mod 10 -mpi_mod_raw_sub:"6":"7":"A":"9" - -mbedtls_mpi_mod_raw_sub: 4 byte values, first is bigger -mpi_mod_raw_sub:"7DE15401":"5553FE19":"971F63D9":"288D55E8" - -mbedtls_mpi_mod_raw_sub: 4 byte values, second is bigger -mpi_mod_raw_sub:"58AB5FB1":"B7AFCADC":"DBD9D998":"7CD56E6D" - -mbedtls_mpi_mod_raw_sub: 8 byte values, first is bigger -mpi_mod_raw_sub:"8FE975EFDF264BDF":"6A4E956C95C1649E":"BB63D38C3AF7922E":"259AE0834964E741" - -mbedtls_mpi_mod_raw_sub: 8 byte values, second is bigger -mpi_mod_raw_sub:"0D6A093316013F68":"39DA803DB5C41434":"509876EAB3D1C663":"2427FFE0140EF197" - -mbedtls_mpi_mod_raw_sub: 16 byte values, first is bigger -mpi_mod_raw_sub:"94789C046DEC921C4EF12561271EEB12":"3AD8A050F6CC00354FDE5557E1839859":"A52A910D219A87F4F174FD9481873CEE":"599FFBB3772091E6FF12D009459B52B9" - -mbedtls_mpi_mod_raw_sub: 16 byte values, second is bigger -mpi_mod_raw_sub:"14D92E888E1274EDC37CA73B20B1F8BF":"8B7281E720762FD849948DCFA3CCC7F6":"94D3A7DE6456850BF05EB88B486DD4CD":"1E3A547FD1F2CA216A46D1F6C5530596" - -mbedtls_mpi_mod_raw_sub: 256 byte values, first is bigger -mpi_mod_raw_sub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mbedtls_mpi_mod_raw_sub: 256 byte values, second is bigger -mpi_mod_raw_sub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rom a45b6fee91e597c16872a14d20a5aa58e60ea4c9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 1 Nov 2022 13:14:28 +0000 Subject: [PATCH 329/413] Extract MPI_CORE(add_mod) from the prototype 
Signed-off-by: Tom Cosgrove --- library/bignum_mod_raw.c | 13 ++++++++++++- library/bignum_mod_raw.h | 15 ++++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index b43add77d3..7c17e56029 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c @@ -119,7 +119,18 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* END MERGE SLOT 4 */ /* BEGIN MERGE SLOT 5 */ - +void MPI_CORE(add_mod)( mbedtls_mpi_uint *X, + mbedtls_mpi_uint const *A, + mbedtls_mpi_uint const *B, + const mbedtls_mpi_uint *N, + size_t n ) +{ + size_t carry, borrow = 0, fixup; + carry = mbedtls_mpi_core_add( X, A, B, n ); + borrow = mbedtls_mpi_core_sub( X, X, N, n); + fixup = ( carry < borrow ); + (void) mbedtls_mpi_core_add_if( X, N, n, fixup ); +} /* END MERGE SLOT 5 */ /* BEGIN MERGE SLOT 6 */ diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index f738e917e1..c57372c94a 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h @@ -155,7 +155,20 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* END MERGE SLOT 4 */ /* BEGIN MERGE SLOT 5 */ - +/** + * \brief Perform a known-size modular addition. + * + * Calculate A + B mod N. + * + * \param[out] X The result of the modular addition. + * \param[in] A The left operand. This must be smaller than \p N. + * \param[in] B The right operand. This must be smaller than \p N. + * \param[in] N The modulus. + * \param n Number of limbs of \p X, \p A, \p B and \p N. + */ +void MPI_CORE(add_mod)( mbedtls_mpi_uint *X, mbedtls_mpi_uint const *A, + mbedtls_mpi_uint const *B, const mbedtls_mpi_uint *N, + size_t n ); /* END MERGE SLOT 5 */ /* BEGIN MERGE SLOT 6 */ From 0eea827cbda3a10ca6515e21901b23942b43aa5a Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Tue, 1 Nov 2022 13:27:29 +0000 Subject: [PATCH 330/413] Rename MPI_CORE(add_mod) to mbedtls_mpi_mod_raw_add 
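Review bot: In `MPI_CORE(add_mod)`, `carry` and `borrow` are declared `size_t` although `mbedtls_mpi_core_add` and `mbedtls_mpi_core_sub` return `mbedtls_mpi_uint` (the `mpi_mod_raw_sub` hunk in PATCH 320 stores the same kind of return value in an `mbedtls_mpi_uint` and casts it to `unsigned` for `mbedtls_mpi_core_add_if`), and the `borrow = 0` initializer is dead because `borrow` is assigned unconditionally on the next statement. Declaring `mbedtls_mpi_uint carry, borrow;` keeps the types consistent with the sibling function; the same pattern survives the rename in PATCH 330 and the modulus-structure change in PATCH 331. A one-line comment on the fixup condition would also help, e.g. `/* A + B < N exactly when the addition did not carry but the subtraction borrowed. */`.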
Signed-off-by: Werner Lewis --- library/bignum_mod_raw.c | 19 +++++++++---------- library/bignum_mod_raw.h | 22 +++++++++++++--------- 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 7c17e56029..2460329df6 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c @@ -119,17 +119,16 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* END MERGE SLOT 4 */ /* BEGIN MERGE SLOT 5 */ -void MPI_CORE(add_mod)( mbedtls_mpi_uint *X, - mbedtls_mpi_uint const *A, - mbedtls_mpi_uint const *B, - const mbedtls_mpi_uint *N, - size_t n ) +void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, + mbedtls_mpi_uint const *A, + mbedtls_mpi_uint const *B, + const mbedtls_mpi_uint *N, + size_t limbs ) { - size_t carry, borrow = 0, fixup; - carry = mbedtls_mpi_core_add( X, A, B, n ); - borrow = mbedtls_mpi_core_sub( X, X, N, n); - fixup = ( carry < borrow ); - (void) mbedtls_mpi_core_add_if( X, N, n, fixup ); + size_t carry, borrow = 0; + carry = mbedtls_mpi_core_add( X, A, B, limbs ); + borrow = mbedtls_mpi_core_sub( X, X, N, limbs); + (void) mbedtls_mpi_core_add_if( X, N, limbs, ( carry < borrow ) ); } /* END MERGE SLOT 5 */ diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index c57372c94a..7b82c0639e 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h 
@@ -158,17 +158,21 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /** * \brief Perform a known-size modular addition. * - * Calculate A + B mod N. + * Calculate `A + B modulo N` where \p A, \p B, and \p N have the same size. * - * \param[out] X The result of the modular addition. - * \param[in] A The left operand. This must be smaller than \p N. - * \param[in] B The right operand. This must be smaller than \p N. - * \param[in] N The modulus. - * \param n Number of limbs of \p X, \p A, \p B and \p N. + * \param[out] X The result of the modular addition. + * \param[in] A Little-endian presentation of the left operand. This + * must be smaller than \p N. + * \param[in] B Little-endian presentation of the right operand. This + * must be smaller than \p N. + * \param[in] N Little-endian presentation of the modulus. + * \param limbs Number of limbs of \p X, \p A, \p B and \p N. */ -void MPI_CORE(add_mod)( mbedtls_mpi_uint *X, mbedtls_mpi_uint const *A, - mbedtls_mpi_uint const *B, const mbedtls_mpi_uint *N, - size_t n ); +void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, + mbedtls_mpi_uint const *A, + mbedtls_mpi_uint const *B, + const mbedtls_mpi_uint *N, + size_t limbs ); /* END MERGE SLOT 5 */ /* BEGIN MERGE SLOT 6 */ From 9fa91ebcb906ad93218d92bbf816bdad17f9f198 Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Tue, 1 Nov 2022 13:36:51 +0000 Subject: [PATCH 331/413] Use modulus structure in mbedtls_mpi_mod_raw_add Signed-off-by: Werner Lewis --- library/bignum_mod_raw.c | 9 ++++----- library/bignum_mod_raw.h | 12 ++++++------ 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 2460329df6..01f5a4423f 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c 
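Review bot: The new parameter descriptions say `Little-endian presentation of the left operand` / `right operand` / `the modulus`; the intended word is `representation`, and the same wording is carried into the PATCH 331 header hunk. Changing the three lines to `Little-endian representation of ...` keeps the doc comment consistent with the rest of the bignum headers. The declaration's remaining lines are inside the hunk, so no further change is needed there.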
@@ -122,13 +122,12 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, mbedtls_mpi_uint const *A, mbedtls_mpi_uint const *B, - const mbedtls_mpi_uint *N, - size_t limbs ) + const mbedtls_mpi_mod_modulus *N ) { size_t carry, borrow = 0; - carry = mbedtls_mpi_core_add( X, A, B, limbs ); - borrow = mbedtls_mpi_core_sub( X, X, N, limbs); - (void) mbedtls_mpi_core_add_if( X, N, limbs, ( carry < borrow ) ); + carry = mbedtls_mpi_core_add( X, A, B, N->limbs ); + borrow = mbedtls_mpi_core_sub( X, X, N->p, N->limbs ); + (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, ( carry < borrow ) ); } /* END MERGE SLOT 5 */ diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index 7b82c0639e..d6522381bb 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h @@ -162,17 +162,17 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, * * \param[out] X The result of the modular addition. * \param[in] A Little-endian presentation of the left operand. This - * must be smaller than \p N. + * must be smaller than \p N, and have the same number of + * limbs. * \param[in] B Little-endian presentation of the right operand. This - * must be smaller than \p N. - * \param[in] N Little-endian presentation of the modulus. - * \param limbs Number of limbs of \p X, \p A, \p B and \p N. + * must be smaller than \p N, and have the same number of + * limbs. + * \param[in] N The address of the modulus. */ void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, mbedtls_mpi_uint const *A, mbedtls_mpi_uint const *B, - const mbedtls_mpi_uint *N, - size_t limbs ); + const mbedtls_mpi_mod_modulus *N ); /* END MERGE SLOT 5 */ /* BEGIN MERGE SLOT 6 */ From baa34b6248b29a5c8153137b0b292dfa82095e6a Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Tue, 1 Nov 2022 15:37:50 +0000 Subject: [PATCH 332/413] Add test function for mpi_mod_raw_add 
Signed-off-by: Werner Lewis --- .../suites/test_suite_bignum_mod_raw.function | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 4adccce25b..cf385e0813 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
@@ -287,6 +287,97 @@ exit: /* BEGIN MERGE SLOT 5 */ +/* BEGIN_CASE */ +void mpi_mod_raw_add( char * input_A, char * input_B, + char * input_N, char * input_S ) +{ + mbedtls_mpi_uint *A = NULL; + mbedtls_mpi_uint *B = NULL; + mbedtls_mpi_uint *S = NULL; + mbedtls_mpi_uint *N = NULL; + mbedtls_mpi_uint *X = NULL; + mbedtls_mpi_mod_modulus m; + size_t A_limbs, B_limbs, N_limbs, S_limbs; + + mbedtls_mpi_mod_modulus_init( &m ); + + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &A_limbs, input_A ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &B, &B_limbs, input_B ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &N_limbs, input_N ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &S, &S_limbs, input_S ) ); + + /* All inputs must have have the same number of limbs. */ + TEST_EQUAL( A_limbs, B_limbs ); + TEST_EQUAL( S_limbs, N_limbs ); + TEST_EQUAL( A_limbs, S_limbs ); + + size_t limbs = A_limbs; + size_t bytes = limbs * sizeof( *A ); + + ASSERT_ALLOC( X, limbs ); + + TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( + &m, N, limbs, + MBEDTLS_MPI_MOD_EXT_REP_BE, + MBEDTLS_MPI_MOD_REP_MONTGOMERY + ), 0 ); + + /* A + B => Correct result */ + mbedtls_mpi_mod_raw_add( X, A, B, &m ); + ASSERT_COMPARE( X, bytes, S, bytes ); + + /* A + B: alias X to A => Correct result */ + memcpy( X, A, bytes ); + mbedtls_mpi_mod_raw_add( X, X, B, &m ); + ASSERT_COMPARE( X, bytes, S, bytes ); + + /* A + B: alias X to B => Correct result */ + memcpy( X, B, bytes ); + mbedtls_mpi_mod_raw_add( X, A, X, &m ); + ASSERT_COMPARE( X, bytes, S, bytes ); + + if ( memcmp(A, B, bytes ) == 0 ) + { + /* A == B: alias A and B */ + + /* A + A => Correct result */ + mbedtls_mpi_mod_raw_add( X, A, A, &m ); + ASSERT_COMPARE( X, bytes, S, bytes ); + + /* A + A, alias X to A => Correct result */ + memcpy( X, A, bytes ); + mbedtls_mpi_mod_raw_add( X, A, A, &m ); + ASSERT_COMPARE( X, bytes, S, bytes ); + } + else + { + /* A != B: test B + A */ + + /* B + A => Correct result */ + mbedtls_mpi_mod_raw_add( X, B, A, &m ); 
+ ASSERT_COMPARE( X, bytes, S, bytes ); + + /* B + A: alias X to A => Correct result */ + memcpy( X, A, bytes ); + mbedtls_mpi_mod_raw_add( X, B, X, &m ); + ASSERT_COMPARE( X, bytes, S, bytes ); + + /* B + A: alias X to B => Correct result */ + memcpy( X, B, bytes ); + mbedtls_mpi_mod_raw_add( X, X, A, &m ); + ASSERT_COMPARE( X, bytes, S, bytes ); + } + +exit: + mbedtls_free( A ); + mbedtls_free( B ); + mbedtls_free( S ); + mbedtls_free( N ); + mbedtls_free( X ); + + mbedtls_mpi_mod_modulus_free( &m ); +} +/* END_CASE */ /* END MERGE SLOT 5 */ /* BEGIN MERGE SLOT 6 */ From d391b8ce612d5472e3cb7a86ff8f69e642a43ba2 Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Tue, 8 Nov 2022 15:53:47 +0000 Subject: [PATCH 333/413] Change types and move const before type Signed-off-by: Werner Lewis --- library/bignum_mod_raw.c | 6 +++--- library/bignum_mod_raw.h | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 01f5a4423f..94dcf7724c 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c @@ -120,11 +120,11 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /* BEGIN MERGE SLOT 5 */ void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, - mbedtls_mpi_uint const *A, - mbedtls_mpi_uint const *B, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, const mbedtls_mpi_mod_modulus *N ) { - size_t carry, borrow = 0; + mbedtls_mpi_uint carry, borrow; carry = mbedtls_mpi_core_add( X, A, B, N->limbs ); borrow = mbedtls_mpi_core_sub( X, X, N->p, N->limbs ); (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, ( carry < borrow ) ); diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index d6522381bb..bcb4a1596c 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h 
@@ -170,8 +170,8 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, * \param[in] N The address of the modulus. */ void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, - mbedtls_mpi_uint const *A, - mbedtls_mpi_uint const *B, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *B, const mbedtls_mpi_mod_modulus *N ); /* END MERGE SLOT 5 */ From 1a277d9ad69eb75d8934d356838680116daf3ff6 Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Tue, 8 Nov 2022 15:55:17 +0000 Subject: [PATCH 334/413] Replace comparison with XOR Signed-off-by: Werner Lewis --- library/bignum_mod_raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 94dcf7724c..8889f55410 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c @@ -127,7 +127,7 @@ void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, mbedtls_mpi_uint carry, borrow; carry = mbedtls_mpi_core_add( X, A, B, N->limbs ); borrow = mbedtls_mpi_core_sub( X, X, N->p, N->limbs ); - (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, ( carry < borrow ) ); + (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, (unsigned char) ( carry ^ borrow ) ); } /* END MERGE SLOT 5 */ From f9075762455005d036ce2529df4a6138b2841284 Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Tue, 8 Nov 2022 16:01:06 +0000 Subject: [PATCH 335/413] Pass correct arguments in test Signed-off-by: Werner Lewis --- tests/suites/test_suite_bignum_mod_raw.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index cf385e0813..c510ac5d89 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
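Review bot: `carry ^ borrow` is only equivalent to the previous `carry < borrow` because the combination carry = 1, borrow = 0 cannot occur, and that depends on the documented precondition that A and B are both smaller than N (a carry out of A + B then forces a borrow from the subtraction of N); if a caller violates the precondition, the XOR now adds N back where the comparison would have left the result alone. That invariant is worth recording at the call site, e.g. `/* carry && !borrow is impossible for A, B < N, so carry ^ borrow == (carry < borrow) */`, so the next person does not "fix" it back. The enclosing function's signature lies above this hunk.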
@@ -344,9 +344,9 @@ void mpi_mod_raw_add( char * input_A, char * input_B, mbedtls_mpi_mod_raw_add( X, A, A, &m ); ASSERT_COMPARE( X, bytes, S, bytes ); - /* A + A, alias X to A => Correct result */ + /* A + A: X, A, B all aliased together => Correct result */ memcpy( X, A, bytes ); - mbedtls_mpi_mod_raw_add( X, A, A, &m ); + mbedtls_mpi_mod_raw_add( X, X, X, &m ); ASSERT_COMPARE( X, bytes, S, bytes ); } else From e4c0a6c3ba7348dc1d4e9d0d653c11bccf02bad4 Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Thu, 17 Nov 2022 11:19:58 +0000 Subject: [PATCH 336/413] Change cast to correct type Signed-off-by: Werner Lewis --- library/bignum_mod_raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 8889f55410..6ffe0a7e63 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c @@ -127,7 +127,7 @@ void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, mbedtls_mpi_uint carry, borrow; carry = mbedtls_mpi_core_add( X, A, B, N->limbs ); borrow = mbedtls_mpi_core_sub( X, X, N->p, N->limbs ); - (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, (unsigned char) ( carry ^ borrow ) ); + (void) mbedtls_mpi_core_add_if( X, N->p, N->limbs, (unsigned) ( carry ^ borrow ) ); } /* END MERGE SLOT 5 */ From 54d87bf5c29ea0bac64f84b4d67d58e8804a14f5 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 24 Nov 2022 15:47:02 +0000 Subject: [PATCH 337/413] Take limb count from the modulus in mod_raw_add tests Signed-off-by: Tom Cosgrove --- tests/suites/test_suite_bignum_mod_raw.function | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index c510ac5d89..7b1bda708c 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
@@ -296,9 +296,9 @@ void mpi_mod_raw_add( char * input_A, char * input_B, mbedtls_mpi_uint *S = NULL; mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *X = NULL; - mbedtls_mpi_mod_modulus m; size_t A_limbs, B_limbs, N_limbs, S_limbs; + mbedtls_mpi_mod_modulus m; mbedtls_mpi_mod_modulus_init( &m ); TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &A_limbs, input_A ) ); @@ -306,14 +306,14 @@ void mpi_mod_raw_add( char * input_A, char * input_B, TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &N_limbs, input_N ) ); TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &S, &S_limbs, input_S ) ); - /* All inputs must have have the same number of limbs. */ - TEST_EQUAL( A_limbs, B_limbs ); - TEST_EQUAL( S_limbs, N_limbs ); - TEST_EQUAL( A_limbs, S_limbs ); - - size_t limbs = A_limbs; + /* Modulus gives the number of limbs; all inputs must have the same. */ + size_t limbs = N_limbs; size_t bytes = limbs * sizeof( *A ); + TEST_EQUAL( A_limbs, limbs ); + TEST_EQUAL( B_limbs, limbs ); + TEST_EQUAL( S_limbs, limbs ); + ASSERT_ALLOC( X, limbs ); TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( From abddad4af88b2aa9c2e6c09448112efd529a18a7 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 24 Nov 2022 15:54:16 +0000 Subject: [PATCH 338/413] Add note about aliasing of operands for mbedtls_mpi_mod_raw_add() Signed-off-by: Tom Cosgrove --- library/bignum_mod_raw.h | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index bcb4a1596c..56a9f860d6 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h 
@@ -158,15 +158,19 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, /** * \brief Perform a known-size modular addition. * - * Calculate `A + B modulo N` where \p A, \p B, and \p N have the same size. + * Calculate `A + B modulo N`. + * + * The number of limbs in each operand, and the result, is given by the + * modulus \p N. + * + * \p X may be aliased to \p A or \p B, or even both, but may not overlap + * either otherwise. * * \param[out] X The result of the modular addition. * \param[in] A Little-endian presentation of the left operand. This - * must be smaller than \p N, and have the same number of - * limbs. + * must be smaller than \p N. * \param[in] B Little-endian presentation of the right operand. This - * must be smaller than \p N, and have the same number of - * limbs. + * must be smaller than \p N. * \param[in] N The address of the modulus. */ void mbedtls_mpi_mod_raw_add( mbedtls_mpi_uint *X, From 1923009cdb6f60964f80c84d3493dbfa47ec6cc4 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 24 Nov 2022 15:56:53 +0000 Subject: [PATCH 339/413] Add test generation for mbedtls_mpi_mod_raw_add() Signed-off-by: Tom Cosgrove --- scripts/mbedtls_dev/bignum_mod_raw.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index 60f2feded6..ee144aa1ec 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py 
@@ -42,6 +42,25 @@ class BignumModRawTarget(test_data_generation.BaseTarget): # BEGIN MERGE SLOT 5 +class BignumModRawAdd(bignum_common.ModOperationCommon, + BignumModRawTarget): + """Test cases for bignum mpi_mod_raw_add().""" + symbol = "+" + test_function = "mpi_mod_raw_add" + test_name = "mbedtls_mpi_mod_raw_add" + input_style = "fixed" + arity = 2 + + def arguments(self) -> List[str]: + return [bignum_common.quote_str(n) for n in [self.arg_a, + self.arg_b, + self.arg_n] + ] + self.result() + + def result(self) -> List[str]: + result = (self.int_a + self.int_b) % self.int_n + return [self.format_result(result)] + # END MERGE SLOT 5 # BEGIN MERGE SLOT 6 From 50fc127a4e3ef8d3ac2ca1c5c51f9fd6f1065fcd Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 24 Nov 2022 21:29:23 +0000 Subject: [PATCH 340/413] Change order of test arguments for bignum_mod_raw to simplify Python script Signed-off-by: Tom Cosgrove --- scripts/mbedtls_dev/bignum_mod_raw.py | 6 ------ tests/suites/test_suite_bignum_mod_raw.function | 5 +++-- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py index ee144aa1ec..4c53a7f4c1 100644 --- a/scripts/mbedtls_dev/bignum_mod_raw.py +++ b/scripts/mbedtls_dev/bignum_mod_raw.py @@ -51,12 +51,6 @@ class BignumModRawAdd(bignum_common.ModOperationCommon, input_style = "fixed" arity = 2 - def arguments(self) -> List[str]: - return [bignum_common.quote_str(n) for n in [self.arg_a, - self.arg_b, - self.arg_n] - ] + self.result() - def result(self) -> List[str]: result = (self.int_a + self.int_b) % self.int_n return [self.format_result(result)] diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 7b1bda708c..148386189a 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
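Review bot: `result()` computes `(self.int_a + self.int_b) % self.int_n` for whatever operand pairs the base class yields, but the C function under test documents A < N and B < N as preconditions and its carry/borrow fix-up depends on them; unless `ModOperationCommon` already restricts operands to lie below the modulus (not visible here), generated vectors with A or B >= N would exercise behaviour the function does not promise. Stating that assumption in the class docstring, `"""Test cases for bignum mpi_mod_raw_add(); operands are expected to be reduced modulo N by the base class."""`, or filtering such pairs in the base class's validity hook if it has one, would make the contract explicit. `List` is used in the new `arguments()` override and must already be imported at the top of the module, which is outside this hunk.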
@@ -288,8 +288,9 @@ exit: /* BEGIN MERGE SLOT 5 */ /* BEGIN_CASE */ -void mpi_mod_raw_add( char * input_A, char * input_B, - char * input_N, char * input_S ) +void mpi_mod_raw_add( char * input_N, + char * input_A, char * input_B, + char * input_S ) { mbedtls_mpi_uint *A = NULL; mbedtls_mpi_uint *B = NULL; From 4bdb9fbfa2fed35bffd675e56ed9028b08387520 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 24 Nov 2022 22:21:15 +0100 Subject: [PATCH 341/413] Enable all ciphers in OpenSSL >=1.1.0 OpenSSL may be configured to support features such as cipher suites or protocol versions that are disabled by default. Enable them all: we're testing, we don't care about enabling insecure stuff. This is not needed with the builds of OpenSSL that we're currently using on the Jenkins CI, but it's needed with more recent versions such as typically found on developer machines, and with future CI additions. The syntax to do that was only introduced in OpenSSL 1.1.0; fortunately we don't need to do anything special with earlier versions. With OpenSSL 1.1.1f on Ubuntu 20.04, this allows SHA-1 in certificates, which is still needed for a few test cases in ssl-opt.sh. Curiously, this is also needed for the cipher suite TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 (and no other, including other DHE-PSK or ARIA cipher suites). Signed-off-by: Gilles Peskine --- tests/compat.sh | 14 ++++++++++++++ tests/ssl-opt.sh | 14 ++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index d681217127..529c2c5422 100755 --- a/tests/compat.sh +++ b/tests/compat.sh 
@@ -595,6 +595,20 @@ setup_arguments() G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL" + # Newer versions of OpenSSL have a syntax to enable all "ciphers", even + # low-security ones. This covers not just cipher suites but also protocol + # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on + # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in + # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find + # a way to discover it from -help, so check the openssl version. + case $($OPENSSL_CMD version) in + "OpenSSL 0"*|"OpenSSL 1.0"*) :;; + *) + O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0" + O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0" + ;; + esac + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b460c67dc1..c6f6e29635 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1689,6 +1689,20 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT" fi +# Newer versions of OpenSSL have a syntax to enable all "ciphers", even +# low-security ones. This covers not just cipher suites but also protocol +# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on +# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in +# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find +# a way to discover it from -help, so check the openssl version. +case $($OPENSSL_CMD version) in + "OpenSSL 0"*|"OpenSSL 1.0"*) :;; + *) + O_CLI="$O_CLI -cipher ALL@SECLEVEL=0" + O_SRV="$O_SRV -cipher ALL@SECLEVEL=0" + ;; +esac + if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT" From 187db00399dc05c1e1ad29adf55a9f480334a780 Mon Sep 17 00:00:00 2001 
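Review bot: The version check only exempts `OpenSSL 0*` and `OpenSSL 1.0*`, so any other banner from `$OPENSSL_CMD version`, notably a LibreSSL build whose banner starts with `LibreSSL` and which, as far as I know, does not accept the `@SECLEVEL` cipher-string suffix, falls into the default branch and receives `-cipher ALL@SECLEVEL=0`; adding it to the skip pattern, `"OpenSSL 0"*|"OpenSSL 1.0"*|"LibreSSL"*) :;;`, avoids passing an unsupported option there. Since `SECLEVEL=0` re-enables SHA-1 certificates, weak groups and legacy protocol versions, a one-line comment that this is a test-harness setting which must never be copied into a deployment configuration belongs next to it. The identical case statement is repeated in the ssl-opt.sh hunk below, so both copies need the same fix.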
From: Gilles Peskine Date: Wed, 23 Nov 2022 14:30:00 +0100 Subject: [PATCH 342/413] Update the Travis "full" build to use modern Clang Don't use an all.sh component because there isn't one that does what we want (modern Clang with ASan, and test everything). * We need to set CC explicitly or tweak PATH, because clang in $PATH on Travis focal instances is Clang 7 which is too old (we want Clang 10). * Travis lacks the array of versions of openssl and gnutls that we normally use for testing, so we need to exclude some tests (or build our own multiple versions of openssl and gnutls). The SSL test exclusions are ad hoc and based on what currently works. Signed-off-by: Gilles Peskine --- .travis.yml | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 67cb3ca61e..eaf817a7b9 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -25,8 +25,40 @@ jobs: - tests/scripts/all.sh -k build_arm_linux_gnueabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus - name: full configuration + os: linux + dist: focal + addons: + apt: + packages: + - clang-10 + - gnutls-bin script: - - tests/scripts/all.sh -k test_full_cmake_gcc_asan + # Do a manual build+test sequence rather than using all.sh, + # because there's no all.sh component that does what we want, + # which is a build with Clang >= 10 and ASan, running all the SSL + # testing. + # - The clang executable in the default PATH is Clang 7 on + # Travis's focal instances, but we want Clang >= 10. + # - Running all the SSL testing requires a specific set of + # OpenSSL and GnuTLS versions and we don't want to bother + # with those on Travis. + # So we explicitly select clang-10 as the compiler, and we + # have ad hoc restrictions on SSL testing based on what is + # passing at the time of writing. We will remove these limitations + # gradually. + - make generated_files + - make CC=clang-10 CFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all -O2' LDFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all' + - make test + - programs/test/selftest + - tests/scripts/test_psa_constant_names.py + - tests/ssl-opt.sh + # Modern OpenSSL does not support fixed ECDH or null ciphers. + - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-' + - tests/scripts/travis-log-failure.sh + # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. + - tests/compat.sh -p GnuTLS -e 'CAMELLIA' + - tests/scripts/travis-log-failure.sh + - tests/context-info.sh - name: Windows os: windows From 12269e27b190ae399916c81c02ded099864c1b28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= Date: Fri, 25 Nov 2022 05:51:02 +0100 Subject: [PATCH 343/413] Add changelog for PKCS7 parser MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Bence Szépkúti --- ChangeLog.d/pkcs7-parser.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 ChangeLog.d/pkcs7-parser.txt diff --git a/ChangeLog.d/pkcs7-parser.txt b/ChangeLog.d/pkcs7-parser.txt new file mode 100644 index 0000000000..7f85f0ce1d --- /dev/null +++ b/ChangeLog.d/pkcs7-parser.txt @@ -0,0 +1,13 @@ +Features + * Added partial support for parsing the PKCS7 cryptographic message syntax, + as defined in RFC 2315. Currently, support is limited to the following: + - Only the signed data content type, version 1 is supported. + - Only DER encoding is supported. + - Only a single digest algorithm per message is supported. + - Only 0 or 1, certificate is supported per message, which must be in + X509 format. + - There is no support for certificate-revocation lists. + - The authenticated and unauthenticated attribute fields of SignerInfo + must be empty. + Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for + contributing this feature. From 88e5566a9bc489039e0345e82d62afb3e0e531b7 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 10:14:54 +0100 Subject: [PATCH 344/413] Changed order of conditions in check_config.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 43e538cf97..519c2b1ffc 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
@@ -903,8 +903,8 @@ #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)" #endif -#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ - defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && \ + !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequsites" #endif From e2c46e0413f9b6c145e54bc60a5848a03492dc70 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 10:44:11 +0100 Subject: [PATCH 345/413] Reference to RFC 9146 added MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added deprecated keyword to MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/mbedtls_config.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 7706250104..8f45236940 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1320,9 +1320,10 @@ /** * \def MBEDTLS_SSL_DTLS_CONNECTION_ID * - * Enable support for the DTLS Connection ID extension, + * Enable support for the DTLS Connection ID (CID) extension, * which allows to identify DTLS connections across changes - * in the underlying transport. + * in the underlying transport. The CID functionality is described + * in RFC 9146. * * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and 
@@ -1352,6 +1353,13 @@ * Set the value to 0 for the standard version, and * 1 for the legacy draft version. * + * \deprecated Support for the legacy version of the DTLS + * Connection ID feature is deprecated. Please + * switch to the standardized version defined + * in RFC 9146 enabled by utilizing + * MBEDTLS_SSL_DTLS_CONNECTION_ID without use + * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT. + * * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID */ #define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 From b2e661562557568aef263e880b80c6a441f0c385 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 10:53:44 +0100 Subject: [PATCH 346/413] Added deprecated warning in check_config.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Warns about the removal of the legacy DTLS Connection ID feature in a future version of Mbed TLS. Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/check_config.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 519c2b1ffc..6bfb9faa55 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -908,6 +908,13 @@ #error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequsites" #endif +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 +#if defined(MBEDTLS_DEPRECATED_REMOVED) +#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS" +#elif defined(MBEDTLS_DEPRECATED_WARNING) +#warning "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS" +#endif +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) From 6b6b63f039ebb19d5a7eafd05aa84b98c68a1075 Mon Sep 17 00:00:00 2001 
From: Hannes Tschofenig Date: Wed, 23 Nov 2022 10:57:06 +0100 Subject: [PATCH 347/413] Added closing SECTION of doxygen markup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2a8a06dfb9..3a4d660cf9 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -402,6 +402,8 @@ #define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 #endif +/** \} name SECTION: Module settings */ + /* * Default to standard CID mode */ From df84bb30abf4a9d4e71ea5cf20fd64962ed379c4 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 11:14:03 +0100 Subject: [PATCH 348/413] Removed MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH from CID tests in all.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added also extra text. Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/all.sh | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ce92c1b417..51a88b7fbd 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -2711,39 +2711,37 @@ component_test_variable_ssl_in_out_buffer_len () { } component_test_variable_ssl_in_out_buffer_len_CID () { - msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled (ASan build)" scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID" + msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (standard)" make test - msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled" tests/ssl-opt.sh - msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled" tests/compat.sh } component_test_variable_ssl_in_out_buffer_len_CID_legacy () { - msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 
make - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID" + msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" make test - msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" tests/ssl-opt.sh - msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled" + msg "test: compat.sh, MMBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" tests/compat.sh } From db01d050112a4f41be5719db4e0fb1bdd71d9631 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Wed, 23 Nov 2022 11:18:19 +0100 Subject: [PATCH 349/413] Removal of redundant DTLS CID test in ssl-opt.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per suggestion from Manuel, I removed this redundant test. Signed-off-by: Hannes Tschofenig Signed-off-by: Manuel Pégourié-Gonnard --- tests/ssl-opt.sh | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 31c007e622..cc0ac55cbf 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2580,18 +2580,6 @@ run_test "Context serialization, client serializes, with CID" \ -c "Deserializing connection..." \ -S "Deserializing connection..." -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_cid_compat -run_test "Context serialization, client serializes, with CID (legacy)" \ - "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ - "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ - 0 \ - -c "Deserializing connection..." \ - -S "Deserializing connection..." - - requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, server serializes, CCM" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ 
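Review bot: The legacy component's final message reads `compat.sh, MMBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled`, with a doubled leading M, so that log line will not match the other messages when a CI run is grepped; it should be `msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"`. Both components also keep their `component_test_variable_ssl_in_out_buffer_len_CID*` names even though the hunk removes the `MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH` setting, so the names now describe a configuration that is no longer built; renaming them after what they actually enable (e.g. `component_test_dtls_cid_legacy`) keeps the component list honest.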
From 61336848a922d29e45b06e79e3058be2a1a5a1b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 25 Nov 2022 11:12:38 +0100 Subject: [PATCH 350/413] Fix bug when legacy CID is enabled but not used MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When legacy CID is enabled at compile time, but not used at runtime, we would incorrectly skip the sequence number at the beginning of the AAD. There was already two "else" branches for writing the sequence number but none of them was taken in that particular case. Simplify the structure of the code: with TLS 1.2 (we're already in that branch), we always write the sequence number, unless we're using standard CID. Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 58e6af2a56..c523b82492 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -551,9 +551,8 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, ((void) tls_version); ((void) taglen); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - -#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 if( rec->cid_len != 0 ) { // seq_num_placeholder @@ -569,17 +568,12 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, cur++; } else +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ { // epoch + sequence number memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); cur += sizeof( rec->ctr ); } -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 */ -#else - // epoch + sequence number - memcpy(cur, rec->ctr, sizeof(rec->ctr)); - cur += sizeof(rec->ctr); -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ } // type From 5a454f7781a36dbf9c34eeaf1db892184a7496ad Mon Sep 17 00:00:00 2001 
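Review bot: The `#endif` that now closes the `if` branch still reads `/* MBEDTLS_SSL_DTLS_CONNECTION_ID */`, while the `#if` it pairs with tests both `defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)` and `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0`; `#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 */` keeps the comment truthful. The bug being fixed changes what the record AEAD authenticates for every record in a legacy-CID build that does not negotiate a CID, which presumably made such records unverifiable by a peer computing the standard additional data, yet this commit adds no test for the `COMPAT == 1`, CID-not-in-use case; a ssl-opt.sh run in a COMPAT build with `cid=0`, or a unit test of the additional-data builder with `rec->cid_len == 0`, would pin the fix. `ssl_extract_add_data_from_record` starts above the first hunk and continues past the second, so the rest of the AAD layout cannot be checked from here.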
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 25 Nov 2022 11:25:08 +0100 Subject: [PATCH 351/413] Remove redundant tests in ssl-opt.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We don't need to have two copies of the test with one of them depending on legacy/compat CID: we can have just one copy, but make sure we run ssl-opt.sh both in a build with standard CID and in a build with legacy/compat - that's the job of all.sh (see next commit). Signed-off-by: Manuel Pégourié-Gonnard --- tests/ssl-opt.sh | 41 ----------------------------------------- 1 file changed, 41 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index cc0ac55cbf..de9498374a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -525,14 +525,6 @@ requires_max_content_len() { requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1 } -CID_MODE=$( get_config_value_or_default "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT" ) - -requires_cid_compat() { - if [ "$CID_MODE" = "0" ]; then - SKIP_NEXT="YES" - fi -} - # skip next test if GnuTLS isn't available requires_gnutls() { if [ -z "${GNUTLS_AVAILABLE:-}" ]; then @@ -2616,16 +2608,6 @@ run_test "Context serialization, server serializes, with CID" \ -C "Deserializing connection..." \ -s "Deserializing connection..." -requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_cid_compat -run_test "Context serialization, server serializes, with CID (legacy)" \ - "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ - "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \ - 0 \ - -C "Deserializing connection..." \ - -s "Deserializing connection..." - requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION run_test "Context serialization, both serialize, CCM" \ 
@@ -2663,18 +2645,6 @@ run_test "Context serialization, both serialize, with CID" \
 -c "Deserializing connection..." \
 -s "Deserializing connection..."
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
-requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
-requires_cid_compat
-run_test "Context serialization, both serialize, with CID (legacy)" \
- "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
- "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
- 0 \
- -c "Deserializing connection..." \
- -s "Deserializing connection..."
-
-
 requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
 run_test "Context serialization, re-init, client serializes, CCM" \
 "$P_SRV dtls=1 serialize=0 exchanges=2" \
@@ -2711,17 +2681,6 @@ run_test "Context serialization, re-init, client serializes, with CID" \
 -c "Deserializing connection..." \
 -S "Deserializing connection..."
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
-requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
-requires_cid_compat
-run_test "Context serialization, re-init, client serializes, with CID (legacy)" \
- "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
- "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
- 0 \
- -c "Deserializing connection..." \
- -S "Deserializing connection..."
-
 requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
 run_test "Context serialization, re-init, server serializes, CCM" \
 "$P_SRV dtls=1 serialize=2 exchanges=2" \

From 6a543ba1d3f55a161e2f7c6195535a2386e9431e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 25 Nov 2022 11:30:10 +0100
Subject: [PATCH 352/413] Remove redundant component in all.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CID is now enabled in the default config (as well as full), so it's already tested in numerous all.sh components, not need to add one for that. We need a component for the legacy/compat option though as it's never enabled in existing components. So, keep that one, but adjust the name and fix a typo in a message.

Signed-off-by: Manuel Pégourié-Gonnard
---
 tests/scripts/all.sh | 22 ++--------------------
 1 file changed, 2 insertions(+), 20 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 51a88b7fbd..397e765053 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2710,26 +2710,8 @@ component_test_variable_ssl_in_out_buffer_len () {
 tests/compat.sh
 }
-component_test_variable_ssl_in_out_buffer_len_CID () {
- msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled (ASan build)"
- scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID
-
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
- make
-
- msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (standard)"
- make test
-
- msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled"
- tests/ssl-opt.sh
-
- msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (standard) enabled"
- tests/compat.sh
-}
-
-component_test_variable_ssl_in_out_buffer_len_CID_legacy () {
+component_test_dtls_cid_legacy () {
 msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)"
- scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID
 scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1
 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
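Review bot: `component_test_dtls_cid_legacy` drops the `scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID` line and relies on the default config having CID enabled, as the commit message says; if that default ever changes, this component would silently build without CID and the legacy/compat code path would go untested, with no failure to point that out. Keeping the `scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID` line (which should be a no-op when the option is already on) or adding a comment such as `# MBEDTLS_SSL_DTLS_CONNECTION_ID is on by default; only the compat option needs setting` would make the dependency explicit. The component's body continues past the end of the hunk.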
@@ -2741,7 +2723,7 @@ component_test_variable_ssl_in_out_buffer_len_CID_legacy () {
 msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
 tests/ssl-opt.sh
- msg "test: compat.sh, MMBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
+ msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
 tests/compat.sh
 }

From 5a34b36bbd329254dd0a305fe32019d5cba6aa66 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 25 Nov 2022 13:26:18 +0100
Subject: [PATCH 353/413] Remove more now-redundant definitions of inline

Signed-off-by: Gilles Peskine
---
 include/psa/crypto_platform.h | 5 -----
 library/aria.c | 5 -----
 library/chacha20.c | 5 -----
 library/debug.c | 5 -----
 library/ecp.c | 5 -----
 library/ecp_curves.c | 5 -----
 library/mps_reader.c | 5 -----
 library/poly1305.c | 5 -----
 library/ssl_misc.h | 5 -----
 9 files changed, 45 deletions(-)

diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index 47ab1cf9f2..573b33c856 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
@@ -45,11 +45,6 @@
 /* PSA requires several types which C99 provides in stdint.h. */
 #include
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 #if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
 /* Building for the PSA Crypto service on a PSA platform, a key owner is a PSA
diff --git a/library/aria.c b/library/aria.c
index 924f952834..5e52eea91e 100644
--- a/library/aria.c
+++ b/library/aria.c
@@ -37,11 +37,6 @@
 #include "mbedtls/platform_util.h"
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 /* Parameter validation macros */
 #define ARIA_VALIDATE_RET( cond ) \
 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
diff --git a/library/chacha20.c b/library/chacha20.c
index e53eb82f54..85d7461aac 100644
--- a/library/chacha20.c
+++ b/library/chacha20.c
@@ -36,11 +36,6 @@
 #if !defined(MBEDTLS_CHACHA20_ALT)
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 #define ROTL32( value, amount ) \
 ( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) )
diff --git a/library/debug.c b/library/debug.c
index bdbf6dd11e..6114a460fd 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -30,11 +30,6 @@
 #include
 #include
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 #define DEBUG_BUF_SIZE 512
 static int debug_threshold = 0;
diff --git a/library/ecp.c b/library/ecp.c
index 37f6090a83..cd7d5543c3 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -88,11 +88,6 @@
 #include "ecp_internal_alt.h"
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 #if defined(MBEDTLS_SELF_TEST)
 /*
 * Counts of point addition and doubling, and field multiplications.
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 7b142370dd..5cd2828f73 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -39,11 +39,6 @@
 #define ECP_VALIDATE( cond ) \
 MBEDTLS_INTERNAL_VALIDATE( cond )
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 #define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
 #define ECP_MPI_INIT_ARRAY(x) \
diff --git a/library/mps_reader.c b/library/mps_reader.c
index 36958b46b8..6f823bde15 100644
--- a/library/mps_reader.c
+++ b/library/mps_reader.c
@@ -29,11 +29,6 @@
 #include
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 #if defined(MBEDTLS_MPS_ENABLE_TRACE)
 static int mbedtls_mps_trace_id = MBEDTLS_MPS_TRACE_BIT_READER;
 #endif /* MBEDTLS_MPS_ENABLE_TRACE */
diff --git a/library/poly1305.c b/library/poly1305.c
index 0850f66a34..4d0cdee257 100644
--- a/library/poly1305.c
+++ b/library/poly1305.c
@@ -32,11 +32,6 @@
 #if !defined(MBEDTLS_POLY1305_ALT)
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 #define POLY1305_BLOCK_SIZE_BYTES ( 16U )
 /*
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 4d7f63547d..59910e4ea3 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -56,11 +56,6 @@
 #include "common.h"
-#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
- !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 /* Shorthand for restartable ECC */
 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
 defined(MBEDTLS_SSL_CLI_C) && \

From 7d23778178582afa9033bcbb2264300bac3767c6 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 25 Nov 2022 13:34:59 +0100
Subject: [PATCH 354/413] Explain why p + n isn't good enough

Signed-off-by: Gilles Peskine
---
 library/common.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/library/common.h b/library/common.h
index 53598228b4..25d5294e1a 100644
--- a/library/common.h
+++ b/library/common.h
@@ -73,6 +73,9 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c
 *
 * This is just the addition of an offset to a pointer, except that this
 * function also accepts an offset of 0 into a buffer whose pointer is null.
+ * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
+ * A null pointer is a valid buffer pointer when the size is 0, for example
+ * as the result of `malloc(0)` on some platforms.)
 *
 * \param p Pointer to a buffer of at least n bytes.
 * This may be \p NULL if \p n is zero.
@@ -89,8 +92,7 @@ static inline unsigned char *mbedtls_buffer_offset(
 /** Return an offset into a read-only buffer.
 *
- * This is just the addition of an offset to a pointer, except that this
- * function also accepts an offset of 0 into a buffer whose pointer is null.
+ * Similar to mbedtls_buffer_offset(), but for const pointers.
 *
 * \param p Pointer to a buffer of at least n bytes.
 * This may be \p NULL if \p n is zero.

From ddad40b1de89f2b65090af1c8723d0352a700b71 Mon Sep 17 00:00:00 2001
From: Tom Cosgrove
Date: Fri, 25 Nov 2022 14:18:52 +0000
Subject: [PATCH 355/413] Free the modulus before the data in it in mod_raw_add tests

Signed-off-by: Tom Cosgrove
---
 tests/suites/test_suite_bignum_mod_raw.function | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index 148386189a..1939493816 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -370,13 +370,13 @@ void mpi_mod_raw_add( char * input_N,
 }
 exit:
+ mbedtls_mpi_mod_modulus_free( &m );
+
 mbedtls_free( A );
 mbedtls_free( B );
 mbedtls_free( S );
 mbedtls_free( N );
 mbedtls_free( X );
-
- mbedtls_mpi_mod_modulus_free( &m );
 }
 /* END_CASE */
 /* END MERGE SLOT 5 */

From 119d7e20115fa93577bb32c6d54aaf7cad5f7967 Mon Sep 17 00:00:00 2001
From: David Horstmann
Date: Fri, 25 Nov 2022 15:50:30 +0000
Subject: [PATCH 356/413] Fix typo 'unsupoported' -> 'unsupported'

Signed-off-by: David Horstmann
---
 tests/data_files/Makefile | 2 +-
 tests/data_files/test-ca.opensslconf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index d4f2011e93..aacf3e2a7c 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -280,7 +280,7 @@ server5-nonprintable_othername.crt: server5.key
 $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS non-printable othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions nonprintable_othername_san -days 3650 -sha256 -key $< -out $@
 server5-unsupported_othername.crt: server5.key
- $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupoported_othername_san -days 3650 -sha256 -key $< -out $@
+ $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupported_othername_san -days 3650 -sha256 -key $< -out $@
 server5-fan.crt: server5.key
 $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS FAN" -set_serial 77 -config $(test_ca_config_file) -extensions fan_cert -days 3650 -sha256 -key server5.key -out $@
diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf
index 3bb237903c..b2c2fa1bcc 100644
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@@ -18,7 +18,7 @@ subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
 [nonprintable_othername_san]
 subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name
-[unsupoported_othername_san]
+[unsupported_othername_san]
 subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
 [dns_alt_names]
From 81f4b11010097d578e81df49927a3743c4cfa210 Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Thu, 10 Nov 2022 14:40:38 +0000
Subject: [PATCH 357/413] bignum_mod: Added `mbedtls_mpi_mod_read/write()` IO functions

This patch adds input and ouput fucntions in the `bignum_mod` layer. The data will be automatically converted between Cannonical and Montgomery representation if required.

Signed-off-by: Minos Galanakis
---
 library/bignum_mod.c | 47 ++++++++++++++++++++++++++++++++++++++++++++
 library/bignum_mod.h | 44 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)

diff --git a/library/bignum_mod.c b/library/bignum_mod.c
index 13108c51f1..a4ed32b6a3 100644
--- a/library/bignum_mod.c
+++ b/library/bignum_mod.c
@@ -209,7 +209,54 @@ exit:
 /* END MERGE SLOT 6 */
 /* BEGIN MERGE SLOT 7 */
+int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r,
+ mbedtls_mpi_mod_modulus *m,
+ unsigned char *buf,
+ size_t buflen )
+{
+ int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ if ( r == NULL || m == NULL )
+ goto cleanup;
+
+ if ( r->p == NULL || m->p == NULL || r->limbs > m->limbs ||\
+ r->limbs == 0 || m->limbs == 0 )
+ goto cleanup;
+
+ ret = mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen );
+
+ if( ret != 0 )
+ goto cleanup;
+
+ if (m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY)
+ ret = mbedtls_mpi_mod_raw_to_mont_rep(r->p, m);
+
+cleanup:
+ return ( ret );
+}
+
+int mbedtls_mpi_mod_write( mbedtls_mpi_mod_residue *r,
+ mbedtls_mpi_mod_modulus *m,
+ unsigned char *buf,
+ size_t buflen )
+{
+ int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+ if ( r == NULL || m == NULL )
+ goto cleanup;
+
+ if ( r->p == NULL || m->p == NULL || r->limbs > m->limbs ||\
+ r->limbs == 0 || m->limbs == 0 )
+ goto cleanup;
+
+ if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY)
+ ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m );
+
+ ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen );
+
+cleanup:
+ return ( ret );
+}
 /* END MERGE SLOT 7 */
 /* BEGIN MERGE SLOT 8 */
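Review bot: In `mbedtls_mpi_mod_write`, the result of `mbedtls_mpi_mod_raw_from_mont_rep( r->p, m )` is overwritten by the unconditional `ret = mbedtls_mpi_mod_raw_write(...)` that follows, so a failed conversion is silently ignored; and because that conversion rewrites `r->p` in place, a Montgomery-form residue is left in canonical form after a write while `m->int_rep` still says Montgomery, so any later arithmetic on `r` would operate on the wrong representation. The conversion result should be checked and the representation restored after the write, as sketched below. `mbedtls_mpi_mod_read` has the mirror-image issue in a weaker form: if `mbedtls_mpi_mod_raw_to_mont_rep` fails, `r` is left holding canonical data, which the header should state as "r is unspecified on error". Two smaller points: the `||\` at the end of the limb checks is a stray line continuation inside an expression and can be dropped, and `r->limbs > m->limbs` admits a residue with fewer limbs than the modulus, which contradicts the "must have as many limbs" contract in the accompanying header (consider `r->limbs != m->limbs`).

```c
int mbedtls_mpi_mod_write( mbedtls_mpi_mod_residue *r,
    /* … unchanged: remaining parameters, NULL and limb checks … */

    if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY )
    {
        ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m );
        if( ret != 0 )
            goto cleanup;
    }

    ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen );

    /* Put r back into its internal representation even if the write failed,
     * so a caller never sees a residue whose form disagrees with m->int_rep. */
    if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY )
    {
        int conv_ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m );
        if( ret == 0 )
            ret = conv_ret;
    }

    /* … unchanged: cleanup label and return … */
```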
diff --git a/library/bignum_mod.h b/library/bignum_mod.h
index 29c26f2ef9..9378aabacd 100644
--- a/library/bignum_mod.h
+++ b/library/bignum_mod.h
@@ -173,7 +173,51 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m );
 /* END MERGE SLOT 6 */
 /* BEGIN MERGE SLOT 7 */
+/** Read public representation data stored in a buffer into a residue structure.
+ *
+ * The `mbedtls_mpi_mod_residue` and `mbedtls_mpi_mod_modulus` structures must
+ * be compatible. The data will be automatically converted into the appropriate
+ * representation based on the value of `m->int_rep field`.
+ *
+ * \param r The address of the residue related to \p m. It must have as
+ * many limbs as the modulus \p m.
+ * \param m The address of the modulus.
+ * \param buf The input buffer to import from.
+ * \param buflen The length in bytes of \p buf.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
+ * large enough to hold the value in \p buf.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation
+ * of \p m is invalid or \p X is not less than \p m.
+ */
+int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r,
+ mbedtls_mpi_mod_modulus *m,
+ unsigned char *buf,
+ size_t buflen );
+/** Write residue data onto a buffer using public representation data.
+ *
+ * The `mbedtls_mpi_mod_residue` and `mbedtls_mpi_mod_modulus` structures must
+ * be compatible. The data will be automatically converted into the appropriate
+ * representation based on the value of `m->int_rep field`.
+ *
+ * \param r The address of the residue related to \p m. It must have as
+ * many limbs as the modulus \p m.
+ * \param m The address of the modulus.
+ * \param buf The output buffer to export to.
+ * \param buflen The length in bytes of \p buf.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ * large enough to hold the value of \p X.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation
+ * of \p m is invalid.
+ */
+int mbedtls_mpi_mod_write( mbedtls_mpi_mod_residue *r,
+ mbedtls_mpi_mod_modulus *m,
+ unsigned char *buf,
+ size_t buflen );
 /* END MERGE SLOT 7 */
 /* BEGIN MERGE SLOT 8 */

From 8f242706303b4b681fbe4e350ece31928b151098 Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Thu, 10 Nov 2022 16:56:02 +0000
Subject: [PATCH 358/413] test_suite_bignum_mod: Added tests for hight level IO

This patch adds the following tests for the high levet IO api:
* mpi_mod_io_neg
* mpi_mod_io
Manually generated test data has also been included.

Signed-off-by: Minos Galanakis
---
 tests/suites/test_suite_bignum_mod.data | 231 +++++++++++++++++++-
 tests/suites/test_suite_bignum_mod.function | 142 ++++++++++++
 2 files changed, 366 insertions(+), 7 deletions(-)

diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data
index 95faa53b80..6b25c49ee2 100644
--- a/tests/suites/test_suite_bignum_mod.data
+++ b/tests/suites/test_suite_bignum_mod.data
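Review bot: Both new doc comments refer to `\p X`, which is not a parameter of either function (the residue parameter is `r`), so Doxygen will report an unknown parameter and readers are left guessing which argument is meant; replace it with `\p r`, e.g. `\return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p r isn't large enough to hold the value in \p buf.` The phrase `m->int_rep field` puts the word "field" inside the code span; it should read "the `m->int_rep` field" with only the member name in backticks. The contract "must have as many limbs as the modulus \p m" is stricter than the check in library/bignum_mod.c in this same patch, which only rejects `r->limbs > m->limbs`, so either the text or the check should be changed to match. For mbedtls_mpi_mod_write it would also help to state whether `r` is left unchanged by the call, since the implementation in this patch converts it in place.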
@@ -50,17 +50,234 @@ mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0
 # END MERGE SLOT 6
 # BEGIN MERGE SLOT 7
+Test mbedtls_mpi_mod_io_neg
+mpi_mod_io_neg:
-# END MERGE SLOT 7
+Test mbedtls_mpi_mod_io #1 N: "11" A: "119".
+mpi_mod_io:"000000000000000b":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
-# BEGIN MERGE SLOT 8
+Test mbedtls_mpi_mod_io #2 N: "11" A: "136".
+mpi_mod_io:"000000000000000b":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
-# END MERGE SLOT 8
+Test mbedtls_mpi_mod_io #3 N: "11" A: "119".
+mpi_mod_io:"000000000000000b":"0000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
-# BEGIN MERGE SLOT 9
+Test mbedtls_mpi_mod_io #4 N: "11" A: "136".
+mpi_mod_io:"000000000000000b":"0100000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
-# END MERGE SLOT 9
+Test mbedtls_mpi_mod_io #5 N: "140737488355333" A: "119".
+mpi_mod_io:"0000800000000005":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
-# BEGIN MERGE SLOT 10
+Test mbedtls_mpi_mod_io #6 N: "140737488355333" A: "136".
+mpi_mod_io:"0000800000000005":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #7 N: "140737488355333" A: "119".
+mpi_mod_io:"0000800000000005":"0000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #8 N: "140737488355333" A: "136".
+mpi_mod_io:"0000800000000005":"0100000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #9 N: "140737488355333" A: "119".
+mpi_mod_io:"0000800000000005":"00000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #10 N: "140737488355333" A: "136".
+mpi_mod_io:"0000800000000005":"ca03000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #11 N: "140737488355333" A: "119".
+mpi_mod_io:"0000800000000005":"00000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #12 N: "140737488355333" A: "136".
+mpi_mod_io:"0000800000000005":"28d49e5300000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #13 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #14 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #15 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"0000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #16 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"0100000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #17 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"00000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #18 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"ca03000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #19 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"00000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #20 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"28d49e5300000000":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #21 N: "9223372036854775807" A: "119".
+mpi_mod_io:"7fffffffffffffff":"7dfe5c6beb35a2d6":MBEDTLS_MPI_MOD_EXT_REP_BE
+
+Test mbedtls_mpi_mod_io #22 N: "9223372036854775807" A: "136".
+mpi_mod_io:"7fffffffffffffff":"d6a235eb6b5cfe7d":MBEDTLS_MPI_MOD_EXT_REP_LE
+
+Test mbedtls_mpi_mod_io #23 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119".
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #24 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #25 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #26 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". 
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #27 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #28 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"ca030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #29 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119". 
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #30 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"28d49e53000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #31 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007dfe5c6beb35a2d6":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #32 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". 
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"d6a235eb6b5cfe7d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #33 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dca8de1c2adfc6d7aafb9b48e":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #34 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"8eb4b9af7a6dfcadc2e18dca0d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #35 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119". 
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a7d17b6c4be72f3d5c16bf9c1af6fc933":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #36 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"33c96fafc1f96bc1d5f372bec4b6177d0a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #37 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fec97beec546f9553142ed52f147845463f579":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #38 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". 
+mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"79f563548447f152ed423155f946c5ee7bc9fe020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #39 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "119". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"00000000000000000000000000000000000000000000000000000000000000000000000000000000378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #40 N: "6610145858169835373800827072568987987787972943497619105736762797475099959212160692262984293277166612477845864397201463825139894315919781838969391314120587" A: "136". +mpi_mod_io:"7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a98df75154f8c914a282f8b":"4fdcca75f1d4e6dc789591f45a49ba2cb6a7c58b3bc88d3700000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #41 N: "201076468338594879614802819276237850336264827391977454179" A: "119". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #42 N: "201076468338594879614802819276237850336264827391977454179" A: "136". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #43 N: "201076468338594879614802819276237850336264827391977454179" A: "119". 
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000000000000000000000000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #44 N: "201076468338594879614802819276237850336264827391977454179" A: "136". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"010000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #45 N: "201076468338594879614802819276237850336264827391977454179" A: "119". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"0000000000000000000000000000000000000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #46 N: "201076468338594879614802819276237850336264827391977454179" A: "136". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"ca0300000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #47 N: "201076468338594879614802819276237850336264827391977454179" A: "119". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"0000000000000000000000000000000000000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #48 N: "201076468338594879614802819276237850336264827391977454179" A: "136". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"28d49e530000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #49 N: "201076468338594879614802819276237850336264827391977454179" A: "119". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000000000000000000007dfe5c6beb35a2d6":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #50 N: "201076468338594879614802819276237850336264827391977454179" A: "136". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"d6a235eb6b5cfe7d00000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #51 N: "201076468338594879614802819276237850336264827391977454179" A: "119". 
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"00000000000000000000000dca8de1c2adfc6d7aafb9b48e":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #52 N: "201076468338594879614802819276237850336264827391977454179" A: "136". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"8eb4b9af7a6dfcadc2e18dca0d0000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #53 N: "201076468338594879614802819276237850336264827391977454179" A: "119". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"000000000000000a7d17b6c4be72f3d5c16bf9c1af6fc933":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #54 N: "201076468338594879614802819276237850336264827391977454179" A: "136". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"33c96fafc1f96bc1d5f372bec4b6177d0a00000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #55 N: "201076468338594879614802819276237850336264827391977454179" A: "119". +mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"0000000002fec97beec546f9553142ed52f147845463f579":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #56 N: "201076468338594879614802819276237850336264827391977454179" A: "136". 
+mpi_mod_io:"08335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63":"79f563548447f152ed423155f946c5ee7bc9fe0200000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #57 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". +mpi_mod_io:"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":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #58 N: 
"32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". +mpi_mod_io:"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":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #59 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"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":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #60 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". 
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #61 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003ca":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #62 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". 
+mpi_mod_io:"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":"ca030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #63 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000539ed428":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #64 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". 
+mpi_mod_io:"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":"28d49e53000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #65 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"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":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007dfe5c6beb35a2d6":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #66 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". 
+mpi_mod_io:"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":"d6a235eb6b5cfe7d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #67 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dca8de1c2adfc6d7aafb9b48e":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #68 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". 
+mpi_mod_io:"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":"8eb4b9af7a6dfcadc2e18dca0d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #69 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"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":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a7d17b6c4be72f3d5c16bf9c1af6fc933":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #70 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". 
+mpi_mod_io:"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":"33c96fafc1f96bc1d5f372bec4b6177d0a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #71 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"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":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002fec97beec546f9553142ed52f147845463f579":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #72 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". 
+mpi_mod_io:"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":"79f563548447f152ed423155f946c5ee7bc9fe020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #73 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"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":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #74 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". 
+mpi_mod_io:"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":"4fdcca75f1d4e6dc789591f45a49ba2cb6a7c58b3bc88d3700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_MPI_MOD_EXT_REP_LE + +Test mbedtls_mpi_mod_io #75 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "119". 
+mpi_mod_io:"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":"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":MBEDTLS_MPI_MOD_EXT_REP_BE + +Test mbedtls_mpi_mod_io #76 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". +mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a64d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a07e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d3898c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3ad4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181db8896f33bb12e6ef73f12ec5c5ea7a8a337":"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":MBEDTLS_MPI_MOD_EXT_REP_LE -# END MERGE SLOT 10 diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 1a2d0c135b..00e8306701 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function 
@@ -80,7 +80,149 @@ exit:
 /* END MERGE SLOT 6 */
 /* BEGIN MERGE SLOT 7 */
+/* BEGIN_CASE */
+void mpi_mod_io_neg( )
+{
+ #define IO_ZERO 0
+ #define IO_ONE 1
+ #define IO_MIN1 2
+ #define IO_MAX 3
+ #define IO_2LIMBS_MIN1 4
+ #define IO_2LIMBS 5
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *R = NULL;
+ mbedtls_mpi_uint *N2 = NULL;
+ mbedtls_mpi_uint *R2 = NULL;
+ unsigned char *r_buff = NULL;
+
+ size_t n_limbs, r_limbs, n2_limbs, r2_limbs;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue r;
+ mbedtls_mpi_mod_modulus m2;
+ mbedtls_mpi_mod_residue rn = { NULL, 0 };
+
+ const char * s_data[ 6 ] = { "00", "01", "fe", "ff",
+ "7ffffffffffffffff0" ,"7ffffffffffffffff1" };
+ const size_t buff_bytes = 1024;
+
+ /* Allocate the memory for intermediate data structures */
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, s_data[ IO_MIN1 ] ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, s_data[ IO_ONE ] ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N2, &n2_limbs, s_data[ IO_2LIMBS ] ) );
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R2, &r2_limbs, s_data[ IO_2LIMBS_MIN1 ] ) );
+
+ mbedtls_mpi_mod_modulus_init( &m );
+ mbedtls_mpi_mod_modulus_init( &m2 );
+
+ /* Allocate more than required space on buffer so we can test for input_r > mpi */
+ ASSERT_ALLOC( r_buff, buff_bytes );
+ memset( r_buff, 0x1, 1 );
+
+ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
+ MBEDTLS_MPI_MOD_EXT_REP_LE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+
+ TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs ) );
+
+ /* Pass for input_r < modulo */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) );
+
+ /* input_r == modulo -1 */
+ memset( r_buff, 0xfd, buff_bytes );
+ TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) );
+
+ /* modulo->p == NULL || residue->p == NULL ( m2 has not been set-up ) */
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m2, r_buff, 1 ) );
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &rn, &m, r_buff, 1 ) );
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &r, &m2, r_buff, 1 ) );
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &rn, &m, r_buff, 1 ) );
+
+ /* Fail for r_limbs < m->limbs */
+ r.limbs = m.limbs - 1;
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) );
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &rn, &m, r_buff, 1 ) );
+ r.limbs = r_limbs;
+
+ /* Fail if input_r >= modulo m */
+ /* input_r = modulo */
+ memset( r_buff, 0xfe, buff_bytes );
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) );
+
+ /* input_r > modulo */
+ memset( r_buff, 0xff, buff_bytes );
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) );
+
+ /* Data too large to fit */
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes ) );
+
+ /* Read the two limbs input data into a larger modulus and residue */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m2, N2, n2_limbs,
+ MBEDTLS_MPI_MOD_EXT_REP_LE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+ rn.p = R2;
+ rn.limbs = r2_limbs;
+ TEST_EQUAL(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, mbedtls_mpi_mod_write( &rn, &m2, r_buff, 1 ) );
+
+exit:
+ mbedtls_mpi_mod_modulus_free( &m );
+ mbedtls_mpi_mod_modulus_free( &m2 );
+ mbedtls_free( N );
+ mbedtls_free( R );
+ mbedtls_free( N2 );
+ mbedtls_free( R2 );
+ mbedtls_free( r_buff );
+
+ #undef IO_ZERO
+ #undef IO_ONE
+ #undef IO_MIN1
+ #undef IO_MAX
+ #undef IO_2LIMBS_MIN1
+ #undef IO_2LIMBS
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mpi_mod_io( char * input_N, data_t * input_A, int iendian )
+{
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *R = NULL;
+ unsigned char *r_buff = NULL;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_residue r;
+ size_t n_limbs, n_bytes, a_bytes;
+
+ /* Read inputs */
+ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) );
+ n_bytes = n_limbs * sizeof( mbedtls_mpi_uint );
+ a_bytes = input_A->len * sizeof( char );
+
+ /* Allocate the memory for intermediate data structures */
+ ASSERT_ALLOC( R, n_bytes );
+ ASSERT_ALLOC( r_buff, a_bytes );
+
+ /* Test that input's size is not greater to modulo's */
+ TEST_LE_U(a_bytes, n_bytes );
+
+ /* Init Structures */
+ mbedtls_mpi_mod_modulus_init( &m );
+ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, iendian,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+
+ /* Enforcing p_limbs >= m->limbs */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs ) );
+
+ TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, input_A->x, input_A->len ) );
+
+ TEST_EQUAL( 0,mbedtls_mpi_mod_write( &r, &m, r_buff, a_bytes ) );
+
+ ASSERT_COMPARE( r_buff, a_bytes, input_A->x, a_bytes );
+exit:
+ mbedtls_mpi_mod_modulus_free( &m );
+ mbedtls_free( N );
+ mbedtls_free( R );
+ mbedtls_free( r_buff );
+}
+/* END_CASE */
 /* END MERGE SLOT 7 */
 /* BEGIN MERGE SLOT 8 */

From a17ad48e2d139d171dfe3bb59703b41eb869b18b Mon Sep 17 00:00:00 2001
From: Minos Galanakis
Date: Wed, 16 Nov 2022 16:29:15 +0000
Subject: [PATCH 359/413] bignum_mod: Fixed an issue with input checking in `mpi_mod_residue_setup`

This patch is inverting the input type checking logic in the method, in order to ensure that residue < modulus.

Signed-off-by: Minos Galanakis
---
 library/bignum_mod.c | 2 +-
 tests/suites/test_suite_bignum_mod.data | 4 +-
 tests/suites/test_suite_bignum_mod.function | 47 +++++++++++++++++++++
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/library/bignum_mod.c b/library/bignum_mod.c
index a4ed32b6a3..6c13b4b220 100644
--- a/library/bignum_mod.c
+++ b/library/bignum_mod.c
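Review bot: Under `/* Fail for r_limbs < m->limbs */` in mpi_mod_io_neg, the write-side assertion passes `&rn`, whose `p` is still NULL at that point, so it fails on the NULL-pointer check and the shortened `r.limbs` is never exercised for mbedtls_mpi_mod_write; it should read `TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &r, &m, r_buff, 1 ) );`. IO_ZERO and IO_MAX are defined and #undef'd but never referenced in the function. In mpi_mod_io, `input_A->len * sizeof( char )` is just `input_A->len`; the multiplication suggests a unit conversion that does not take place, so `a_bytes = input_A->len;` states the intent more plainly.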
@@ -39,7 +39,7 @@ int mbedtls_mpi_mod_residue_setup( mbedtls_mpi_mod_residue *r, mbedtls_mpi_uint *p, size_t p_limbs ) { - if( p_limbs < m->limbs || !mbedtls_mpi_core_lt_ct( m->p, p, p_limbs ) ) + if( p_limbs > m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, m->limbs ) ) return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); r->limbs = m->limbs; diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data index 6b25c49ee2..5edb283aee 100644 --- a/tests/suites/test_suite_bignum_mod.data +++ b/tests/suites/test_suite_bignum_mod.data @@ -50,6 +50,9 @@ mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0 # END MERGE SLOT 6 # BEGIN MERGE SLOT 7 +Test mbedtls_mpi_residue_setup +mpi_residue_setup: + Test mbedtls_mpi_mod_io_neg mpi_mod_io_neg: @@ -280,4 +283,3 @@ mpi_mod_io:"ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f2c78ff80aa8135a Test mbedtls_mpi_mod_io #76 N: "32292747613635961694771916499883650667878589411552643628627186850993060141490368296439843252993342320145797691611646027435006878234727648863911408777308953382400333083852585109256846643097239747078406546553406955958288616728627292699264194880486908744773379992784153004816057528456043920098334713005039494478693892693017304730883448003944721685094014669042959451482141781404822386404101555113742346277194830729517252154824958327000717338180410404929239489607893939166712107274943411892079802406181464789204374234653633818543559183821503846194953493439237710780169796543565449952151334229364816621060143650318299210551" A: "136". mpi_mod_io:"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":"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":MBEDTLS_MPI_MOD_EXT_REP_LE - diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 00e8306701..5a2d000cab 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function 
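Review bot: The new condition compares `m->limbs` limbs of `p` via `mbedtls_mpi_core_lt_ct( p, m->p, m->limbs )`, but the size check now only rejects `p_limbs > m->limbs`, so a caller that passes fewer limbs than the modulus has the constant-time comparison read past the end of `p`. The size check and the comparison length have to agree: either keep rejecting `p_limbs < m->limbs`, or compare over `p_limbs` (which has its own problem, see the note on the next patch). Patch 363 later in this series settles on `p_limbs != m->limbs`, which is the check that makes the `m->limbs`-wide comparison safe in both directions. The rest of mbedtls_mpi_mod_residue_setup lies outside the hunk.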
@@ -81,6 +81,53 @@ exit: /* BEGIN MERGE SLOT 7 */ /* BEGIN_CASE */ +void mpi_residue_setup( ) +{ + #define RS_ONE 0 + #define RS_MAX_MIN1 1 + #define RS_MAX 2 + const char * s_data[ 3 ] = { "01", "fe", "ff" }; + + mbedtls_mpi_uint *N = NULL; + mbedtls_mpi_uint *R = NULL; + mbedtls_mpi_uint *R_MAX = NULL; + size_t n_limbs, r_limbs, r_max_limbs; + mbedtls_mpi_mod_modulus m; + mbedtls_mpi_mod_residue r; + + /* Allocate the memory for intermediate data structures */ + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, s_data[ RS_MAX_MIN1 ] ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, s_data[ RS_ONE ] ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R_MAX, &r_max_limbs, s_data[ RS_MAX ] ) ); + + mbedtls_mpi_mod_modulus_init( &m ); + + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, + MBEDTLS_MPI_MOD_EXT_REP_LE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + + TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) ); + + /* Test for r-> limbs > m-> limbs */ + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs + 1 ) ); + + /* Test for r-> p > m-> p */ + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_residue_setup( &r, &m, R_MAX , r_max_limbs ) ); + + /* Test for r-> p == m-> p */ + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_residue_setup( &r, &m, N , r_max_limbs ) ); + +exit: + mbedtls_mpi_mod_modulus_free( &m ); + mbedtls_free( N ); + mbedtls_free( R ); + mbedtls_free( R_MAX ); + + #undef RS_ONE + #undef RS_MAX_MIN1 + #undef RS_MAX +} +/* END_CASE */ +/* BEGIN_CASE */ void mpi_mod_io_neg( ) { #define IO_ZERO 0 From aed832ac16a488c5e9dacfba5fa048420a2ffa6e Mon Sep 17 00:00:00 2001 
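Review bot: The `r-> limbs > m-> limbs` case passes `r_limbs + 1` for a buffer that only holds `r_limbs` limbs, so the test is memory-safe purely because `p_limbs > m->limbs` is evaluated first and short-circuits `mbedtls_mpi_core_lt_ct()`; reordering that condition would turn this test into an out-of-bounds read. Reading a genuine two-limb value for this case would make the test independent of evaluation order. The `r-> p == m-> p` case passes `N` with `r_max_limbs` instead of `n_limbs`; they happen to coincide here (all three inputs are single-limb), but `n_limbs` states the intent. A blank line between `/* END_CASE */` and the next `/* BEGIN_CASE */` would match the spacing used elsewhere in the file.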
From: Minos Galanakis Date: Thu, 24 Nov 2022 09:09:47 +0000 Subject: [PATCH 360/413] bignum_mod: Adjusted input checking for `mbedtls_mpi_mod_residue_setup()` This patch adjusts the logic of the size checking of the method, and refactors the tests. Documentation has also been updated. Signed-off-by: Minos Galanakis --- library/bignum_mod.c | 2 +- library/bignum_mod.h | 13 ++++---- tests/suites/test_suite_bignum_mod.data | 25 ++++++++++++-- tests/suites/test_suite_bignum_mod.function | 36 +++++---------------- 4 files changed, 39 insertions(+), 37 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 6c13b4b220..770e633582 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -39,7 +39,7 @@ int mbedtls_mpi_mod_residue_setup( mbedtls_mpi_mod_residue *r, mbedtls_mpi_uint *p, size_t p_limbs ) { - if( p_limbs > m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, m->limbs ) ) + if( p_limbs > m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, p_limbs ) ) return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); r->limbs = m->limbs; diff --git a/library/bignum_mod.h b/library/bignum_mod.h index 9378aabacd..4a01dfc69a 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h 
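Review bot: Comparing over `p_limbs` instead of `m->limbs` removes the over-read of `p`, but the function still sets `r->limbs = m->limbs` two lines later, so once `p_limbs < m->limbs` is accepted the residue advertises more limbs than `p` actually holds and any later operation on `r` reads or writes past the buffer. Only the low `p_limbs` limbs of `m->p` now take part in the comparison, so a value that is smaller than the modulus is rejected whenever the modulus' low limbs are small — test #5 in the accompanying data hunk (`"7ffffffffffffffffffff000000000000000000000000000":"fe":-4`) encodes exactly that spurious rejection as expected behaviour. Requiring `p_limbs == m->limbs` (or padding `p` to `m->limbs` before comparing) resolves both; patch 363 in this series takes the former route.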
@@ -75,16 +75,17 @@ typedef struct { /** Setup a residue structure. * - * \param[out] r The address of residue to setup. The size is determined by - * \p m. - * (In particular, it must have at least as many limbs as the - * modulus \p m.) + * \param[out] r The address of residue to setup. The resulting structure's + * size is determined by \p m. * \param[in] m The address of the modulus related to \p r. * \param[in] p The address of the limb array storing the value of \p r. * The memory pointed to by \p p will be used by \p r and must * not be modified in any way until after - * mbedtls_mpi_mod_residue_release() is called. - * \param p_limbs The number of limbs of \p p. + * mbedtls_mpi_mod_residue_release() is called. The data + * pointed by p should be compatible (in terms of size/endianness) + * with the representation used in \p m. + * \param p_limbs The number of limbs of \p p. It must have at most as + * many limbs as the modulus \p m.) * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data index 5edb283aee..e0aa5407f7 100644 --- a/tests/suites/test_suite_bignum_mod.data +++ b/tests/suites/test_suite_bignum_mod.data 
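Review bot: The new `\param p_limbs` text says `p` may have at most as many limbs as the modulus, but the `\return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA` line at the end of the hunk still says the error is returned when `p_limbs` is less than the modulus, so the two now contradict each other as well as the updated check in bignum_mod.c. The `\return` sentence should be rewritten to state the condition that is actually enforced, and the stray closing parenthesis in `modulus \p m.)` dropped. The doc block continues past the end of the hunk.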
@@ -50,8 +50,29 @@ mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0 # END MERGE SLOT 6 # BEGIN MERGE SLOT 7 -Test mbedtls_mpi_residue_setup -mpi_residue_setup: +Test mbedtls_mpi_residue_setup #1 m > r +mpi_residue_setup:"fe":"01":0 + +Test mbedtls_mpi_residue_setup #2 r == m - 1 +mpi_residue_setup:"ff":"fe":0 + +Test mbedtls_mpi_residue_setup #3 m->limbs > r-> limbs && m > r +mpi_residue_setup:"000000000000000000000000000000007dfe5c6beb35a2d6":"fe":0 + +Test mbedtls_mpi_residue_setup #4 m->limbs > r-> limbs && m > r +mpi_residue_setup:"7ffffffffffffffffffffffffffffffffffffffffffffff1":"fe":0 + +Test mbedtls_mpi_residue_setup #5 m->limbs > r-> limbs && m > r +mpi_residue_setup:"7ffffffffffffffffffff000000000000000000000000000":"fe":-4 + +Test mbedtls_mpi_residue_setup #6 m->limbs < r-> limbs && m > r +mpi_residue_setup:"ff":"000000000000000000000000000000000000000000000001":-4 + +Test mbedtls_mpi_residue_setup #7 r == m +mpi_residue_setup:"fe":"fe":-4 + +Test mbedtls_mpi_residue_setup #8 r > m +mpi_residue_setup:"fe":"ff":-4 Test mbedtls_mpi_mod_io_neg mpi_mod_io_neg: diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 5a2d000cab..e4d7b41bc8 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function 
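Review bot: Cases #5 to #8 encode the expected failure as the bare literal `-4` while the suite otherwise uses the symbolic error names (patch 362's data hunk switches case #3 to `MBEDTLS_ERR_MPI_BAD_INPUT_DATA`). Spelling the constant out, e.g. `mpi_residue_setup:"fe":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA`, keeps the data valid if the error value is ever renumbered and makes the intent readable; the same applies to the `-4` lines that survive in the patch 362 and 363 data hunks.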
@@ -81,52 +81,32 @@ exit: /* BEGIN MERGE SLOT 7 */ /* BEGIN_CASE */ -void mpi_residue_setup( ) +void mpi_residue_setup( char * input_X, char * input_Y, int ret ) { - #define RS_ONE 0 - #define RS_MAX_MIN1 1 - #define RS_MAX 2 - const char * s_data[ 3 ] = { "01", "fe", "ff" }; - mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; - mbedtls_mpi_uint *R_MAX = NULL; - size_t n_limbs, r_limbs, r_max_limbs; + size_t n_limbs, r_limbs; mbedtls_mpi_mod_modulus m; mbedtls_mpi_mod_residue r; - /* Allocate the memory for intermediate data structures */ - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, s_data[ RS_MAX_MIN1 ] ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, s_data[ RS_ONE ] ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R_MAX, &r_max_limbs, s_data[ RS_MAX ] ) ); - mbedtls_mpi_mod_modulus_init( &m ); + /* Allocate the memory for intermediate data structures */ + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_X ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, input_Y ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_EXT_REP_LE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); - TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) ); - - /* Test for r-> limbs > m-> limbs */ - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs + 1 ) ); - - /* Test for r-> p > m-> p */ - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_residue_setup( &r, &m, R_MAX , r_max_limbs ) ); - - /* Test for r-> p == m-> p */ - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_residue_setup( &r, &m, N , r_max_limbs ) ); + TEST_EQUAL( ret, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) ); exit: mbedtls_mpi_mod_modulus_free( &m ); mbedtls_free( N ); mbedtls_free( R ); - mbedtls_free( R_MAX ); - - #undef RS_ONE - #undef RS_MAX_MIN1 - #undef RS_MAX } /* END_CASE */ + /* BEGIN_CASE */ void mpi_mod_io_neg( ) { 
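Review bot: `input_X` and `input_Y` do not say which argument is the modulus and which the residue; the body reads them into `N` and `R`, so `void mpi_residue_setup( char * input_N, char * input_R, int ret )` (matching `input_N` in mpi_mod_io) would make the data-file entries self-describing. A one-line comment above the final `TEST_EQUAL` noting that `ret` is the expected result of mbedtls_mpi_mod_residue_setup for this modulus/residue pair would also help a reader of the data file.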
From 8b375451c55600f32319771b3e36a3dce47b7881 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 24 Nov 2022 11:04:11 +0000 Subject: [PATCH 361/413] bignum_mod: Refactored `mbedtls_mpi_mod_read/write()` This patch adjusts the I/O methods and the tests. Documentation has also been updated to be more clear. Signed-off-by: Minos Galanakis --- library/bignum_mod.c | 14 ++++++---- library/bignum_mod.h | 19 +++++++------ tests/suites/test_suite_bignum_mod.function | 31 +++++++-------------- 3 files changed, 29 insertions(+), 35 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 770e633582..c10fb2ed33 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -210,8 +210,8 @@ exit: /* BEGIN MERGE SLOT 7 */ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, - mbedtls_mpi_mod_modulus *m, - unsigned char *buf, + const mbedtls_mpi_mod_modulus *m, + const unsigned char *buf, size_t buflen ) { int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -219,7 +219,7 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, if ( r == NULL || m == NULL ) goto cleanup; - if ( r->p == NULL || m->p == NULL || r->limbs > m->limbs ||\ + if ( r->p == NULL || m->p == NULL || r->limbs > m->limbs || r->limbs == 0 || m->limbs == 0 ) goto cleanup; @@ -228,6 +228,8 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, if( ret != 0 ) goto cleanup; + r->limbs = m->limbs; + if (m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) ret = mbedtls_mpi_mod_raw_to_mont_rep(r->p, m); @@ -235,8 +237,8 @@ cleanup: return ( ret ); } -int mbedtls_mpi_mod_write( mbedtls_mpi_mod_residue *r, - mbedtls_mpi_mod_modulus *m, +int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, + const mbedtls_mpi_mod_modulus *m, unsigned char *buf, size_t buflen ) { 
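Review bot: The guard in mbedtls_mpi_mod_read still only rejects `r->limbs > m->limbs`, yet the call below it, `mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen )`, fills `m->limbs` limbs of `r->p` (the raw layer passes `m->limbs` to `mbedtls_mpi_core_read_le`, visible in patch 364's hunk), and the newly added `r->limbs = m->limbs;` then ratifies that size — a residue set up with fewer limbs than the modulus is overflowed and relabelled. The header text in this same patch says `r` "must have as many limbs as the modulus", so the check should enforce it: `if ( r->p == NULL || m->p == NULL || r->limbs != m->limbs ||`. The same `>`-only guard appears in the mbedtls_mpi_mod_write hunk that follows, where the raw write reads `m->limbs` limbs of `r->p`. Note that the "Fail for r_limbs < m->limbs" case in test_suite_bignum_mod.function sets `r.limbs = m.limbs - 1` on a single-limb modulus, i.e. 0, so it passes through the `r->limbs == 0` branch rather than exercising this comparison.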
@@ -245,7 +247,7 @@ int mbedtls_mpi_mod_write( mbedtls_mpi_mod_residue *r, if ( r == NULL || m == NULL ) goto cleanup; - if ( r->p == NULL || m->p == NULL || r->limbs > m->limbs ||\ + if ( r->p == NULL || m->p == NULL || r->limbs > m->limbs || r->limbs == 0 || m->limbs == 0 ) goto cleanup; diff --git a/library/bignum_mod.h b/library/bignum_mod.h index 4a01dfc69a..f0ce3c4443 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h @@ -177,8 +177,9 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ); /** Read public representation data stored in a buffer into a residue structure. * * The `mbedtls_mpi_mod_residue` and `mbedtls_mpi_mod_modulus` structures must - * be compatible. The data will be automatically converted into the appropriate - * representation based on the value of `m->int_rep field`. + * be compatible (Data in public representation is assumed to be in the m->ext_rep + * and will be padded to m->limbs). The data will be automatically converted + * into the appropriate internal representation based on the value of `m->int_rep`. * * \param r The address of the residue related to \p m. It must have as * many limbs as the modulus \p m. 
@@ -193,15 +194,17 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ); * of \p m is invalid or \p X is not less than \p m. */ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, - mbedtls_mpi_mod_modulus *m, - unsigned char *buf, + const mbedtls_mpi_mod_modulus *m, + const unsigned char *buf, size_t buflen ); /** Write residue data onto a buffer using public representation data. * * The `mbedtls_mpi_mod_residue` and `mbedtls_mpi_mod_modulus` structures must - * be compatible. The data will be automatically converted into the appropriate - * representation based on the value of `m->int_rep field`. + * be compatible (Data will be exported onto the bufer using the m->ext_rep + * and will be read as of m->limbs length).The data will be automatically + * converted from the appropriate internal representation based on the + * value of `m->int_rep field`. * * \param r The address of the residue related to \p m. It must have as * many limbs as the modulus \p m. @@ -215,8 +218,8 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation * of \p m is invalid. */ -int mbedtls_mpi_mod_write( mbedtls_mpi_mod_residue *r, - mbedtls_mpi_mod_modulus *m, +int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, + const mbedtls_mpi_mod_modulus *m, unsigned char *buf, size_t buflen ); /* END MERGE SLOT 7 */ diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index e4d7b41bc8..715a839988 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -110,13 +110,6 @@ exit: /* BEGIN_CASE */ void mpi_mod_io_neg( ) { - #define IO_ZERO 0 - #define IO_ONE 1 - #define IO_MIN1 2 - #define IO_MAX 3 - #define IO_2LIMBS_MIN1 4 - #define IO_2LIMBS 5 - mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; mbedtls_mpi_uint *N2 = NULL; 
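Review bot: The new sentence in the mbedtls_mpi_mod_write description has a typo, `bufer`, and "will be read as of m->limbs length" is hard to parse; `(Data will be exported to the buffer in the m->ext_rep endianness and m->limbs limbs of \p r will be written)` says the same thing plainly. The `\return` text kept as context above this hunk refers to `\p X` ("or \p X is not less than \p m"), a parameter neither function has — the residue parameter is `r`. Both doc blocks extend outside the hunks.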
@@ -130,15 +123,18 @@ void mpi_mod_io_neg( ) mbedtls_mpi_mod_modulus m2; mbedtls_mpi_mod_residue rn = { NULL, 0 }; - const char * s_data[ 6 ] = { "00", "01", "fe", "ff", - "7ffffffffffffffff0" ,"7ffffffffffffffff1" }; + const char *hex_residue_single = "01"; + const char *hex_modulus_single = "fe"; + const char *hex_residue_multi = "7ffffffffffffffffffffffffffffff0"; + const char *hex_modulus_multi = "7ffffffffffffffffffffffffffffff1"; + const size_t buff_bytes = 1024; /* Allocate the memory for intermediate data structures */ - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, s_data[ IO_MIN1 ] ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, s_data[ IO_ONE ] ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N2, &n2_limbs, s_data[ IO_2LIMBS ] ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R2, &r2_limbs, s_data[ IO_2LIMBS_MIN1 ] ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, hex_modulus_single ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, hex_residue_single ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N2, &n2_limbs, hex_modulus_multi ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R2, &r2_limbs, hex_residue_multi ) ); mbedtls_mpi_mod_modulus_init( &m ); mbedtls_mpi_mod_modulus_init( &m2 ); @@ -155,7 +151,7 @@ void mpi_mod_io_neg( ) /* Pass for input_r < modulo */ TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) ); - /* input_r == modulo -1 */ + /* Pass for input_r == modulo -1 */ memset( r_buff, 0xfd, buff_bytes ); TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) ); @@ -198,13 +194,6 @@ exit: mbedtls_free( N2 ); mbedtls_free( R2 ); mbedtls_free( r_buff ); - - #undef IO_ZERO - #undef IO_ONE - #undef IO_MIN1 - #undef IO_MAX - #undef IO_2LIMBS_MIN1 - #undef IO_2LIMBS } /* END_CASE */ From b62bad442e6afc863829d130f3cb5e5b5bacdf61 Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Thu, 24 Nov 2022 16:48:41 +0000 Subject: [PATCH 362/413] Bidnum Mod: fix check in setup We want to make sure that the value has at least as many limbs allocated as the modulus as we need this to be able to do any operations in constant time. An invariant of the API is that the residue values are canonical, make sure that the residue is compared to the entire modulus. Signed-off-by: Janos Follath --- library/bignum_mod.c | 2 +- tests/suites/test_suite_bignum_mod.data | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index c10fb2ed33..1b3aff6a3a 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -39,7 +39,7 @@ int mbedtls_mpi_mod_residue_setup( mbedtls_mpi_mod_residue *r, mbedtls_mpi_uint *p, size_t p_limbs ) { - if( p_limbs > m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, p_limbs ) ) + if( p_limbs < m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, m->limbs ) ) return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); r->limbs = m->limbs; diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data index e0aa5407f7..02bc9f7931 100644 --- a/tests/suites/test_suite_bignum_mod.data +++ b/tests/suites/test_suite_bignum_mod.data 
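Review bot: With `p_limbs < m->limbs` rejected again the `m->limbs`-wide comparison no longer over-reads `p`, but the other direction is now open: when `p_limbs > m->limbs`, the limbs of `p` above `m->limbs` are never examined by `mbedtls_mpi_core_lt_ct( p, m->p, m->limbs )`, so a value with a non-zero high limb (which is not less than the modulus) is accepted, and `r->limbs = m->limbs` then truncates it silently. Test #6 in the data hunk (`"ff":"000…001":0`) only covers the zero-high-limb case. Either reject `p_limbs != m->limbs`, or additionally require the limbs above `m->limbs` to be zero; patch 363 in this series takes the first option.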
@@ -57,16 +57,16 @@ Test mbedtls_mpi_residue_setup #2 r == m - 1 mpi_residue_setup:"ff":"fe":0 Test mbedtls_mpi_residue_setup #3 m->limbs > r-> limbs && m > r -mpi_residue_setup:"000000000000000000000000000000007dfe5c6beb35a2d6":"fe":0 +mpi_residue_setup:"000000000000000000000000000000007dfe5c6beb35a2d6":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA -Test mbedtls_mpi_residue_setup #4 m->limbs > r-> limbs && m > r -mpi_residue_setup:"7ffffffffffffffffffffffffffffffffffffffffffffff1":"fe":0 +Test mbedtls_mpi_residue_setup #4 m->limbs = r-> limbs && m > r +mpi_residue_setup:"7ffffffffffffffffffffffffffffffffffffffffffffff1":"0000000000000000000000000000000000000000000000fe":0 -Test mbedtls_mpi_residue_setup #5 m->limbs > r-> limbs && m > r -mpi_residue_setup:"7ffffffffffffffffffff000000000000000000000000000":"fe":-4 +Test mbedtls_mpi_residue_setup #5 m->limbs < r-> limbs && m > r +mpi_residue_setup:"7ffffffff0000000":"000000000000000fe":0 Test mbedtls_mpi_residue_setup #6 m->limbs < r-> limbs && m > r -mpi_residue_setup:"ff":"000000000000000000000000000000000000000000000001":-4 +mpi_residue_setup:"ff":"000000000000000000000000000000000000000000000001":0 Test mbedtls_mpi_residue_setup #7 r == m mpi_residue_setup:"fe":"fe":-4 From 50cd4b842b02c1a6d3052121f64e7b6b7dce6fd4 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 24 Nov 2022 17:08:13 +0000 Subject: [PATCH 363/413] Bignum Mod: Restrict residue setup In theory we could allow residues to have more allocated limbs than the modulus, but we might or might not need it in the end. Go for the simpler option for now and we can extend it later if we really need it. Signed-off-by: Janos Follath --- library/bignum_mod.c | 2 +- tests/suites/test_suite_bignum_mod.data | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 1b3aff6a3a..4303efefa6 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c 
@@ -39,7 +39,7 @@ int mbedtls_mpi_mod_residue_setup( mbedtls_mpi_mod_residue *r, mbedtls_mpi_uint *p, size_t p_limbs ) { - if( p_limbs < m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, m->limbs ) ) + if( p_limbs != m->limbs || !mbedtls_mpi_core_lt_ct( p, m->p, m->limbs ) ) return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); r->limbs = m->limbs; diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data index 02bc9f7931..ba7d5779ff 100644 --- a/tests/suites/test_suite_bignum_mod.data +++ b/tests/suites/test_suite_bignum_mod.data @@ -56,17 +56,17 @@ mpi_residue_setup:"fe":"01":0 Test mbedtls_mpi_residue_setup #2 r == m - 1 mpi_residue_setup:"ff":"fe":0 -Test mbedtls_mpi_residue_setup #3 m->limbs > r-> limbs && m > r -mpi_residue_setup:"000000000000000000000000000000007dfe5c6beb35a2d6":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Test mbedtls_mpi_residue_setup #3 m->limbs = r-> limbs && m > r +mpi_residue_setup:"7dfe5c6":"fe":0 Test mbedtls_mpi_residue_setup #4 m->limbs = r-> limbs && m > r mpi_residue_setup:"7ffffffffffffffffffffffffffffffffffffffffffffff1":"0000000000000000000000000000000000000000000000fe":0 -Test mbedtls_mpi_residue_setup #5 m->limbs < r-> limbs && m > r -mpi_residue_setup:"7ffffffff0000000":"000000000000000fe":0 +Test mbedtls_mpi_residue_setup #5 m->limbs > r-> limbs && m > r +mpi_residue_setup:"7ffffffff00000000":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_residue_setup #6 m->limbs < r-> limbs && m > r -mpi_residue_setup:"ff":"000000000000000000000000000000000000000000000001":0 +mpi_residue_setup:"ff":"000000000000000000000000000000000000000000000001":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_residue_setup #7 r == m mpi_residue_setup:"fe":"fe":-4 From d3eed3370902b84213118f533f512464da01d691 Mon Sep 17 00:00:00 2001 
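Review bot: `p_limbs != m->limbs` is the check that makes the `m->limbs`-wide comparison sound in both directions, but the doc comment in library/bignum_mod.h — updated in patch 360 to say `p` may have "at most as many limbs as the modulus", with a `\return` line that still says "less than" — is not touched by this patch (the diffstat lists only bignum_mod.c and the data file), so the header now documents a contract the code no longer implements. Suggested `\param p_limbs` text: `The number of limbs of \p p. It must be the same as the number of limbs of the modulus \p m.`, with the `\return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA` sentence changed to match.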
From: Janos Follath Date: Thu, 24 Nov 2022 17:42:02 +0000 Subject: [PATCH 364/413] Bignum Mod Raw: pass endianness as a parameter The external representation before included more than just endianness (like reading in Mongtomery curve scalars or converting hashes to numbers in a standard compliant way). These are higher level concepts and are out of scope for Bignum and for the modulus structure. Passing endianness as a parameter is a step towards removing it from the modulus structure. Signed-off-by: Janos Follath --- library/bignum_mod_raw.c | 10 ++++++---- library/bignum_mod_raw.h | 8 ++++++-- tests/suites/test_suite_bignum_mod_raw.function | 8 ++++---- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 2f49ea2d9e..22e56b7e63 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c @@ -52,11 +52,12 @@ void mbedtls_mpi_mod_raw_cond_swap( mbedtls_mpi_uint *X, int mbedtls_mpi_mod_raw_read( mbedtls_mpi_uint *X, const mbedtls_mpi_mod_modulus *m, const unsigned char *input, - size_t input_length ) + size_t input_length, + mbedtls_mpi_mod_ext_rep ext_rep ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - switch( m->ext_rep ) + switch( ext_rep ) { case MBEDTLS_MPI_MOD_EXT_REP_LE: ret = mbedtls_mpi_core_read_le( X, m->limbs, @@ -87,9 +88,10 @@ cleanup: int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, const mbedtls_mpi_mod_modulus *m, unsigned char *output, - size_t output_length ) + size_t output_length, + mbedtls_mpi_mod_ext_rep ext_rep ) { - switch( m->ext_rep ) + switch( ext_rep ) { case MBEDTLS_MPI_MOD_EXT_REP_LE: return( mbedtls_mpi_core_write_le( A, m->limbs, diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h index f6c6ebd8f2..d7b6dd115e 100644 --- a/library/bignum_mod_raw.h +++ b/library/bignum_mod_raw.h 
@@ -106,6 +106,7 @@ void mbedtls_mpi_mod_raw_cond_swap( mbedtls_mpi_uint *X, * \param[in] m The address of the modulus related to \p X. * \param[in] input The input buffer to import from. * \param input_length The length in bytes of \p input. + * \param ext_rep The endianness of the number in the input buffer. * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't @@ -116,7 +117,8 @@ void mbedtls_mpi_mod_raw_cond_swap( mbedtls_mpi_uint *X, int mbedtls_mpi_mod_raw_read( mbedtls_mpi_uint *X, const mbedtls_mpi_mod_modulus *m, const unsigned char *input, - size_t input_length ); + size_t input_length, + mbedtls_mpi_mod_ext_rep ext_rep ); /** Export A into unsigned binary data. * @@ -126,6 +128,7 @@ int mbedtls_mpi_mod_raw_read( mbedtls_mpi_uint *X, * \param[in] m The address of the modulus related to \p A. * \param[out] output The output buffer to export to. * \param output_length The length in bytes of \p output. + * \param ext_rep The endianness in which the number should be written into the output buffer. * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't @@ -136,7 +139,8 @@ int mbedtls_mpi_mod_raw_read( mbedtls_mpi_uint *X, int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A, const mbedtls_mpi_mod_modulus *m, unsigned char *output, - size_t output_length ); + size_t output_length, + mbedtls_mpi_mod_ext_rep ext_rep ); /* BEGIN MERGE SLOT 1 */ diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 00ed005f50..031897889c 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
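Review bot: The new `\param ext_rep` lines describe the parameter, but neither function's `\return` list says what happens when `ext_rep` is not one of the known values; the `mpi_mod_raw_io` test in the hunk that follows expects a non-zero return for `MBEDTLS_MPI_MOD_EXT_REP_INVALID`, so that error is part of the contract and deserves a line such as `\return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep is invalid.` — the `default:` branch of the switch is not in the .c hunks, so the exact constant needs checking against bignum_mod_raw.c. The `\param ext_rep` line in the write block also runs past the 80-column width the rest of the comment keeps to.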
@@ -54,17 +54,17 @@ void mpi_mod_raw_io( data_t *input, int nb_int, int nx_32_int, TEST_EQUAL( ret, 0 ); if( iendian == MBEDTLS_MPI_MOD_EXT_REP_INVALID && iret != 0 ) - m.ext_rep = MBEDTLS_MPI_MOD_EXT_REP_INVALID; + endian = MBEDTLS_MPI_MOD_EXT_REP_INVALID; - ret = mbedtls_mpi_mod_raw_read( X, &m, input->x, input->len ); + ret = mbedtls_mpi_mod_raw_read( X, &m, input->x, input->len, endian ); TEST_EQUAL( ret, iret ); if( iret == 0 ) { if( iendian == MBEDTLS_MPI_MOD_EXT_REP_INVALID && oret != 0 ) - m.ext_rep = MBEDTLS_MPI_MOD_EXT_REP_INVALID; + endian = MBEDTLS_MPI_MOD_EXT_REP_INVALID; - ret = mbedtls_mpi_mod_raw_write( X, &m, buf, nb ); + ret = mbedtls_mpi_mod_raw_write( X, &m, buf, nb, endian ); TEST_EQUAL( ret, oret ); } From 3e3fc91c33d985f806ea336accec1fe3e1ec1b44 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 24 Nov 2022 18:02:46 +0000 Subject: [PATCH 365/413] Bignum Mod: pass endianness as a parameter The external representation before included more than just endianness (like reading in Mongtomery curve scalars or converting hashes to numbers in a standard compliant way). These are higher level concepts and are out of scope for Bignum and for the modulus structure. Passing endianness as a parameter is a step towards removing it from the modulus structure. Signed-off-by: Janos Follath --- library/bignum_mod.c | 10 ++-- library/bignum_mod.h | 28 ++++++----- tests/suites/test_suite_bignum_mod.function | 51 +++++++++++++-------- 3 files changed, 54 insertions(+), 35 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 4303efefa6..fa4831c7ac 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -212,7 +212,8 @@ exit: int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, const mbedtls_mpi_mod_modulus *m, const unsigned char *buf, - size_t buflen ) + size_t buflen, + mbedtls_mpi_mod_ext_rep ext_rep ) { int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 
@@ -223,7 +224,7 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, r->limbs == 0 || m->limbs == 0 ) goto cleanup; - ret = mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen ); + ret = mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen, ext_rep ); if( ret != 0 ) goto cleanup; @@ -240,7 +241,8 @@ cleanup: int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, const mbedtls_mpi_mod_modulus *m, unsigned char *buf, - size_t buflen ) + size_t buflen, + mbedtls_mpi_mod_ext_rep ext_rep ) { int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; @@ -254,7 +256,7 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m ); - ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen ); + ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen, ext_rep ); cleanup: return ( ret ); diff --git a/library/bignum_mod.h b/library/bignum_mod.h index f0ce3c4443..e6da15fbcc 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h @@ -181,11 +181,12 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ); * and will be padded to m->limbs). The data will be automatically converted * into the appropriate internal representation based on the value of `m->int_rep`. * - * \param r The address of the residue related to \p m. It must have as - * many limbs as the modulus \p m. - * \param m The address of the modulus. - * \param buf The input buffer to import from. - * \param buflen The length in bytes of \p buf. + * \param r The address of the residue related to \p m. It must have as + * many limbs as the modulus \p m. + * \param m The address of the modulus. + * \param buf The input buffer to import from. + * \param buflen The length in bytes of \p buf. + * \param ext_rep The endianness of the number in the input buffer. * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't 
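Review bot: In the mbedtls_mpi_mod_write hunk the rewritten line `ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen, ext_rep );` overwrites `ret` immediately after `ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m );`, so a failure of the Montgomery conversion is lost and the export proceeds on whatever is in `r->p`; a guard `if( ret != 0 ) goto cleanup;` between the two lines would close that gap. The conversion call also appears to work in place on `r->p` (it receives only `r->p` and `m`) even though `r` is `const mbedtls_mpi_mod_residue *` and `m->int_rep` still says Montgomery, which would leave the residue in a representation the modulus no longer describes after one write — worth confirming against bignum_mod_raw.c and, if so, converting into a temporary instead. Both observations concern lines the hunk keeps as context, but the new call is what consumes their result.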
@@ -196,7 +197,8 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ); int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, const mbedtls_mpi_mod_modulus *m, const unsigned char *buf, - size_t buflen ); + size_t buflen, + mbedtls_mpi_mod_ext_rep ext_rep ); /** Write residue data onto a buffer using public representation data. * @@ -206,11 +208,12 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, * converted from the appropriate internal representation based on the * value of `m->int_rep field`. * - * \param r The address of the residue related to \p m. It must have as - * many limbs as the modulus \p m. - * \param m The address of the modulus. - * \param buf The output buffer to export to. - * \param buflen The length in bytes of \p buf. + * \param r The address of the residue related to \p m. It must have as + * many limbs as the modulus \p m. + * \param m The address of the modulus. + * \param buf The output buffer to export to. + * \param buflen The length in bytes of \p buf. + * \param ext_rep The endianness in which the number should be written into the output buffer. * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't @@ -221,7 +224,8 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, const mbedtls_mpi_mod_modulus *m, unsigned char *buf, - size_t buflen ); + size_t buflen, + mbedtls_mpi_mod_ext_rep ext_rep ); /* END MERGE SLOT 7 */ /* BEGIN MERGE SLOT 8 */ diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 715a839988..5a75ebc3a6 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function 
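Review bot: The `\param ext_rep` lines are added, but the description paragraphs above each function still say the data is assumed to be in, or exported using, `m->ext_rep` (the sentences are visible in full in patch 361's header hunk; here only `and will be padded to m->limbs)` and `converted from the appropriate internal representation` survive as context), which is precisely what this patch stops doing. Those sentences should now refer to the `ext_rep` argument, e.g. `Data in public representation is read in the endianness given by \p ext_rep and padded to m->limbs.` The `\return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't` context line in the read block refers to a parameter named `X` that mbedtls_mpi_mod_read does not have; `\p r` is meant. The write block's `\param ext_rep` line also exceeds 80 columns.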
@@ -143,48 +143,59 @@ void mpi_mod_io_neg( ) ASSERT_ALLOC( r_buff, buff_bytes ); memset( r_buff, 0x1, 1 ); + mbedtls_mpi_mod_ext_rep endian = MBEDTLS_MPI_MOD_EXT_REP_LE; TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, - MBEDTLS_MPI_MOD_EXT_REP_LE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + endian, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs ) ); /* Pass for input_r < modulo */ - TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); /* Pass for input_r == modulo -1 */ memset( r_buff, 0xfd, buff_bytes ); - TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); /* modulo->p == NULL || residue->p == NULL ( m2 has not been set-up ) */ - TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m2, r_buff, 1 ) ); - TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &rn, &m, r_buff, 1 ) ); - TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &r, &m2, r_buff, 1 ) ); - TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &rn, &m, r_buff, 1 ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_read( &r, &m2, r_buff, 1, endian ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_read( &rn, &m, r_buff, 1, endian ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_write( &r, &m2, r_buff, 1, endian ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_write( &rn, &m, r_buff, 1, endian ) ); /* Fail for r_limbs < m->limbs */ r.limbs = m.limbs - 1; - TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) ); - TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &rn, &m, r_buff, 1 ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); + TEST_EQUAL( 
MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_write( &rn, &m, r_buff, 1, endian ) ); r.limbs = r_limbs; /* Fail if input_r >= modulo m */ /* input_r = modulo */ memset( r_buff, 0xfe, buff_bytes ); - TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); /* input_r > modulo */ memset( r_buff, 0xff, buff_bytes ); - TEST_EQUAL(MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, r_buff, 1 ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); /* Data too large to fit */ - TEST_EQUAL(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, + mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes, endian ) ); /* Read the two limbs input data into a larger modulus and residue */ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m2, N2, n2_limbs, - MBEDTLS_MPI_MOD_EXT_REP_LE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + endian, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); rn.p = R2; rn.limbs = r2_limbs; - TEST_EQUAL(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, mbedtls_mpi_mod_write( &rn, &m2, r_buff, 1 ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, + mbedtls_mpi_mod_write( &rn, &m2, r_buff, 1, endian ) ); exit: mbedtls_mpi_mod_modulus_free( &m ); @@ -198,7 +209,7 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mpi_mod_io( char * input_N, data_t * input_A, int iendian ) +void mpi_mod_io( char * input_N, data_t * input_A, int endian ) { mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; 
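Review bot: The refactored mpi_mod_io_neg in `@@ -143,48 +143,59 @@` threads `endian` through every call but never exercises the new parameter with an invalid value, so the error path for a bad `ext_rep` is left untested. If mbedtls_mpi_mod_raw_read()/mbedtls_mpi_mod_raw_write() reject unknown values (their bodies are not in this patch), one more case such as `TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, r_buff, 1, MBEDTLS_MPI_MOD_EXT_REP_INVALID ) );` would pin it. The function's declarations precede the hunk.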
@@ -221,15 +232,17 @@ void mpi_mod_io( char * input_N, data_t * input_A, int iendian ) /* Init Structures */ mbedtls_mpi_mod_modulus_init( &m ); - TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, iendian, + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, endian, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); /* Enforcing p_limbs >= m->limbs */ - TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R, n_limbs ) ); - TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, input_A->x, input_A->len ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, input_A->x, input_A->len, + endian ) ); - TEST_EQUAL( 0,mbedtls_mpi_mod_write( &r, &m, r_buff, a_bytes ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_write( &r, &m, r_buff, a_bytes, + endian ) ); ASSERT_COMPARE( r_buff, a_bytes, input_A->x, a_bytes ); exit: From 91295d2b8f3a6163b6cf29897548a1779f00b9fb Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 24 Nov 2022 18:20:26 +0000 Subject: [PATCH 366/413] Bignum Mod: remove endianness from modulus Previously, the external representation covered more than just endianness (such as reading in Montgomery curve scalars or converting hashes to numbers in a standards-compliant way). These are higher level concepts and are out of scope for Bignum and for the modulus structure. Signed-off-by: Janos Follath --- library/bignum_mod.c | 14 --------- library/bignum_mod.h | 4 --- tests/suites/test_suite_bignum_mod.data | 30 ++++--------------- tests/suites/test_suite_bignum_mod.function | 12 ++++---- .../suites/test_suite_bignum_mod_raw.function | 8 ++--- 5 files changed, 15 insertions(+), 53 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index fa4831c7ac..3cb3c436d9 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c 
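Review bot: mpi_mod_io in `@@ -221,15 +232,17 @@` now passes the same `endian` to both mbedtls_mpi_mod_read and mbedtls_mpi_mod_write and only compares the written bytes with the input, so a byte-order mistake that is symmetric in the two raw routines would round-trip cleanly and go unnoticed. Checking the intermediate value as well, for instance comparing `r.p` against expected limbs obtained with mbedtls_test_read_mpi_core() from a per-case hex string (allowing for the Montgomery conversion selected by `m->int_rep`), would make the endianness argument actually observable. The function begins outside the hunk.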
@@ -65,7 +65,6 @@ void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m ) m->p = NULL; m->limbs = 0; m->bits = 0; - m->ext_rep = MBEDTLS_MPI_MOD_EXT_REP_INVALID; m->int_rep = MBEDTLS_MPI_MOD_REP_INVALID; } @@ -96,7 +95,6 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ) m->p = NULL; m->limbs = 0; m->bits = 0; - m->ext_rep = MBEDTLS_MPI_MOD_EXT_REP_INVALID; m->int_rep = MBEDTLS_MPI_MOD_REP_INVALID; } @@ -138,7 +136,6 @@ cleanup: int mbedtls_mpi_mod_modulus_setup( mbedtls_mpi_mod_modulus *m, const mbedtls_mpi_uint *p, size_t p_limbs, - mbedtls_mpi_mod_ext_rep ext_rep, mbedtls_mpi_mod_rep_selector int_rep ) { int ret = 0; @@ -147,17 +144,6 @@ int mbedtls_mpi_mod_modulus_setup( mbedtls_mpi_mod_modulus *m, m->limbs = p_limbs; m->bits = mbedtls_mpi_core_bitlen( p, p_limbs ); - switch( ext_rep ) - { - case MBEDTLS_MPI_MOD_EXT_REP_LE: - case MBEDTLS_MPI_MOD_EXT_REP_BE: - m->ext_rep = ext_rep; - break; - default: - ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; - goto exit; - } - switch( int_rep ) { case MBEDTLS_MPI_MOD_REP_MONTGOMERY: diff --git a/library/bignum_mod.h b/library/bignum_mod.h index e6da15fbcc..5f948a499a 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h @@ -64,7 +64,6 @@ typedef struct { const mbedtls_mpi_uint *p; size_t limbs; // number of limbs size_t bits; // bitlen of p - mbedtls_mpi_mod_ext_rep ext_rep; // signals external representation (eg. byte order) mbedtls_mpi_mod_rep_selector int_rep; // selector to signal the active member of the union union rep { @@ -122,8 +121,6 @@ void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m ); * not be modified in any way until after * mbedtls_mpi_mod_modulus_free() is called. * \param p_limbs The number of limbs of \p p. - * \param ext_rep The external representation to be used for residues - * associated with \p m (see #mbedtls_mpi_mod_ext_rep). * \param int_rep The internal representation to be used for residues * associated with \p m (see #mbedtls_mpi_mod_rep_selector). * 
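Review bot: Hunk `@@ -122,8 +121,6 @@` of bignum_mod.h drops the `\param ext_rep` entry but, judging by the PATCH 369 hunk later on this page that removes it, leaves the function's `\return` text still reading `if \p ext_rep or \p int_rep is invalid`; trimming it to `\return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p int_rep is invalid.` belongs in this same commit so the header never documents a parameter that no longer exists. The `switch( ext_rep )` removed from mbedtls_mpi_mod_modulus_setup in `@@ -147,17 +144,6 @@` was the only place on the modulus path that rejected MBEDTLS_MPI_MOD_EXT_REP_INVALID, so the read/write functions are presumably now the sole enforcement point; a test for that would be reassuring.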
@@ -134,7 +131,6 @@ void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m ); int mbedtls_mpi_mod_modulus_setup( mbedtls_mpi_mod_modulus *m, const mbedtls_mpi_uint *p, size_t p_limbs, - mbedtls_mpi_mod_ext_rep ext_rep, mbedtls_mpi_mod_rep_selector int_rep ); /** Free elements of a modulus structure. diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data index ba7d5779ff..ef9416e169 100644 --- a/tests/suites/test_suite_bignum_mod.data +++ b/tests/suites/test_suite_bignum_mod.data 
@@ -1,29 +1,11 @@ -Test mbedtls_mpi_mod_setup #1 (Both representations invalid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_INVALID:MBEDTLS_MPI_MOD_REP_INVALID:MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Test mbedtls_mpi_mod_setup #1 (Internal representation invalid) +mpi_mod_setup:MBEDTLS_MPI_MOD_REP_INVALID:MBEDTLS_ERR_MPI_BAD_INPUT_DATA -Test mbedtls_mpi_mod_setup #2 (Internal representation invalid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_INVALID:MBEDTLS_ERR_MPI_BAD_INPUT_DATA +Test mbedtls_mpi_mod_setup #6 (Optimised reduction) +mpi_mod_setup:MBEDTLS_MPI_MOD_REP_OPT_RED:0 -Test mbedtls_mpi_mod_setup #3 (Internal representation invalid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_BE:MBEDTLS_MPI_MOD_REP_INVALID:MBEDTLS_ERR_MPI_BAD_INPUT_DATA - -Test mbedtls_mpi_mod_setup #4 (External representation invalid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_INVALID:MBEDTLS_MPI_MOD_REP_MONTGOMERY:MBEDTLS_ERR_MPI_BAD_INPUT_DATA - -Test mbedtls_mpi_mod_setup #5 (External representation invalid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_INVALID:MBEDTLS_MPI_MOD_REP_OPT_RED:MBEDTLS_ERR_MPI_BAD_INPUT_DATA - -Test mbedtls_mpi_mod_setup #6 (Both representations valid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_BE:MBEDTLS_MPI_MOD_REP_OPT_RED:0 - -Test mbedtls_mpi_mod_setup #7 (Both representations valid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_BE:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0 - -Test mbedtls_mpi_mod_setup #8 (Both representations valid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_OPT_RED:0 - -Test mbedtls_mpi_mod_setup #9 (Both representations valid) -mpi_mod_setup:MBEDTLS_MPI_MOD_EXT_REP_LE:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0 +Test mbedtls_mpi_mod_setup #7 (Montgomery representation) +mpi_mod_setup:MBEDTLS_MPI_MOD_REP_MONTGOMERY:0 # BEGIN MERGE SLOT 1 diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 5a75ebc3a6..bb87ba9d9d 100644 --- a/tests/suites/test_suite_bignum_mod.function 
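Review bot: The surviving cases in `@@ -1,29 +1,11 @@` keep their old numbers (`#1`, `#6`, `#7`), so the sequence now has gaps that read like missing cases; renumbering them `#1`, `#2`, `#3` keeps the data file tidy. The descriptions themselves are fine and now name the single representation each case exercises.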
+++ b/tests/suites/test_suite_bignum_mod.function @@ -12,7 +12,7 @@ */ /* BEGIN_CASE */ -void mpi_mod_setup( int ext_rep, int int_rep, int iret ) +void mpi_mod_setup( int int_rep, int iret ) { #define MLIMBS 8 mbedtls_mpi_uint mp[MLIMBS]; @@ -22,7 +22,7 @@ void mpi_mod_setup( int ext_rep, int int_rep, int iret ) memset( mp, 0xFF, sizeof(mp) ); mbedtls_mpi_mod_modulus_init( &m ); - ret = mbedtls_mpi_mod_modulus_setup( &m, mp, MLIMBS, ext_rep, int_rep ); + ret = mbedtls_mpi_mod_modulus_setup( &m, mp, MLIMBS, int_rep ); TEST_EQUAL( ret, iret ); /* Only test if the constants have been set-up */ @@ -96,7 +96,7 @@ void mpi_residue_setup( char * input_X, char * input_Y, int ret ) TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, input_Y ) ); TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, - MBEDTLS_MPI_MOD_EXT_REP_LE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); TEST_EQUAL( ret, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) ); @@ -145,7 +145,7 @@ void mpi_mod_io_neg( ) mbedtls_mpi_mod_ext_rep endian = MBEDTLS_MPI_MOD_EXT_REP_LE; TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, - endian, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs ) ); @@ -191,7 +191,7 @@ void mpi_mod_io_neg( ) /* Read the two limbs input data into a larger modulus and residue */ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m2, N2, n2_limbs, - endian, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); rn.p = R2; rn.limbs = r2_limbs; TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, 
@@ -232,7 +232,7 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) /* Init Structures */ mbedtls_mpi_mod_modulus_init( &m ); - TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, endian, + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); /* Enforcing p_limbs >= m->limbs */ diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 031897889c..eb1980c291 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function @@ -49,7 +49,7 @@ void mpi_mod_raw_io( data_t *input, int nb_int, int nx_32_int, mbedtls_mpi_uint init[sizeof( X ) / sizeof( X[0] )]; memset( init, 0xFF, sizeof( init ) ); - int ret = mbedtls_mpi_mod_modulus_setup( &m, init, nx, endian, + int ret = mbedtls_mpi_mod_modulus_setup( &m, init, nx, MBEDTLS_MPI_MOD_REP_MONTGOMERY ); TEST_EQUAL( ret, 0 ); @@ -138,7 +138,6 @@ void mpi_mod_raw_cond_assign( char * input_X, memset( buff_m, 0xFF, copy_limbs ); TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( &m, buff_m, copy_limbs, - MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 ); /* condition is false */ @@ -211,7 +210,6 @@ void mpi_mod_raw_cond_swap( char * input_X, memset( buff_m, 0xFF, copy_limbs ); TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( &m, buff_m, copy_limbs, - MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 ); ASSERT_ALLOC( X, limbs ); @@ -480,7 +478,7 @@ void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X ) TEST_LE_U(a_limbs, n_limbs); TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, - MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); /* Convert from cannonical into Montgomery representation */ TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep( A, &m ) ); 
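Review bot: Removing the `ext_rep` argument from mbedtls_mpi_mod_modulus_setup in the test_suite_bignum_mod_raw.function hunks (`@@ -49`, `@@ -138`, `@@ -211`, `@@ -480`, `@@ -516`) appears to miss the setup calls in mpi_mod_raw_sub and mpi_mod_raw_add, which PATCH 371 later fixes with the same two-line deletion; if those callers already exist at this commit, this revision does not build the suite. Whether they exist here cannot be confirmed from the page, since the later fix is described as post-rebase fallout. In `@@ -49,7 +49,7 @@` the local `endian` is no longer passed to setup; if it is still consumed by the raw read/write calls below the hunk that is fine, otherwise it becomes an unused variable.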
@@ -516,7 +514,7 @@ void mpi_mod_raw_from_mont_rep( char * input_N, char * input_A, char * input_X ) TEST_LE_U(a_limbs, n_limbs); TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, - MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); /* Convert from Montgomery into cannonical representation */ TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep( A, &m ) ); From 41427dee80c1d2d1ea9feada36904b84549d7242 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 24 Nov 2022 19:04:54 +0000 Subject: [PATCH 367/413] Bignum Mod: improve documentation Signed-off-by: Janos Follath --- library/bignum_mod.h | 72 +++++++++++++++++++++++++++++--------------- 1 file changed, 47 insertions(+), 25 deletions(-) diff --git a/library/bignum_mod.h b/library/bignum_mod.h index 5f948a499a..52a5a56749 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h @@ -73,6 +73,18 @@ typedef struct { } mbedtls_mpi_mod_modulus; /** Setup a residue structure. + * + * The residue will be set up with the \p p buffer \p m modulus. + * + * The memory pointed by \p p will be used by the resulting residue structure. + * The value at the pointed memory will be the initial value of \p r and must + * hold a value that is less than the modulus. This value will be used as it is + * and interpreted according to the value of the `m->int_rep` field. + * + * The modulus \p m will be the modulus associated with \p r. The residue \p r + * should only be used in operations where the modulus is \p m or a modulus + * equivalent to \p m (in the sense that all their fields or memory pointed by + * their fields hold the same value). * * \param[out] r The address of residue to setup. The resulting structure's * size is determined by \p m. 
@@ -81,8 +93,9 @@ typedef struct { * The memory pointed to by \p p will be used by \p r and must * not be modified in any way until after * mbedtls_mpi_mod_residue_release() is called. The data - * pointed by p should be compatible (in terms of size/endianness) - * with the representation used in \p m. + * pointed by \p p should be less than the modulus (the value + * pointed by `m->p`) and already in the representation + * indicated by `m->int_rep`. * \param p_limbs The number of limbs of \p p. It must have at most as * many limbs as the modulus \p m.) * 
@@ -170,25 +183,28 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ); /* END MERGE SLOT 6 */ /* BEGIN MERGE SLOT 7 */ -/** Read public representation data stored in a buffer into a residue structure. +/** Read a residue from a byte buffer. * - * The `mbedtls_mpi_mod_residue` and `mbedtls_mpi_mod_modulus` structures must - * be compatible (Data in public representation is assumed to be in the m->ext_rep - * and will be padded to m->limbs). The data will be automatically converted - * into the appropriate internal representation based on the value of `m->int_rep`. + * The residue will be automatically converted to the internal representation + * based on the value of `m->int_rep` field. * - * \param r The address of the residue related to \p m. It must have as - * many limbs as the modulus \p m. + * The modulus \p m will be the modulus associated with \p r. The residue \p r + * should only be used in operations where the modulus is \p m or a modulus + * equivalent to \p m (in the sense that all their fields or memory pointed by + * their fields hold the same value). + * + * \param r The address of the residue. It must have as many limbs as + * the modulus \p m. * \param m The address of the modulus. * \param buf The input buffer to import from. * \param buflen The length in bytes of \p buf. * \param ext_rep The endianness of the number in the input buffer. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't + * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p r isn't * large enough to hold the value in \p buf. - * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation - * of \p m is invalid or \p X is not less than \p m. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep + * is invalid or the value in the buffer is not less than \p m. */ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, const mbedtls_mpi_mod_modulus *m, 
@@ -196,26 +212,32 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, size_t buflen, mbedtls_mpi_mod_ext_rep ext_rep ); -/** Write residue data onto a buffer using public representation data. +/** Write a residue into a byte buffer. * - * The `mbedtls_mpi_mod_residue` and `mbedtls_mpi_mod_modulus` structures must - * be compatible (Data will be exported onto the bufer using the m->ext_rep - * and will be read as of m->limbs length).The data will be automatically - * converted from the appropriate internal representation based on the - * value of `m->int_rep field`. + * The modulus \p m must be the modulus associated with \p r (see + * mbedtls_mpi_mod_residue_setup() and mbedtls_mpi_mod_read()). * - * \param r The address of the residue related to \p m. It must have as - * many limbs as the modulus \p m. - * \param m The address of the modulus. + * The residue will be automatically converted from the internal representation + * based on the value of `m->int_rep` field. + * + * \warning If the buffer is smaller than `m->bits`, the number of + * leading zeroes is leaked through side channels. If \p r is + * secret, the caller must ensure that \p buflen is at least + * (`m->bits`+7)/8. + * + * \param r The address of the residue. It must have as many limbs as + * the modulus \p m. + * \param m The address of the modulus associated with \r. * \param buf The output buffer to export to. * \param buflen The length in bytes of \p buf. - * \param ext_rep The endianness in which the number should be written into the output buffer. + * \param ext_rep The endianness in which the number should be written into + * the output buffer. * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't - * large enough to hold the value of \p X. - * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation - * of \p m is invalid. + * large enough to hold the value of \p r (without leading + * zeroes). 
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if of \p ext_rep is invalid. */ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, const mbedtls_mpi_mod_modulus *m, From fc6fbb4e969bc01857287c50ace8b197f2ffb1b7 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 25 Nov 2022 15:43:17 +0000 Subject: [PATCH 368/413] Bignum Mod: improve documentation Signed-off-by: Janos Follath Co-authored-by: Tom Cosgrove Signed-off-by: Janos Follath --- library/bignum_mod.h | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/library/bignum_mod.h b/library/bignum_mod.h index 52a5a56749..0706dd7a16 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h 
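Review bot: In the mbedtls_mpi_mod_write documentation (`@@ -196,26 +212,32 @@`) the new line `\param m The address of the modulus associated with \r.` uses `\r`, which is not a Doxygen parameter reference; it should read `\p r`. The new `\warning` compares a byte count with `m->bits` ("If the buffer is smaller than `m->bits`"), whereas the following sentence correctly gives the threshold in bytes; `If \p buflen is less than (m->bits+7)/8, …` keeps the units consistent. The warning itself is a welcome addition, since it documents a timing side channel in a function that may handle secret residues.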
@@ -74,30 +74,30 @@ typedef struct { /** Setup a residue structure. * - * The residue will be set up with the \p p buffer \p m modulus. + * The residue will be set up with the buffer \p p and modulus \p m. * - * The memory pointed by \p p will be used by the resulting residue structure. - * The value at the pointed memory will be the initial value of \p r and must - * hold a value that is less than the modulus. This value will be used as it is + * The memory pointed to by \p p will be used by the resulting residue structure. + * The value at the pointed-to memory will be the initial value of \p r and must + * hold a value that is less than the modulus. This value will be used as-is * and interpreted according to the value of the `m->int_rep` field. * * The modulus \p m will be the modulus associated with \p r. The residue \p r * should only be used in operations where the modulus is \p m or a modulus - * equivalent to \p m (in the sense that all their fields or memory pointed by + * equivalent to \p m (in the sense that all their fields or memory pointed to by * their fields hold the same value). * - * \param[out] r The address of residue to setup. The resulting structure's + * \param[out] r The address of the residue to setup. The resulting structure's * size is determined by \p m. * \param[in] m The address of the modulus related to \p r. - * \param[in] p The address of the limb array storing the value of \p r. + * \param[in] p The address of the limb array containing the value of \p r. * The memory pointed to by \p p will be used by \p r and must * not be modified in any way until after * mbedtls_mpi_mod_residue_release() is called. The data - * pointed by \p p should be less than the modulus (the value - * pointed by `m->p`) and already in the representation + * pointed to by \p p must be less than the modulus (the value + * pointed to by `m->p`) and already in the representation * indicated by `m->int_rep`. - * \param p_limbs The number of limbs of \p p. 
It must have at most as - * many limbs as the modulus \p m.) + * \param p_limbs The number of limbs of \p p. Must be <= the number of + * limbs in the modulus \p m.) * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the @@ -186,15 +186,15 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ); /** Read a residue from a byte buffer. * * The residue will be automatically converted to the internal representation - * based on the value of `m->int_rep` field. + * based on the value of the `m->int_rep` field. * * The modulus \p m will be the modulus associated with \p r. The residue \p r * should only be used in operations where the modulus is \p m or a modulus * equivalent to \p m (in the sense that all their fields or memory pointed by * their fields hold the same value). * - * \param r The address of the residue. It must have as many limbs as - * the modulus \p m. + * \param r The address of the residue. It must have exactly the same + * number of limbs as the modulus \p m. * \param m The address of the modulus. * \param buf The input buffer to import from. * \param buflen The length in bytes of \p buf. @@ -237,7 +237,7 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't * large enough to hold the value of \p r (without leading * zeroes). - * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if of \p ext_rep is invalid. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep is invalid. */ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, const mbedtls_mpi_mod_modulus *m, From ee530cc6445e3f8138cd2217b92e78394d892c47 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 25 Nov 2022 15:54:40 +0000 Subject: [PATCH 369/413] Bignum Mod: improve documentation Signed-off-by: Janos Follath --- library/bignum_mod.h | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
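Review bot: The reworded `\param p_limbs` line in `@@ -74,30 +74,30 @@` keeps the stray closing parenthesis in `limbs in the modulus \p m.)`, and PATCH 369's `@@ -96,8 +95,8 @@` carries it forward again; drop the `)`. In `@@ -186,15 +186,15 @@` the phrase `memory pointed by their fields` is left as is while the same sentence in the residue_setup description was changed to `pointed to by`, so the two paragraphs now differ in wording for no reason.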
diff --git a/library/bignum_mod.h b/library/bignum_mod.h index 0706dd7a16..67c48498e1 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h @@ -86,8 +86,7 @@ typedef struct { * equivalent to \p m (in the sense that all their fields or memory pointed to by * their fields hold the same value). * - * \param[out] r The address of the residue to setup. The resulting structure's - * size is determined by \p m. + * \param[out] r The address of the residue to setup. * \param[in] m The address of the modulus related to \p r. * \param[in] p The address of the limb array containing the value of \p r. * The memory pointed to by \p p will be used by \p r and must @@ -96,8 +95,8 @@ typedef struct { * pointed to by \p p must be less than the modulus (the value * pointed to by `m->p`) and already in the representation * indicated by `m->int_rep`. - * \param p_limbs The number of limbs of \p p. Must be <= the number of - * limbs in the modulus \p m.) + * \param p_limbs The number of limbs of \p p. Must be the same as the number + * of limbs in the modulus \p m.) * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the @@ -138,8 +137,7 @@ void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m ); * associated with \p m (see #mbedtls_mpi_mod_rep_selector). * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep or \p int_rep is - * invalid. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p int_rep is invalid. */ int mbedtls_mpi_mod_modulus_setup( mbedtls_mpi_mod_modulus *m, const mbedtls_mpi_uint *p, From 799eaeefdb585478c192cf13974e762ed6269b80 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 25 Nov 2022 15:57:04 +0000 Subject: [PATCH 370/413] Bignum Mod: move init before any goto Test macros have goto instructions to the end where everything is freed. We need to call init before that happens to make calling free functions safe. 
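Review bot: After `@@ -96,8 +95,8 @@` the `\param p_limbs` text requires the count to be `the same as the number of limbs in the modulus`, but the `\return` line that follows still only promises #MBEDTLS_ERR_MPI_BAD_INPUT_DATA `if \p p_limbs is less than the` modulus size. Either the return documentation should say what happens when `p_limbs` is larger, or the parameter text should say `at least`; which is right depends on the check inside mbedtls_mpi_mod_residue_setup, which is not part of this patch.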
Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_mod.function | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index bb87ba9d9d..b716ab5ca3 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -130,15 +130,15 @@ void mpi_mod_io_neg( ) const size_t buff_bytes = 1024; + mbedtls_mpi_mod_modulus_init( &m ); + mbedtls_mpi_mod_modulus_init( &m2 ); + /* Allocate the memory for intermediate data structures */ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, hex_modulus_single ) ); TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, hex_residue_single ) ); TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N2, &n2_limbs, hex_modulus_multi ) ); TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R2, &r2_limbs, hex_residue_multi ) ); - mbedtls_mpi_mod_modulus_init( &m ); - mbedtls_mpi_mod_modulus_init( &m2 ); - /* Allocate more than required space on buffer so we can test for input_r > mpi */ ASSERT_ALLOC( r_buff, buff_bytes ); memset( r_buff, 0x1, 1 ); @@ -218,6 +218,8 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) mbedtls_mpi_mod_residue r; size_t n_limbs, n_bytes, a_bytes; + mbedtls_mpi_mod_modulus_init( &m ); + /* Read inputs */ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); n_bytes = n_limbs * sizeof( mbedtls_mpi_uint ); @@ -231,7 +233,6 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) TEST_LE_U(a_bytes, n_bytes ); /* Init Structures */ - mbedtls_mpi_mod_modulus_init( &m ); TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); From f55505d38b330274c03148139667f0ca94278baa Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 25 Nov 2022 17:58:40 +0000 Subject: [PATCH 371/413] Bignum Mod Raw: fix tests after rebase 
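Review bot: In `@@ -231,7 +233,6 @@` the `/* Init Structures */` comment is left behind after the init call it introduced was moved to the top of mpi_mod_io, so it now heads only the modulus_setup call; either delete it or move it with the `mbedtls_mpi_mod_modulus_init( &m );` line added in `@@ -218,6 +218,8 @@`. The motivation — making the `exit:` cleanup safe when an earlier TEST_* macro jumps there — is sound, and the same ordering is applied consistently to `m` and `m2` in `@@ -130,15 +130,15 @@`.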
Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_mod_raw.function | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index eb1980c291..c7decf0071 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function @@ -308,7 +308,6 @@ void mpi_mod_raw_sub( char * input_A, TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( &m, N, limbs, - MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 ); mbedtls_mpi_mod_raw_sub( X, A, B, &m ); @@ -390,7 +389,6 @@ void mpi_mod_raw_add( char * input_N, TEST_EQUAL( mbedtls_mpi_mod_modulus_setup( &m, N, limbs, - MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ), 0 ); From 91f3abdfdadcf1271bc88b9861324ca1b52d0ee4 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 26 Nov 2022 11:47:14 +0000 Subject: [PATCH 372/413] Bignum Mod: improve residue_setup test - Rename input variables to match their purpose. - Assert fields upon success Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_mod.function | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index b716ab5ca3..6aaa9df768 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -81,7 +81,7 @@ exit: /* BEGIN MERGE SLOT 7 */ /* BEGIN_CASE */ -void mpi_residue_setup( char * input_X, char * input_Y, int ret ) +void mpi_residue_setup( char * input_N, char * input_R, int ret ) { mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; 
@@ -92,14 +92,20 @@ void mpi_residue_setup( char * input_X, char * input_Y, int ret ) mbedtls_mpi_mod_modulus_init( &m ); /* Allocate the memory for intermediate data structures */ - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_X ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, input_Y ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, input_R ) ); TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); TEST_EQUAL( ret, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) ); + if ( ret == 0 ) + { + TEST_EQUAL( r.limbs, r_limbs ); + TEST_ASSERT( r.p == R ); + } + exit: mbedtls_mpi_mod_modulus_free( &m ); mbedtls_free( N ); From 96070a53a872a02c3cd70a0fde37dd254e0a79a9 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 25 Nov 2022 19:32:10 +0000 Subject: [PATCH 373/413] bignum_tests: Refactored `mpi_mod_io_neg()` This patch refactors the negative test suite to use non-hardcoded input data. Signed-off-by: Minos Galanakis --- tests/suites/test_suite_bignum_mod.data | 16 ++- tests/suites/test_suite_bignum_mod.function | 108 +++++++------------- 2 files changed, 49 insertions(+), 75 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data index ef9416e169..1c2f75b119 100644 --- a/tests/suites/test_suite_bignum_mod.data +++ b/tests/suites/test_suite_bignum_mod.data 
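Review bot: The new success-path assertions in `@@ -92,14 +92,20 @@` are written as `if ( ret == 0 )`, whereas the library code in this series uses `if( ret != 0 )` with no space before the parenthesis; `if( ret == 0 )` would match the surrounding style. The checks themselves are a good addition: `TEST_ASSERT( r.p == R )` pins that mbedtls_mpi_mod_residue_setup aliases the caller's limb array rather than copying it, which is exactly the lifetime contract the header documents.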
@@ -56,8 +56,20 @@ mpi_residue_setup:"fe":"fe":-4 Test mbedtls_mpi_residue_setup #8 r > m mpi_residue_setup:"fe":"ff":-4 -Test mbedtls_mpi_mod_io_neg -mpi_mod_io_neg: +Test mbedtls_mpi_mod_io_neg #1 input_r < modulo m +mpi_mod_io_neg:"fe":"01":1:253:0 + +Test mbedtls_mpi_mod_io_neg #2 input_r == modulo m +mpi_mod_io_neg:"fe":"01":1:254:-4 + +Test mbedtls_mpi_mod_io_neg #3 input_r >= modulo m +mpi_mod_io_neg:"fe":"01":1:255:-4 + +Test mbedtls_mpi_mod_io_neg #4 input_r too large to fit +mpi_mod_io_neg:"fe":"01":1024:255:-8 + +Test mbedtls_mpi_mod_io_neg #5 Sucesfull read / output buffer too small +mpi_mod_io_neg:"7ffffffffffffffffffffffffffffff1":"7ffffffffffffffffffffffffffffff0":2:255:0 Test mbedtls_mpi_mod_io #1 N: "11" A: "119". mpi_mod_io:"000000000000000b":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 6aaa9df768..d318ba89cb 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function 
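Review bot: The new mpi_mod_io_neg cases in `@@ -56,8 +56,20 @@` encode the expected results as raw numbers (`-4`, `-8`) while the mpi_mod_setup cases in the same file spell them out as `MBEDTLS_ERR_MPI_BAD_INPUT_DATA`; using the symbolic names here too (`:MBEDTLS_ERR_MPI_BAD_INPUT_DATA` and `:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL`) keeps the file self-explanatory and robust to renumbering of error codes. The title of case #5 misspells "Successful" as `Sucesfull`. The function that consumes these parameters (`@@ -114,102 +114,64 @@`) runs past the end of this excerpt.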
@@ -114,102 +114,64 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mpi_mod_io_neg( ) +void mpi_mod_io_neg( char * input_N, char * input_R, int buff_bytes, int buff_byte_val, int ret ) { mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; - mbedtls_mpi_uint *N2 = NULL; - mbedtls_mpi_uint *R2 = NULL; unsigned char *r_buff = NULL; - - size_t n_limbs, r_limbs, n2_limbs, r2_limbs; + size_t n_limbs, r_limbs; mbedtls_mpi_mod_modulus m; mbedtls_mpi_mod_residue r; - mbedtls_mpi_mod_modulus m2; mbedtls_mpi_mod_residue rn = { NULL, 0 }; - - const char *hex_residue_single = "01"; - const char *hex_modulus_single = "fe"; - const char *hex_residue_multi = "7ffffffffffffffffffffffffffffff0"; - const char *hex_modulus_multi = "7ffffffffffffffffffffffffffffff1"; - - const size_t buff_bytes = 1024; + mbedtls_mpi_mod_ext_rep endian = MBEDTLS_MPI_MOD_EXT_REP_LE; mbedtls_mpi_mod_modulus_init( &m ); - mbedtls_mpi_mod_modulus_init( &m2 ); /* Allocate the memory for intermediate data structures */ - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, hex_modulus_single ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, hex_residue_single ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N2, &n2_limbs, hex_modulus_multi ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R2, &r2_limbs, hex_residue_multi ) ); - - /* Allocate more than required space on buffer so we can test for input_r > mpi */ ASSERT_ALLOC( r_buff, buff_bytes ); - memset( r_buff, 0x1, 1 ); + /* Fill the buffer with the value passed in */ + memset( r_buff, buff_byte_val, buff_bytes ); - mbedtls_mpi_mod_ext_rep endian = MBEDTLS_MPI_MOD_EXT_REP_LE; - TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, - MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); + TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, input_R ) ); - TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs ) ); - - /* Pass for input_r < modulo */ - 
TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); - - /* Pass for input_r == modulo -1 */ - memset( r_buff, 0xfd, buff_bytes ); - TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); - - /* modulo->p == NULL || residue->p == NULL ( m2 has not been set-up ) */ + /* modulo->p == NULL || residue->p == NULL ( m has not been set-up ) */ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &r, &m2, r_buff, 1, endian ) ); - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &rn, &m, r_buff, 1, endian ) ); - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_write( &r, &m2, r_buff, 1, endian ) ); - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_write( &rn, &m, r_buff, 1, endian ) ); - - /* Fail for r_limbs < m->limbs */ - r.limbs = m.limbs - 1; - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_write( &rn, &m, r_buff, 1, endian ) ); - r.limbs = r_limbs; - - /* Fail if input_r >= modulo m */ - /* input_r = modulo */ - memset( r_buff, 0xfe, buff_bytes ); - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); - - /* input_r > modulo */ - memset( r_buff, 0xff, buff_bytes ); - TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &r, &m, r_buff, 1, endian ) ); - - /* Data too large to fit */ - TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes, endian ) ); - /* Read the two limbs input data into a larger modulus and residue */ - TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m2, N2, n2_limbs, - MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); - rn.p = R2; - rn.limbs = r2_limbs; - TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, - mbedtls_mpi_mod_write( &rn, &m2, r_buff, 1, endian ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_write( &r, &m, r_buff, buff_bytes, endian ) 
); + TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, + MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs ) ); + + /* modulo->p == NULL || residue->p == NULL ( m has been set-up ) */ + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_read( &rn, &m, r_buff, buff_bytes, endian ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_write( &rn, &m, r_buff, buff_bytes, endian ) ); + + /* Fail for r_limbs > m->limbs */ + r.limbs = m.limbs + 1; + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes, endian ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_write( &r, &m, r_buff, buff_bytes, endian ) ); + r.limbs = r_limbs; + + /* Test the read */ + TEST_EQUAL( ret, mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes, endian ) ); + + /* Test write overflow only when the representation is large and read is successful */ + if (r.limbs > 1 && ret == 0) + TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, + mbedtls_mpi_mod_write( &r, &m, r_buff, 1, endian ) ); exit: mbedtls_mpi_mod_modulus_free( &m ); - mbedtls_mpi_mod_modulus_free( &m2 ); mbedtls_free( N ); mbedtls_free( R ); - mbedtls_free( N2 ); - mbedtls_free( R2 ); mbedtls_free( r_buff ); } /* END_CASE */ From 566c91db27a3b0d2b90e205db904966a6e5aa47f Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 26 Nov 2022 12:05:50 +0000 Subject: [PATCH 374/413] Bignum Mod: io_neg test pass data directly Pass buffer directly instead of constructing it in the function. Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_mod.data | 12 +++++----- tests/suites/test_suite_bignum_mod.function | 25 ++++++++------------- 2 files changed, 15 insertions(+), 22 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data index 1c2f75b119..8579becfaf 100644 --- a/tests/suites/test_suite_bignum_mod.data 
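Review bot: `mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs )` declares the residue with the modulus's limb count, but `R` was allocated by `mbedtls_test_read_mpi_core` with `r_limbs` limbs derived from `input_R`; for any vector where `input_R` is shorter than `input_N` the residue claims more limbs than its buffer holds and the following `mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes, endian )` writes past the end of `R`. The current vectors pair equal-length hex strings so this does not fire today, but the test should pin the assumption instead of relying on it: `TEST_EQUAL( n_limbs, r_limbs );` before the setup and `mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs )`. The later `r.limbs = r_limbs;` restore after the `m.limbs + 1` probe likewise only works because the two counts happen to agree.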
+++ b/tests/suites/test_suite_bignum_mod.data @@ -57,19 +57,19 @@ Test mbedtls_mpi_residue_setup #8 r > m mpi_residue_setup:"fe":"ff":-4 Test mbedtls_mpi_mod_io_neg #1 input_r < modulo m -mpi_mod_io_neg:"fe":"01":1:253:0 +mpi_mod_io_neg:"fe":"01":"fd":0 Test mbedtls_mpi_mod_io_neg #2 input_r == modulo m -mpi_mod_io_neg:"fe":"01":1:254:-4 +mpi_mod_io_neg:"fe":"01":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA -Test mbedtls_mpi_mod_io_neg #3 input_r >= modulo m -mpi_mod_io_neg:"fe":"01":1:255:-4 +Test mbedtls_mpi_mod_io_neg #3 input_r > modulo m +mpi_mod_io_neg:"fe":"01":"ff":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_mod_io_neg #4 input_r too large to fit -mpi_mod_io_neg:"fe":"01":1024:255:-8 +mpi_mod_io_neg:"fe":"01":"ffffffffffffffffff":MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL Test mbedtls_mpi_mod_io_neg #5 Sucesfull read / output buffer too small -mpi_mod_io_neg:"7ffffffffffffffffffffffffffffff1":"7ffffffffffffffffffffffffffffff0":2:255:0 +mpi_mod_io_neg:"7ffffffffffffffffffffffffffffff1":"7ffffffffffffffffffffffffffffff0":"ffff":0 Test mbedtls_mpi_mod_io #1 N: "11" A: "119". mpi_mod_io:"000000000000000b":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index d318ba89cb..1d6b850b56 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -114,11 +114,10 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mpi_mod_io_neg( char * input_N, char * input_R, int buff_bytes, int buff_byte_val, int ret ) +void mpi_mod_io_neg( char * input_N, char * input_R, data_t * buf, int ret ) { mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; - unsigned char *r_buff = NULL; size_t n_limbs, r_limbs; mbedtls_mpi_mod_modulus m; 
@@ -128,20 +127,15 @@ void mpi_mod_io_neg( char * input_N, char * input_R, int buff_bytes, int buff_by mbedtls_mpi_mod_modulus_init( &m ); - /* Allocate the memory for intermediate data structures */ - ASSERT_ALLOC( r_buff, buff_bytes ); - /* Fill the buffer with the value passed in */ - memset( r_buff, buff_byte_val, buff_bytes ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, input_R ) ); /* modulo->p == NULL || residue->p == NULL ( m has not been set-up ) */ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes, endian ) ); + mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_write( &r, &m, r_buff, buff_bytes, endian ) ); + mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) ); TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); 
@@ -149,30 +143,29 @@ void mpi_mod_io_neg( char * input_N, char * input_R, int buff_bytes, int buff_by /* modulo->p == NULL || residue->p == NULL ( m has been set-up ) */ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &rn, &m, r_buff, buff_bytes, endian ) ); + mbedtls_mpi_mod_read( &rn, &m, buf->x, buf->len, endian ) ); TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_write( &rn, &m, r_buff, buff_bytes, endian ) ); + mbedtls_mpi_mod_write( &rn, &m, buf->x, buf->len, endian ) ); /* Fail for r_limbs > m->limbs */ r.limbs = m.limbs + 1; TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes, endian ) ); + mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_write( &r, &m, r_buff, buff_bytes, endian ) ); + mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) ); r.limbs = r_limbs; /* Test the read */ - TEST_EQUAL( ret, mbedtls_mpi_mod_read( &r, &m, r_buff, buff_bytes, endian ) ); + TEST_EQUAL( ret, mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); /* Test write overflow only when the representation is large and read is successful */ if (r.limbs > 1 && ret == 0) TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, - mbedtls_mpi_mod_write( &r, &m, r_buff, 1, endian ) ); + mbedtls_mpi_mod_write( &r, &m, buf->x, 1, endian ) ); exit: mbedtls_mpi_mod_modulus_free( &m ); mbedtls_free( N ); mbedtls_free( R ); - mbedtls_free( r_buff ); } /* END_CASE */ From 339b439906f9f36d36dac1ca5ece8eac73e72449 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 26 Nov 2022 12:20:41 +0000 Subject: [PATCH 375/413] Bignum Mod: remove unused parameter in io_neg test The value was overwritten and the length wasn't used either. This latter could have lead to a buffer overflow as well. 
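Review bot: The closing overflow probe `mbedtls_mpi_mod_write( &r, &m, buf->x, 1, endian )` uses the test vector's own input buffer as the write destination; it is expected to fail with MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, but if that expectation ever breaks the failure also overwrites the input that the preceding `mbedtls_mpi_mod_read` was checked against, which makes the resulting failure report misleading. A local scratch byte keeps the probe self-contained: `unsigned char out_byte = 0;` and `mbedtls_mpi_mod_write( &r, &m, &out_byte, 1, endian )`. The same applies to the `mbedtls_mpi_mod_write( … buf->x, buf->len … )` calls that expect MBEDTLS_ERR_MPI_BAD_INPUT_DATA in this hunk and in the preceding one.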
Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_mod.data | 10 +++++----- tests/suites/test_suite_bignum_mod.function | 9 +++++---- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data index 8579becfaf..2ea4a5833c 100644 --- a/tests/suites/test_suite_bignum_mod.data +++ b/tests/suites/test_suite_bignum_mod.data @@ -57,19 +57,19 @@ Test mbedtls_mpi_residue_setup #8 r > m mpi_residue_setup:"fe":"ff":-4 Test mbedtls_mpi_mod_io_neg #1 input_r < modulo m -mpi_mod_io_neg:"fe":"01":"fd":0 +mpi_mod_io_neg:"fe":"fd":0 Test mbedtls_mpi_mod_io_neg #2 input_r == modulo m -mpi_mod_io_neg:"fe":"01":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +mpi_mod_io_neg:"fe":"fe":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_mod_io_neg #3 input_r > modulo m -mpi_mod_io_neg:"fe":"01":"ff":MBEDTLS_ERR_MPI_BAD_INPUT_DATA +mpi_mod_io_neg:"fe":"ff":MBEDTLS_ERR_MPI_BAD_INPUT_DATA Test mbedtls_mpi_mod_io_neg #4 input_r too large to fit -mpi_mod_io_neg:"fe":"01":"ffffffffffffffffff":MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL +mpi_mod_io_neg:"fe":"ffffffffffffffffff":MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL Test mbedtls_mpi_mod_io_neg #5 Sucesfull read / output buffer too small -mpi_mod_io_neg:"7ffffffffffffffffffffffffffffff1":"7ffffffffffffffffffffffffffffff0":"ffff":0 +mpi_mod_io_neg:"7ffffffffffffffffffffffffffffff1":"ffff":0 Test mbedtls_mpi_mod_io #1 N: "11" A: "119". mpi_mod_io:"000000000000000b":"0000000000000000":MBEDTLS_MPI_MOD_EXT_REP_BE diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 1d6b850b56..6a70e72877 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function 
@@ -114,11 +114,10 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void mpi_mod_io_neg( char * input_N, char * input_R, data_t * buf, int ret ) +void mpi_mod_io_neg( char * input_N, data_t * buf, int ret ) { mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; - size_t n_limbs, r_limbs; mbedtls_mpi_mod_modulus m; mbedtls_mpi_mod_residue r; @@ -127,8 +126,10 @@ void mpi_mod_io_neg( char * input_N, char * input_R, data_t * buf, int ret ) mbedtls_mpi_mod_modulus_init( &m ); + size_t n_limbs; TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); - TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &R, &r_limbs, input_R ) ); + size_t r_limbs = n_limbs; + ASSERT_ALLOC( R, r_limbs ); /* modulo->p == NULL || residue->p == NULL ( m has not been set-up ) */ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, @@ -139,7 +140,7 @@ void mpi_mod_io_neg( char * input_N, char * input_R, data_t * buf, int ret ) TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); - TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , n_limbs ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) ); /* modulo->p == NULL || residue->p == NULL ( m has been set-up ) */ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, From 898db6b8e5d24745128a4cf9bd4b63122af055c8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 26 Nov 2022 14:15:32 +0100 Subject: [PATCH 376/413] Move ssl_debug_helpers_generated to the correct library This is a private interface only, so it's an ABI change but not an API change. Signed-off-by: Gilles Peskine --- ChangeLog.d/move-ssl-modules.txt | 3 +++ library/CMakeLists.txt | 2 +- library/Makefile | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 ChangeLog.d/move-ssl-modules.txt diff --git a/ChangeLog.d/move-ssl-modules.txt b/ChangeLog.d/move-ssl-modules.txt new file mode 100644 index 0000000000..f00e5ad837 --- /dev/null +++ b/ChangeLog.d/move-ssl-modules.txt 
@@ -0,0 +1,3 @@ +Bugfix + * Move some SSL-specific code out of libmbedcrypto where it had been placed + accidentally. diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 60b1cf4dd5..bd832cbb3a 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -84,7 +84,6 @@ set(src_crypto sha1.c sha256.c sha512.c - ssl_debug_helpers_generated.c threading.c timing.c version.c @@ -109,6 +108,7 @@ set(src_tls ssl_ciphersuites.c ssl_client.c ssl_cookie.c + ssl_debug_helpers_generated.c ssl_msg.c ssl_ticket.c ssl_tls.c diff --git a/library/Makefile b/library/Makefile index 6c3b758208..03474d2759 100644 --- a/library/Makefile +++ b/library/Makefile @@ -149,7 +149,6 @@ OBJS_CRYPTO= \ sha1.o \ sha256.o \ sha512.o \ - ssl_debug_helpers_generated.o \ threading.o \ timing.o \ version.o \ @@ -178,6 +177,7 @@ OBJS_TLS= \ ssl_ciphersuites.o \ ssl_client.o \ ssl_cookie.o \ + ssl_debug_helpers_generated.o \ ssl_msg.o \ ssl_ticket.o \ ssl_tls.o \ From 89e31adbee9f837812fcfdd2490180a2039df20c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 26 Nov 2022 14:18:45 +0100 Subject: [PATCH 377/413] Move mps modules to the correct library This is a private interface only, so it's an ABI change but not an API change. Signed-off-by: Gilles Peskine --- library/CMakeLists.txt | 4 ++-- library/Makefile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index bd832cbb3a..8106dab59a 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -49,8 +49,6 @@ set(src_crypto md.c md5.c memory_buffer_alloc.c - mps_reader.c - mps_trace.c nist_kw.c oid.c padlock.c @@ -103,6 +101,8 @@ set(src_x509 set(src_tls debug.c + mps_reader.c + mps_trace.c net_sockets.c ssl_cache.c ssl_ciphersuites.c diff --git a/library/Makefile b/library/Makefile index 03474d2759..5073517ce9 100644 --- a/library/Makefile +++ b/library/Makefile 
@@ -114,8 +114,6 @@ OBJS_CRYPTO= \ md.o \ md5.o \ memory_buffer_alloc.o \ - mps_reader.o \ - mps_trace.o \ nist_kw.o \ oid.o \ padlock.o \ @@ -172,6 +170,8 @@ OBJS_X509= \ OBJS_TLS= \ debug.o \ + mps_reader.o \ + mps_trace.o \ net_sockets.o \ ssl_cache.o \ ssl_ciphersuites.o \ From 6ef582f2b8a8c280e6f47ffb372c89f6b93cfb11 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 26 Nov 2022 14:19:02 +0000 Subject: [PATCH 378/413] Bignum Mod Tests: improve readabilty and style Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_mod.function | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 6a70e72877..8945968d7f 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -160,7 +160,7 @@ void mpi_mod_io_neg( char * input_N, data_t * buf, int ret ) TEST_EQUAL( ret, mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); /* Test write overflow only when the representation is large and read is successful */ - if (r.limbs > 1 && ret == 0) + if ( r.limbs > 1 && ret == 0 ) TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, mbedtls_mpi_mod_write( &r, &m, buf->x, 1, endian ) ); exit: @@ -185,14 +185,14 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) /* Read inputs */ TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) ); n_bytes = n_limbs * sizeof( mbedtls_mpi_uint ); - a_bytes = input_A->len * sizeof( char ); + a_bytes = input_A->len; /* Allocate the memory for intermediate data structures */ ASSERT_ALLOC( R, n_bytes ); ASSERT_ALLOC( r_buff, a_bytes ); /* Test that input's size is not greater to modulo's */ - TEST_LE_U(a_bytes, n_bytes ); + TEST_LE_U( a_bytes, n_bytes ); /* Init Structures */ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, From 75b9f0fd2e463ce748dbd44efb1fd1fecbd26d89 Mon Sep 17 00:00:00 2001 
From: Janos Follath Date: Sat, 26 Nov 2022 14:28:50 +0000 Subject: [PATCH 379/413] mbedtls_mpi_mod_read/write: remove redundant checks The function isn't documented as accepting null pointer, and there's no reason why it should be. Just let it dereference the pointer. The null/zero checks are only marginally useful: they validate that m and r are properly populated objects, not freshly initialized ones. For that, it's enough to check that the pointers aren't null or that the sizes aren't zero, we don't need to check both. Also, use separate if statements for unrelated checks. Signed-off-by: Janos Follath --- library/bignum_mod.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 3cb3c436d9..f07307ce5a 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -203,11 +203,11 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, { int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; - if ( r == NULL || m == NULL ) - goto cleanup; - if ( r->p == NULL || m->p == NULL || r->limbs > m->limbs || - r->limbs == 0 || m->limbs == 0 ) + /* Do our best to check if r and m have been set up */ + if ( r->limbs == 0 || m->limbs == 0 ) + goto cleanup; + if ( r->limbs > m->limbs ) goto cleanup; ret = mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen, ext_rep ); @@ -232,11 +232,10 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, { int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; - if ( r == NULL || m == NULL ) + /* Do our best to check if r and m have been set up */ + if ( r->limbs == 0 || m->limbs == 0 ) goto cleanup; - - if ( r->p == NULL || m->p == NULL || r->limbs > m->limbs || - r->limbs == 0 || m->limbs == 0 ) + if ( r->limbs > m->limbs ) goto cleanup; if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) From d7bb35257b7279696a445a03d48579f58a53e5d3 Mon Sep 17 00:00:00 2001 
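Review bot: After this change `mbedtls_mpi_mod_read` and `mbedtls_mpi_mod_write` still accept `r->limbs < m->limbs`, because only `r->limbs > m->limbs` is rejected before the work is handed to `mbedtls_mpi_mod_raw_read`/`mbedtls_mpi_mod_raw_write` with `r->p` and `m`; if those helpers operate on `m->limbs` limbs (their bodies are not in this diff) a shorter residue is read or written past its buffer. `mbedtls_mpi_mod_residue_setup` requires the two counts to match, so the guard here should be the same in both hunks: `if ( r->limbs != m->limbs )`. The comment `/* Do our best to check if r and m have been set up */` should also say what the check cannot catch — a residue or modulus that was never initialised has indeterminate `limbs`, so callers must go through `residue_setup`/`modulus_setup` first. Both function bodies continue outside their hunks.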
From: Janos Follath Date: Sat, 26 Nov 2022 14:59:27 +0000 Subject: [PATCH 380/413] mbedtls_mpi_mod_read/write: restrict pre-conditions Require equality for the number of limbs in the modulus and the residue. This makes these functions consistent with residue_setup(). Signed-off-by: Janos Follath --- library/bignum_mod.c | 4 ++-- tests/suites/test_suite_bignum_mod.function | 18 +++++++++++++++--- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index f07307ce5a..7f7c71512e 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -207,7 +207,7 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, /* Do our best to check if r and m have been set up */ if ( r->limbs == 0 || m->limbs == 0 ) goto cleanup; - if ( r->limbs > m->limbs ) + if ( r->limbs != m->limbs ) goto cleanup; ret = mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen, ext_rep ); @@ -235,7 +235,7 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, /* Do our best to check if r and m have been set up */ if ( r->limbs == 0 || m->limbs == 0 ) goto cleanup; - if ( r->limbs > m->limbs ) + if ( r->limbs != m->limbs ) goto cleanup; if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 8945968d7f..7042ed3d2b 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function 
@@ -148,13 +148,23 @@ void mpi_mod_io_neg( char * input_N, data_t * buf, int ret ) TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &rn, &m, buf->x, buf->len, endian ) ); - /* Fail for r_limbs > m->limbs */ - r.limbs = m.limbs + 1; + /* Fail for r_limbs < m->limbs */ + r.limbs--; + TEST_ASSERT( r.limbs < m.limbs ); TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) ); - r.limbs = r_limbs; + r.limbs++; + + /* Fail for r_limbs > m->limbs */ + m.limbs--; + TEST_ASSERT( r.limbs > m.limbs ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); + TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, + mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) ); + m.limbs++; /* Test the read */ TEST_EQUAL( ret, mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); @@ -163,7 +173,9 @@ void mpi_mod_io_neg( char * input_N, data_t * buf, int ret ) if ( r.limbs > 1 && ret == 0 ) TEST_EQUAL( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL, mbedtls_mpi_mod_write( &r, &m, buf->x, 1, endian ) ); + exit: + mbedtls_mpi_mod_residue_release( &r ); mbedtls_mpi_mod_modulus_free( &m ); mbedtls_free( N ); mbedtls_free( R ); From 8dfc8c41b7fb12a42d2828e88943850ec69e9480 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 26 Nov 2022 15:39:02 +0000 Subject: [PATCH 381/413] mbedtls_mpi_mod_write: prevent data corruption The function wasn't converting back data to internal representation when writing it out. Signed-off-by: Janos Follath --- library/bignum_mod.c | 16 ++++++++++++++-- tests/suites/test_suite_bignum_mod.function | 10 ++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 7f7c71512e..4fe6e48547 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c 
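Review bot: The two new mismatch probes only exercise the `r->limbs != m->limbs` path for vectors with more than one limb: with the single-limb `"fe"` cases `r.limbs--` and `m.limbs--` take the count to 0, which `mbedtls_mpi_mod_read`/`write` reject on their `limbs == 0` pre-check instead, so the assertions pass for a different reason than the `/* Fail for r_limbs < m->limbs */` comment claims (and `TEST_ASSERT( r.limbs < m.limbs )` is satisfied by 0 < 1). Guard the probes on `r.limbs > 1` the way the BUFFER_TOO_SMALL probe in the second hunk already is, or add `TEST_ASSERT( r.limbs > 0 );` and `TEST_ASSERT( m.limbs > 0 );` after the decrements so the degenerate case fails loudly. The function starts before the first hunk; the second hunk is its tail.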
@@ -231,6 +231,7 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, mbedtls_mpi_mod_ext_rep ext_rep ) { int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; + int conv_ret = 0; /* Do our best to check if r and m have been set up */ if ( r->limbs == 0 || m->limbs == 0 ) @@ -238,12 +239,23 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, if ( r->limbs != m->limbs ) goto cleanup; - if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) - ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m ); + if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) + { + conv_ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m ); + if( conv_ret != 0 ) + goto cleanup; + } ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen, ext_rep ); + if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) + conv_ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m ); + cleanup: + + if ( ret == 0 ) + ret = conv_ret; + return ( ret ); } /* END MERGE SLOT 7 */ diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 7042ed3d2b..df6bb45f6f 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -187,9 +187,11 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) { mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; + mbedtls_mpi_uint *R_COPY = NULL; unsigned char *r_buff = NULL; mbedtls_mpi_mod_modulus m; mbedtls_mpi_mod_residue r; + mbedtls_mpi_mod_residue r_copy; size_t n_limbs, n_bytes, a_bytes; mbedtls_mpi_mod_modulus_init( &m ); @@ -201,6 +203,7 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) /* Allocate the memory for intermediate data structures */ ASSERT_ALLOC( R, n_bytes ); + ASSERT_ALLOC( R_COPY, n_bytes ); ASSERT_ALLOC( r_buff, a_bytes ); /* Test that input's size is not greater to modulo's */ 
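Review bot: When `mbedtls_mpi_mod_raw_from_mont_rep` fails, the `goto cleanup` leaves `ret` at its initial MBEDTLS_ERR_MPI_BAD_INPUT_DATA and `if ( ret == 0 ) ret = conv_ret;` never fires, so the caller is told its inputs were bad instead of receiving the conversion error; set it before jumping: `if( conv_ret != 0 ) { ret = conv_ret; goto cleanup; }`. Separately, the function now converts `r->p` out of Montgomery form in place and back again although `r` is a `const mbedtls_mpi_mod_residue *`, so a concurrent reader of the residue can observe the intermediate representation and a failed `mbedtls_mpi_mod_raw_to_mont_rep` leaves it in the wrong form; that deserves a `\warning` in the header comment (outside this diff) or a conversion into a scratch copy of `m->limbs` limbs. The function body continues outside the first hunk.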
@@ -219,11 +222,18 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) TEST_EQUAL( 0, mbedtls_mpi_mod_write( &r, &m, r_buff, a_bytes, endian ) ); + /* Make sure that writing didn't change the value of r */ + TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r_copy, &m, R_COPY, n_limbs ) ); + TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r_copy, &m, input_A->x, input_A->len, + endian ) ); + ASSERT_COMPARE( r.p, r.limbs, r_copy.p, r_copy.limbs ); + ASSERT_COMPARE( r_buff, a_bytes, input_A->x, a_bytes ); exit: mbedtls_mpi_mod_modulus_free( &m ); mbedtls_free( N ); mbedtls_free( R ); + mbedtls_free( R_COPY ); mbedtls_free( r_buff ); } /* END_CASE */ From 0020df9cf929119eb322784a8608039533f645b9 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 26 Nov 2022 17:23:16 +0000 Subject: [PATCH 382/413] mpi_mod_io: test with various buffer sizes Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_mod.function | 70 ++++++++++++++++++--- 1 file changed, 60 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index df6bb45f6f..8fdd7b986f 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -188,7 +188,8 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *R = NULL; mbedtls_mpi_uint *R_COPY = NULL; - unsigned char *r_buff = NULL; + unsigned char *obuf = NULL; + unsigned char *ref_buf = NULL; mbedtls_mpi_mod_modulus m; mbedtls_mpi_mod_residue r; mbedtls_mpi_mod_residue r_copy; @@ -204,7 +205,6 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) /* Allocate the memory for intermediate data structures */ ASSERT_ALLOC( R, n_bytes ); ASSERT_ALLOC( R_COPY, n_bytes ); - ASSERT_ALLOC( r_buff, a_bytes ); /* Test that input's size is not greater to modulo's */ TEST_LE_U( a_bytes, n_bytes ); 
@@ -219,22 +219,72 @@ void mpi_mod_io( char * input_N, data_t * input_A, int endian ) TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r, &m, input_A->x, input_A->len, endian ) ); - TEST_EQUAL( 0, mbedtls_mpi_mod_write( &r, &m, r_buff, a_bytes, - endian ) ); - - /* Make sure that writing didn't change the value of r */ - TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r_copy, &m, R_COPY, n_limbs ) ); + /* Read a copy for checking that writing didn't change the value of r */ + TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r_copy, &m, + R_COPY, n_limbs ) ); TEST_EQUAL( 0, mbedtls_mpi_mod_read( &r_copy, &m, input_A->x, input_A->len, endian ) ); - ASSERT_COMPARE( r.p, r.limbs, r_copy.p, r_copy.limbs ); - ASSERT_COMPARE( r_buff, a_bytes, input_A->x, a_bytes ); + /* Get number of bytes without leading zeroes */ + size_t a_bytes_trimmed = a_bytes; + while( a_bytes_trimmed > 0 ) + { + unsigned char* r_byte_array = (unsigned char*) r.p; + if( r_byte_array[--a_bytes_trimmed] != 0 ) + break; + } + a_bytes_trimmed++; + + /* Test write with three output buffer sizes: tight, same as input and + * longer than the input */ + size_t obuf_sizes[3]; + const size_t obuf_sizes_len = sizeof( obuf_sizes ) / sizeof( obuf_sizes[0] ); + obuf_sizes[0] = a_bytes_trimmed; + obuf_sizes[1] = a_bytes; + obuf_sizes[2] = a_bytes + 8; + + for( size_t i = 0; i < obuf_sizes_len; i++ ) + { + ASSERT_ALLOC( obuf, obuf_sizes[i] ); + TEST_EQUAL( 0, mbedtls_mpi_mod_write( &r, &m, obuf, obuf_sizes[i], endian ) ); + + /* Make sure that writing didn't corrupt the value of r */ + ASSERT_COMPARE( r.p, r.limbs, r_copy.p, r_copy.limbs ); + + /* Set up reference output for checking the result */ + ASSERT_ALLOC( ref_buf, obuf_sizes[i] ); + switch( endian ) + { + case MBEDTLS_MPI_MOD_EXT_REP_LE: + memcpy( ref_buf, input_A->x, a_bytes_trimmed ); + break; + case MBEDTLS_MPI_MOD_EXT_REP_BE: + { + size_t a_offset = input_A->len - a_bytes_trimmed; + size_t ref_offset = obuf_sizes[i] - a_bytes_trimmed; + memcpy( ref_buf + ref_offset, 
input_A->x + a_offset, + a_bytes_trimmed ); + } + break; + default: + TEST_ASSERT( 0 ); + } + + /* Check the result */ + ASSERT_COMPARE( obuf, obuf_sizes[i], ref_buf, obuf_sizes[i] ); + + mbedtls_free( ref_buf ); + ref_buf = NULL; + mbedtls_free( obuf ); + obuf = NULL; + } + exit: mbedtls_mpi_mod_modulus_free( &m ); mbedtls_free( N ); mbedtls_free( R ); mbedtls_free( R_COPY ); - mbedtls_free( r_buff ); + mbedtls_free( obuf ); } /* END_CASE */ /* END MERGE SLOT 7 */ From 6eb92c04106faeab4ee280ed4c17b90eeb36436f Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Sat, 26 Nov 2022 17:34:37 +0000 Subject: [PATCH 383/413] Bignum Mod: improve documentation and style Signed-off-by: Janos Follath --- library/bignum_mod.c | 31 +++++++++++++++---------------- library/bignum_mod.h | 8 +++----- 2 files changed, 18 insertions(+), 21 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 4fe6e48547..74af509ae1 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -50,7 +50,7 @@ int mbedtls_mpi_mod_residue_setup( mbedtls_mpi_mod_residue *r, void mbedtls_mpi_mod_residue_release( mbedtls_mpi_mod_residue *r ) { - if ( r == NULL ) + if( r == NULL ) return; r->limbs = 0; @@ -59,7 +59,7 @@ void mbedtls_mpi_mod_residue_release( mbedtls_mpi_mod_residue *r ) void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m ) { - if ( m == NULL ) + if( m == NULL ) return; m->p = NULL; @@ -70,7 +70,7 @@ void mbedtls_mpi_mod_modulus_init( mbedtls_mpi_mod_modulus *m ) void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ) { - if ( m == NULL ) + if( m == NULL ) return; switch( m->int_rep ) 
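Review bot: `a_bytes_trimmed` is computed by scanning the bytes of `r.p`, which is the internal limb array rather than the external encoding; if `m` is set up with the Montgomery representation (the setup call is outside this hunk) the stored limbs hold the converted value, whose significant length is unrelated to that of `input_A`, and the scan also assumes the host lays limbs out little-endian. The "tight" output size should be derived from `input_A->x` in the direction given by `endian`, which is what the reference-buffer `switch` below already assumes; the rewrite below does that and keeps the original's minimum of one byte for a zero value. The function starts before the hunk.
```c
    /* Get number of bytes without leading zeroes, taken from the external
     * encoding rather than from the internal limb array */
    size_t a_bytes_trimmed = 0;
    for( size_t k = 0; k < a_bytes; k++ )
    {
        size_t idx = ( endian == MBEDTLS_MPI_MOD_EXT_REP_LE ) ? a_bytes - 1 - k : k;
        if( input_A->x[idx] != 0 )
        {
            a_bytes_trimmed = a_bytes - k;
            break;
        }
    }
    if( a_bytes_trimmed == 0 )
        a_bytes_trimmed = 1;
    /* … unchanged: obuf_sizes setup and the write/compare loop … */
```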
@@ -110,17 +110,17 @@ static int set_mont_const_square( const mbedtls_mpi_uint **X, mbedtls_mpi_init( &N ); mbedtls_mpi_init( &RR ); - if ( A == NULL || limbs == 0 || limbs >= ( MBEDTLS_MPI_MAX_LIMBS / 2 ) - 2 ) + if( A == NULL || limbs == 0 || limbs >= ( MBEDTLS_MPI_MAX_LIMBS / 2 ) - 2 ) goto cleanup; - if ( mbedtls_mpi_grow( &N, limbs ) ) + if( mbedtls_mpi_grow( &N, limbs ) ) goto cleanup; memcpy( N.p, A, sizeof(mbedtls_mpi_uint) * limbs ); ret = mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N); - if ( ret == 0 ) + if( ret == 0 ) { *X = RR.p; RR.p = NULL; @@ -205,20 +205,19 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, /* Do our best to check if r and m have been set up */ - if ( r->limbs == 0 || m->limbs == 0 ) + if( r->limbs == 0 || m->limbs == 0 ) goto cleanup; - if ( r->limbs != m->limbs ) + if( r->limbs != m->limbs ) goto cleanup; ret = mbedtls_mpi_mod_raw_read( r->p, m, buf, buflen, ext_rep ); - if( ret != 0 ) goto cleanup; r->limbs = m->limbs; - if (m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) - ret = mbedtls_mpi_mod_raw_to_mont_rep(r->p, m); + if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) + ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m ); cleanup: return ( ret ); @@ -234,12 +233,12 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, int conv_ret = 0; /* Do our best to check if r and m have been set up */ - if ( r->limbs == 0 || m->limbs == 0 ) + if( r->limbs == 0 || m->limbs == 0 ) goto cleanup; - if ( r->limbs != m->limbs ) + if( r->limbs != m->limbs ) goto cleanup; - if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) + if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) { conv_ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m ); if( conv_ret != 0 ) 
@@ -248,12 +247,12 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen, ext_rep ); - if ( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) + if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) conv_ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m ); cleanup: - if ( ret == 0 ) + if( ret == 0 ) ret = conv_ret; return ( ret ); diff --git a/library/bignum_mod.h b/library/bignum_mod.h index 67c48498e1..ae486b9b6a 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h @@ -82,9 +82,7 @@ typedef struct { * and interpreted according to the value of the `m->int_rep` field. * * The modulus \p m will be the modulus associated with \p r. The residue \p r - * should only be used in operations where the modulus is \p m or a modulus - * equivalent to \p m (in the sense that all their fields or memory pointed to by - * their fields hold the same value). + * should only be used in operations where the modulus is \p m. * * \param[out] r The address of the residue to setup. * \param[in] m The address of the modulus related to \p r. @@ -96,7 +94,7 @@ typedef struct { * pointed to by `m->p`) and already in the representation * indicated by `m->int_rep`. * \param p_limbs The number of limbs of \p p. Must be the same as the number - * of limbs in the modulus \p m.) + * of limbs in the modulus \p m. * * \return \c 0 if successful. * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the @@ -219,7 +217,7 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, * based on the value of `m->int_rep` field. * * \warning If the buffer is smaller than `m->bits`, the number of - * leading zeroes is leaked through side channels. If \p r is + * leading zeroes is leaked through timing. If \p r is * secret, the caller must ensure that \p buflen is at least * (`m->bits`+7)/8. * From e7190a2960d2071b96246808f7f76996bdb61592 Mon Sep 17 00:00:00 2001 
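Review bot: The mbedtls_mpi_mod_write warning now names only timing, which is narrower than the "side channels" wording it replaces; if mbedtls_mpi_mod_raw_write's handling of leading zeroes depends on their count (its body is not visible here), memory-access patterns or power traces reveal the same information, and a reader may conclude that a constant-time build alone closes the leak. Keeping the broader term and giving timing as the example preserves the precision without understating the risk: `* leading zeroes is leaked through side channels (e.g. timing). If \p r is`. The rest of this function's documentation lies outside the hunk.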
From: Janos Follath Date: Sat, 26 Nov 2022 18:46:54 +0000 Subject: [PATCH 384/413] mpi_mod_io_neg: fix use of uninitialized value Uninitialized values are invalid for the tested functions and we shouldn't be testing that. Signed-off-by: Janos Follath --- tests/suites/test_suite_bignum_mod.function | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index 8fdd7b986f..a941cb6422 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -120,8 +120,7 @@ void mpi_mod_io_neg( char * input_N, data_t * buf, int ret ) mbedtls_mpi_uint *R = NULL; mbedtls_mpi_mod_modulus m; - mbedtls_mpi_mod_residue r; - mbedtls_mpi_mod_residue rn = { NULL, 0 }; + mbedtls_mpi_mod_residue r = { NULL, 0 }; mbedtls_mpi_mod_ext_rep endian = MBEDTLS_MPI_MOD_EXT_REP_LE; mbedtls_mpi_mod_modulus_init( &m ); 
@@ -131,22 +130,24 @@ void mpi_mod_io_neg( char * input_N, data_t * buf, int ret ) size_t r_limbs = n_limbs; ASSERT_ALLOC( R, r_limbs ); - /* modulo->p == NULL || residue->p == NULL ( m has not been set-up ) */ + /* modulus->p == NULL || residue->p == NULL ( m has not been set-up ) */ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) ); + /* Set up modulus and test with residue->p == NULL */ TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) ); - TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) ); - /* modulo->p == NULL || residue->p == NULL ( m has been set-up ) */ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_read( &rn, &m, buf->x, buf->len, endian ) ); + mbedtls_mpi_mod_read( &r, &m, buf->x, buf->len, endian ) ); TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA, - mbedtls_mpi_mod_write( &rn, &m, buf->x, buf->len, endian ) ); + mbedtls_mpi_mod_write( &r, &m, buf->x, buf->len, endian ) ); + + /* Do the rest of the tests with a residue set up with the input data */ + TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &r, &m, R , r_limbs ) ); /* Fail for r_limbs < m->limbs */ r.limbs--; From 290f01b3f54a16045be201699becda8f500eebd5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 27 Nov 2022 21:28:31 +0100 Subject: [PATCH 385/413] Fix dangling freed pointer on error in pkcs7_get_signers_info_set This fixes a use-after-free in PKCS#7 parsing when the signer data is malformed. Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53798). 
Signed-off-by: Gilles Peskine --- library/pkcs7.c | 5 +++-- ...t-missing_free-fuzz_pkcs7-6213931373035520.der | Bin 0 -> 108 bytes tests/suites/test_suite_pkcs7.data | 3 +++ 3 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der diff --git a/library/pkcs7.c b/library/pkcs7.c index ca0170a6dc..783aaa2887 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -430,15 +430,16 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, goto out; cleanup: - signer = signers_set->next; pkcs7_free_signer_info( signers_set ); - while( signer ) + signer = signers_set->next; + while( signer != NULL ) { prev = signer; signer = signer->next; pkcs7_free_signer_info( prev ); mbedtls_free( prev ); } + signers_set->next = NULL; out: return( ret ); diff --git a/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der b/tests/data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der new file mode 100644 index 0000000000000000000000000000000000000000..ce4fb3bd49fdaf0ccd10069af549eb55ec9554fe GIT binary patch literal 108 zcmXrWVq#=8FQ)N1o+`_9YA&S>avAPZDrz-_=`$Y#L8#=y+L V!~mq36ch}Y*cezC2uLd+0|0Qt3R(aF literal 0 HcmV?d00001 diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 4f81b6f283..5ecfb91119 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
@@ -62,6 +62,9 @@ PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2 depends_on:MBEDTLS_SHA256_C pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO +pkcs7_get_signers_info_set error handling (6213931373035520) +pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + PKCS7 Only Signed Data Parse Pass #15 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA From 2336555444a7fe4e0efc20f8017af914d7b5869c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 27 Nov 2022 21:30:58 +0100 Subject: [PATCH 386/413] Improve test failure reporting Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pkcs7.function | 48 +++++++++++++------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index e3961407d5..f938f42373 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -26,10 +26,10 @@ void pkcs7_parse( char *pkcs7_file, int res_expect ) mbedtls_pkcs7_init( &pkcs7 ); res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == res_expect ); + TEST_EQUAL( res, res_expect ); exit: mbedtls_free( pkcs7_buf ); 
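Review bot: The new case only pins the return code `MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`; the use-after-free this commit fixes changes no observable result, so a plain test-suite run passes on the unfixed code and the case only guards the bug when the suite is run under ASan or Valgrind. A comment line on the entry would keep that purpose from being lost, e.g. `# Regression for OSS-Fuzz 53798 (dangling pointer in cleanup); only meaningful under ASan/Valgrind.`. Unlike the neighbouring entries this one has no `depends_on:` line, which looks intentional since parsing fails before any digest is needed, but is worth confirming.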
@@ -60,16 +60,16 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_has mbedtls_x509_crt_init( &x509 ); res = mbedtls_x509_crt_parse_file( &x509, crt ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); + TEST_EQUAL( res, MBEDTLS_PKCS7_SIGNED_DATA ); res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); file = fopen( filetobesigned, "rb" ); TEST_ASSERT( file != NULL ); @@ -79,18 +79,18 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_has TEST_ASSERT( data != NULL ); buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen ); + TEST_EQUAL( buflen, datalen ); fclose( file ); if( do_hash_alg ) { res = mbedtls_oid_get_md_alg( &pkcs7.signed_data.digest_alg_identifiers, &md_alg ); - TEST_ASSERT( res == 0 ); - TEST_ASSERT( md_alg == (mbedtls_md_type_t) do_hash_alg ); + TEST_EQUAL( res, 0 ); + TEST_EQUAL( md_alg, (mbedtls_md_type_t) do_hash_alg ); md_info = mbedtls_md_info_from_type( md_alg ); res = mbedtls_md( md_info, data, datalen, hash ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) ); } @@ -98,7 +98,7 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_has { res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); } - TEST_ASSERT( res == res_expect ); + TEST_EQUAL( res, res_expect ); exit: mbedtls_x509_crt_free( &x509 ); 
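Review bot: `TEST_EQUAL( buflen, datalen );` jumps to `exit` on failure before the `fclose( file );` that follows it, so a short read leaks the FILE handle in the failure path; the same ordering appears in pkcs7_verify_multiple_signers. Swapping the two lines — `fclose( file );` then `TEST_EQUAL( buflen, datalen );` — closes the handle unconditionally, or `file` can be closed at `exit` behind a NULL check. The enclosing test function starts and ends outside this hunk.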
@@ -134,21 +134,21 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch mbedtls_x509_crt_init( &x509_2 ); res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); + TEST_EQUAL( res, MBEDTLS_PKCS7_SIGNED_DATA ); - TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 ); + TEST_EQUAL( pkcs7.signed_data.no_of_signers, 2 ); res = mbedtls_x509_crt_parse_file( &x509_1, crt1 ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); res = mbedtls_x509_crt_parse_file( &x509_2, crt2 ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); file = fopen( filetobesigned, "rb" ); TEST_ASSERT( file != NULL ); 
@@ -156,32 +156,32 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch datalen = st.st_size; ASSERT_ALLOC( data, datalen ); buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen ); + TEST_EQUAL( buflen, datalen ); fclose( file ); if( do_hash_alg ) { res = mbedtls_oid_get_md_alg( &pkcs7.signed_data.digest_alg_identifiers, &md_alg ); - TEST_ASSERT( res == 0 ); - TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + TEST_EQUAL( res, 0 ); + TEST_EQUAL( md_alg, MBEDTLS_MD_SHA256 ); md_info = mbedtls_md_info_from_type( md_alg ); res = mbedtls_md( md_info, data, datalen, hash ); - TEST_ASSERT( res == 0 ); + TEST_EQUAL( res, 0 ); res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash) ); - TEST_ASSERT( res == res_expect ); + TEST_EQUAL( res, res_expect ); } else { res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen ); - TEST_ASSERT( res == res_expect ); + TEST_EQUAL( res, res_expect ); } res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); - TEST_ASSERT( res == res_expect ); + TEST_EQUAL( res, res_expect ); exit: mbedtls_x509_crt_free( &x509_1 ); From 391005cb3b2b195636570108dba30cf71894a7d6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 27 Nov 2022 21:32:37 +0100 Subject: [PATCH 387/413] Fix structures initialized too late in tests Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pkcs7.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index f938f42373..3d7dec6864 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function 
@@ -54,11 +54,11 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_has mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; - USE_PSA_INIT(); - mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); + USE_PSA_INIT(); + res = mbedtls_x509_crt_parse_file( &x509, crt ); TEST_EQUAL( res, 0 ); @@ -127,12 +127,12 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch mbedtls_x509_crt x509_1; mbedtls_x509_crt x509_2; - USE_PSA_INIT(); - mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509_1 ); mbedtls_x509_crt_init( &x509_2 ); + USE_PSA_INIT(); + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); TEST_EQUAL( res, 0 ); From 47a732635bfeb5c6a5b4260ccc2b841a00c71512 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 27 Nov 2022 21:46:56 +0100 Subject: [PATCH 388/413] Simplify control flow in PKCS7 functions Remove useless goto in several functions. Signed-off-by: Gilles Peskine --- library/pkcs7.c | 106 ++++++++++++++++++------------------------------ 1 file changed, 39 insertions(+), 67 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 783aaa2887..c1446def77 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -103,15 +103,13 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) { *p = start; - ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ); - goto out; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ) ); } ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); if( ret != 0 ) { *p = start; - ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ); - goto out; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ) ); } pkcs7->tag = MBEDTLS_ASN1_OID; @@ -119,7 +117,6 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, pkcs7->p = *p; *p += len; -out: return( ret ); } 
@@ -153,8 +150,7 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, | MBEDTLS_ASN1_SET ); if( ret != 0 ) { - ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); - goto out; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ) ); } end = *p + len; @@ -162,16 +158,14 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, ret = mbedtls_asn1_get_alg_null( p, end, alg ); if( ret != 0 ) { - ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); - goto out; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ) ); } /** For now, it assumes there is only one digest algorithm specified **/ if ( *p != end ) - ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + return( MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE ); -out: - return( ret ); + return( 0 ); } /** @@ -195,10 +189,9 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) { if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) - ret = 0; + return( 0 ); else - ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); - goto out; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ) ); } start = *p; end_set = *p + len1; @@ -207,8 +200,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) { - ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CERT, ret ); - goto out; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CERT, ret ) ); } end_cert = *p + len2; @@ -221,15 +213,13 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, */ if ( end_cert != end_set ) { - ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; - goto out; + return( MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE ); } *p = start; if( ( ret = mbedtls_x509_crt_parse_der( certs, *p, len1 ) ) < 0 ) { - ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; - goto out; + return( MBEDTLS_ERR_PKCS7_INVALID_CERT ); } *p = *p + len1; 
@@ -238,10 +228,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, * Since in this version we strictly support single certificate, and reaching * here implies we have parsed successfully, we return 1. */ - ret = 1; - -out: - return( ret ); + return( 1 ); } /** @@ -255,7 +242,7 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OCTET_STRING ); if( ret != 0 ) - goto out; + return( ret ); signature->tag = MBEDTLS_ASN1_OCTET_STRING; signature->len = len; @@ -263,8 +250,7 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, *p = *p + len; -out: - return( ret ); + return( 0 ); } /** @@ -382,34 +368,32 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int count = 0; size_t len = 0; - mbedtls_pkcs7_signer_info *signer, *prev; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ); if( ret != 0 ) { - ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, ret ); - goto out; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, ret ) ); } /* Detect zero signers */ if( len == 0 ) { - ret = 0; - goto out; + return( 0 ); } end_set = *p + len; ret = pkcs7_get_signer_info( p, end_set, signers_set ); if( ret != 0 ) - goto out; + return( ret ); count++; - prev = signers_set; + mbedtls_pkcs7_signer_info *prev = signers_set; while( *p != end_set ) { - signer = mbedtls_calloc( 1, sizeof( mbedtls_pkcs7_signer_info ) ); + mbedtls_pkcs7_signer_info *signer = + mbedtls_calloc( 1, sizeof( mbedtls_pkcs7_signer_info ) ); if( !signer ) { ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; 
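Review bot: In pkcs7_get_signers_info_set the loop allocates `signer` with mbedtls_calloc before parsing it, but whether it is linked into `prev->next` before or after `pkcs7_get_signer_info` runs on it falls between this hunk and the next; if the link happens only on success, a parse failure for a second or later signer leaks that allocation, because `cleanup:` only walks the list starting at `signers_set->next`. Linking first (`prev->next = signer;` right after the NULL check) lets cleanup own the node, otherwise that failure path must free `signer` itself. The function continues in the next hunk, so this is inferred from the cleanup code rather than observed.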
@@ -426,12 +410,11 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, count++; } - ret = count; - goto out; + return( count ); cleanup: pkcs7_free_signer_info( signers_set ); - signer = signers_set->next; + mbedtls_pkcs7_signer_info *signer = signers_set->next; while( signer != NULL ) { prev = signer; @@ -440,8 +423,6 @@ cleanup: mbedtls_free( prev ); } signers_set->next = NULL; - -out: return( ret ); } @@ -471,8 +452,7 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) { - ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); - goto out; + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ) ); } end_set = p + len; @@ -480,37 +460,35 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, /* Get version of signed data */ ret = pkcs7_get_version( &p, end_set, &signed_data->version ); if( ret != 0 ) - goto out; + return( ret ); /* Get digest algorithm */ ret = pkcs7_get_digest_algorithm_set( &p, end_set, &signed_data->digest_alg_identifiers ); if( ret != 0 ) - goto out; + return( ret ); ret = mbedtls_oid_get_md_alg( &signed_data->digest_alg_identifiers, &md_alg ); if( ret != 0 ) { - ret = MBEDTLS_ERR_PKCS7_INVALID_ALG; - goto out; + return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); } /* Do not expect any content */ ret = pkcs7_get_content_info_type( &p, end_set, &signed_data->content.oid ); if( ret != 0 ) - goto out; + return( ret ); if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid ) ) { - ret = MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; - goto out; + return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO ); } /* Look for certificates, there may or may not be any */ mbedtls_x509_crt_init( &signed_data->certs ); ret = pkcs7_get_certificates( &p, end_set, &signed_data->certs ); if( ret < 0 ) - goto out; + return( ret ); signed_data->no_of_certs = ret; 
@@ -525,18 +503,15 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, /* Get signers info */ ret = pkcs7_get_signers_info_set( &p, end_set, &signed_data->signers ); if( ret < 0 ) - goto out; + return( ret ); signed_data->no_of_signers = ret; /* Don't permit trailing data */ if ( p != end ) - ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; - else - ret = 0; + return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT ); -out: - return( ret ); + return( 0 ); } int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, @@ -548,10 +523,9 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int isoidset = 0; - if( !pkcs7 ) + if( pkcs7 == NULL ) { - ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; - goto out; + return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); } /* make an internal copy of the buffer for parsing */ @@ -631,15 +605,13 @@ static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7, if( pkcs7->signed_data.no_of_signers == 0 ) { - ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; - goto out; + return( MBEDTLS_ERR_PKCS7_INVALID_CERT ); } if( mbedtls_x509_time_is_past( &cert->valid_to ) || mbedtls_x509_time_is_future( &cert->valid_from )) { - ret = MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID; - goto out; + return( MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID ); } /* @@ -673,9 +645,9 @@ static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7, hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); if( hash == NULL ) { - ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; - goto out; + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); } + /* BEGIN must free hash before jumping out */ if( is_data_hash ) { if( datalen != mbedtls_md_get_size( md_info )) 
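Review bot: In mbedtls_pkcs7_data_or_hash_verify the `return( MBEDTLS_ERR_PKCS7_INVALID_CERT );` for `no_of_signers == 0` reports a certificate problem for what is actually a SignedData with an empty signerInfos set, so a caller branching on the code, or someone reading a log, is pointed at the wrong object. The behaviour predates this commit, but since the line is being rewritten it is the moment to either return `MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO` or, if callers depend on the current value, add `/* No signerInfos: nothing to verify, reported as INVALID_CERT for compatibility */`. The remainder of the function is in the following hunks.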
@@ -698,12 +670,12 @@ static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7, mbedtls_md_get_size( md_info ), signer->sig.p, signer->sig.len ); mbedtls_free( hash ); + /* END must free hash before jumping out */ if( ret == 0 ) break; } -out: return( ret ); } int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, From e7f8c616d0b9388fd20ffd6c9730ea8188f27716 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 27 Nov 2022 21:51:19 +0100 Subject: [PATCH 389/413] Fix dangling freed pointer in pkcs7_free_signer_info This may have been a use-after-free, but I haven't worked out whether it was a problem or not. Even if it turns out to have been ok, keeping invalid pointers around is fragile. Signed-off-by: Gilles Peskine --- library/pkcs7.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/pkcs7.c b/library/pkcs7.c index c1446def77..fc6dd33f3d 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -353,6 +353,7 @@ static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer ) name_cur = name_cur->next; mbedtls_free( name_prv ); } + signer->issuer.next = NULL; } /** From 4f01121f6e598c51e42a69f3fd9a54846013117a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 27 Nov 2022 22:02:10 +0100 Subject: [PATCH 390/413] Fix memory leak on error in pkcs7_get_signers_info_set mbedtls_x509_name allocates memory, which must be freed if there is a subsequent error. Credit to OSS-Fuzz (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53811). Signed-off-by: Gilles Peskine --- library/pkcs7.c | 2 +- ..._info_set-leak-fuzz_pkcs7-4541044530479104.der | Bin 0 -> 108 bytes tests/suites/test_suite_pkcs7.data | 3 +++ 3 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der diff --git a/library/pkcs7.c b/library/pkcs7.c index fc6dd33f3d..e4238b6a38 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c 
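Review bot: The `/* END must free hash before jumping out */` marker, with its `BEGIN` counterpart in the previous hunk, documents a hazard that exists only because `hash` appears to be allocated inside the per-signer loop and released at the bottom of each iteration (the `mbedtls_free( hash )` sits just before `break`). Hoisting the single `mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 )` above the loop and freeing it once after it removes the hazard instead of annotating it, and avoids one allocation per signer; `md_info` does not change between iterations as far as these hunks show. The loop header is outside this hunk, so the allocation site is inferred rather than seen.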
@@ -387,7 +387,7 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, ret = pkcs7_get_signer_info( p, end_set, signers_set ); if( ret != 0 ) - return( ret ); + goto cleanup; count++; mbedtls_pkcs7_signer_info *prev = signers_set; diff --git a/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der b/tests/data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der new file mode 100644 index 0000000000000000000000000000000000000000..51aef0d0929043a6c080846758c96bf08a945216 GIT binary patch literal 108 zcmXrWVq#=8FQ)N1o+`_9YA&S+?7APZDrz-_=`$Y#L8#=yhC l!~mq36ch}Y*cezCVA3LnLJ(;XDFadhBo)BmKZH_H004ib3yc5& literal 0 HcmV?d00001 diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 5ecfb91119..c329a771ee 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -65,6 +65,9 @@ pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PK pkcs7_get_signers_info_set error handling (6213931373035520) pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +pkcs7_get_signers_info_set error handling (4541044530479104) +pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + PKCS7 Only Signed Data Parse Pass #15 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA From a6ab9d8b12b836faf1cd58fc283b5879a6d5b333 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 28 Nov 2022 03:55:27 -0500 Subject: [PATCH 391/413] Add a changelog entry explaining usage of PSA in TLS 1.2 EC J-PAKE 
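Review bot: The new `goto cleanup` jumps forward over the initialized declaration `mbedtls_pkcs7_signer_info *prev = signers_set;` a few lines below, so `prev` is indeterminate at `cleanup:`; the cleanup loop currently assigns `prev = signer` before every read, so this is valid C99, but it is the pattern `-Wjump-misses-init` exists to flag and a later edit that reads `prev` first would be undefined behaviour. Declaring `prev` and `signer` with the other locals at the top of the function, as the code did before the control-flow simplification, keeps the goto-based cleanup robust. The `cleanup:` label itself is outside this hunk.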
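Review bot: The new entry `pkcs7_get_signers_info_set error handling (4541044530479104)` references `data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der`, the file of the preceding case, while the file this commit adds is `pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der`; as written the leak reproducer is never parsed and the case merely duplicates the 6213931373035520 one. The line should read `pkcs7_parse:"data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der":<expected>`, with the expected error re-derived from that file rather than copied along with the wrong path. As with the previous case, the leak is only detectable under ASan/Valgrind, not through the return code.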
Signed-off-by: Andrzej Kurek --- ChangeLog.d/ecjpake-in-tls.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/ecjpake-in-tls.txt diff --git a/ChangeLog.d/ecjpake-in-tls.txt b/ChangeLog.d/ecjpake-in-tls.txt new file mode 100644 index 0000000000..b84caab861 --- /dev/null +++ b/ChangeLog.d/ecjpake-in-tls.txt @@ -0,0 +1,5 @@ +Features + * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API. + Additional PSA key slots will be allocated in the process of such key + exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and + MBEDTLS_USE_PSA_CRYPTO. From 84a6edac10ef263c030c957716cd7b69430388e3 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Nov 2022 11:17:35 +0800 Subject: [PATCH 392/413] change signature of get_cipher_key_info - it is a static function. The name is not follow nameing ruler - move the position. Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 66 ++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index ec84a996cc..1b76996bce 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -1052,6 +1052,35 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, return( 0 ); } +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_get_cipher_key_info( + const mbedtls_ssl_ciphersuite_t *ciphersuite_info, + size_t *key_len, size_t *iv_len ) +{ + psa_key_type_t key_type; + psa_algorithm_t alg; + size_t taglen; + size_t key_bits; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) + taglen = 8; + else + taglen = 16; + + status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen, + &alg, &key_type, &key_bits ); + if( status != PSA_SUCCESS ) + return psa_ssl_status_to_mbedtls( status ); + + *key_len = PSA_BITS_TO_BYTES( key_bits ); + + /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */ + *iv_len = 12; + + return 0; +} + int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 
@@ -1098,35 +1127,6 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) return( 0 ); } -MBEDTLS_CHECK_RETURN_CRITICAL -static int mbedtls_ssl_tls13_get_cipher_key_info( - const mbedtls_ssl_ciphersuite_t *ciphersuite_info, - size_t *key_len, size_t *iv_len ) -{ - psa_key_type_t key_type; - psa_algorithm_t alg; - size_t taglen; - size_t key_bits; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) - taglen = 8; - else - taglen = 16; - - status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen, - &alg, &key_type, &key_bits ); - if( status != PSA_SUCCESS ) - return psa_ssl_status_to_mbedtls( status ); - - *key_len = PSA_BITS_TO_BYTES( key_bits ); - - /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */ - *iv_len = 12; - - return 0; -} - /* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, @@ -1150,11 +1150,11 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); - ret = mbedtls_ssl_tls13_get_cipher_key_info( ciphersuite_info, + ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); return ret; } 
@@ -1370,11 +1370,11 @@ int mbedtls_ssl_tls13_generate_application_keys( /* Extract basic information about hash and ciphersuite */ - ret = mbedtls_ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, + ret = ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); goto cleanup; } From 3d9b590f0281e90d23ce6e8017d1826a7f6fb26b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Nov 2022 14:07:25 +0800 Subject: [PATCH 393/413] guards transform_earlydata Signed-off-by: Jerry Yu --- library/ssl_misc.h | 14 +++++++------- library/ssl_tls.c | 6 +++++- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 1902d715d2..32e2b16d7e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -890,13 +890,6 @@ struct mbedtls_ssl_handshake_params uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages. - * Those pointers own the transforms they reference. */ - mbedtls_ssl_transform *transform_handshake; - mbedtls_ssl_transform *transform_earlydata; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - /* * Checksum contexts */ @@ -981,6 +974,8 @@ struct mbedtls_ssl_handshake_params unsigned char *certificate_request_context; #endif + /** TLS 1.3 transform for encrypted handshake messages. */ + mbedtls_ssl_transform *transform_handshake; union { unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE]; 
@@ -989,6 +984,11 @@ struct mbedtls_ssl_handshake_params } tls13_master_secrets; mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_tls13_early_secrets tls13_early_secrets; + /** TLS 1.3 transform for 0-RTT application and handshake messages. */ + mbedtls_ssl_transform *transform_earlydata; +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3d3491bc6c..83f2b3c3ee 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1447,9 +1447,11 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, if( ssl->handshake != NULL ) { +#if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata ); mbedtls_free( ssl->handshake->transform_earlydata ); ssl->handshake->transform_earlydata = NULL; +#endif mbedtls_ssl_transform_free( ssl->handshake->transform_handshake ); mbedtls_free( ssl->handshake->transform_handshake ); @@ -4067,9 +4069,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_transform_free( handshake->transform_handshake ); + mbedtls_free( handshake->transform_handshake ); +#if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_transform_free( handshake->transform_earlydata ); mbedtls_free( handshake->transform_earlydata ); - mbedtls_free( handshake->transform_handshake ); +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ From 91b560f38daa0e3d3ff740885c0a9c6ebb6104dc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Nov 2022 14:10:34 +0800 Subject: [PATCH 394/413] Add compute early transform Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 150 +++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 17 +++++ 2 files changed, 167 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 1b76996bce..f1791810e2 100644 --- a/library/ssl_tls13_keys.c 
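Review bot: Moving `transform_earlydata` (and the new `tls13_early_secrets`) under `MBEDTLS_SSL_EARLY_DATA` in ssl_misc.h changes the handshake struct for builds with TLS 1.3 on and early data off, yet the diffstat touches only ssl_misc.h and ssl_tls.c; any other reference to `handshake->transform_earlydata` elsewhere in the library would now fail to compile in that configuration, so it is worth confirming with an `MBEDTLS_SSL_PROTO_TLS1_3` + `!MBEDTLS_SSL_EARLY_DATA` build. The two ssl_tls.c hunks are consistent with the new guard. In `mbedtls_ssl_handshake_free` neither pointer is reset to NULL after `mbedtls_free`, unlike in `mbedtls_ssl_session_reset_msg_layer`; that is only safe if the caller discards or zeroizes the whole handshake struct afterwards, which is outside the hunk.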
+++ b/library/ssl_tls13_keys.c 
@@ -1081,6 +1081,156 @@ static int ssl_tls13_get_cipher_key_info( return 0; } +#if defined(MBEDTLS_SSL_EARLY_DATA) +/* ssl_tls13_generate_early_keys() generates keys necessary for protecting + * the early app data messages described in section 7 RFC 8446. */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + mbedtls_md_type_t md_type; + + psa_algorithm_t hash_alg; + size_t hash_len; + + unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; + size_t transcript_len; + + size_t key_len, iv_len; + + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; + mbedtls_ssl_tls13_early_secrets *tls13_early_secrets = &handshake->tls13_early_secrets; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_keys" ) ); + + ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); + return ret; + } + + md_type = ciphersuite_info->mac; + + hash_alg = mbedtls_hash_info_psa_from_md( ciphersuite_info->mac ); + hash_len = PSA_HASH_LENGTH( hash_alg ); + + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, + transcript, + sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_get_handshake_transcript", + ret ); + return( ret ); + } + + ret = mbedtls_ssl_tls13_derive_early_secrets( hash_alg, + handshake->tls13_master_secrets.early, + transcript, transcript_len, tls13_early_secrets ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_derive_early_secrets", ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_BUF( + 4, "Client early traffic secret", + tls13_early_secrets->client_early_traffic_secret, + hash_len ); + + /* + * Export client handshake traffic secret + */ + if( 
ssl->f_export_keys != NULL ) + { + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, + tls13_early_secrets->client_early_traffic_secret, + hash_len, + handshake->randbytes, + handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + } + + ret = mbedtls_ssl_tls13_make_traffic_keys( hash_alg, + tls13_early_secrets->client_early_traffic_secret, + tls13_early_secrets->client_early_traffic_secret, + hash_len, key_len, iv_len, traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); + goto exit; + } + + MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake write_key", + traffic_keys->client_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake write_iv", + traffic_keys->client_write_iv, + traffic_keys->iv_len); + + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_keys" ) ); + +exit: + + return( ret ); +} + +int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_key_set traffic_keys; + mbedtls_ssl_transform *transform_earlydata = NULL; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + /* Next evolution in key schedule: Establish early_data secret and + * key material. 
*/ + ret = ssl_tls13_generate_early_keys( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_keys", + ret ); + goto cleanup; + } + + transform_earlydata = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); + if( transform_earlydata == NULL ) + { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto cleanup; + } + + ret = mbedtls_ssl_tls13_populate_transform( + transform_earlydata, + ssl->conf->endpoint, + ssl->session_negotiate->ciphersuite, + &traffic_keys, + ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); + goto cleanup; + } + handshake->transform_earlydata = transform_earlydata; + +cleanup: + mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); + if( ret != 0 ) + mbedtls_free( transform_earlydata ); + + return( ret ); +} +#endif /* MBEDTLS_SSL_EARLY_DATA */ + int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 966b5c5e4b..81414d84f8 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -667,6 +667,23 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, size_t *actual_len, int which ); +#if defined(MBEDTLS_SSL_EARLY_DATA) +/** + * \brief Compute TLS 1.3 early transform + * + * \param ssl The SSL context to operate on. The early secret must have been + * computed. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + * + * \warning `early_secrets` is not computation. Caller MUST call + * mbedtls_ssl_tls13_key_schedule_stage_early() before this function. + */ +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ); +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /** * \brief Compute TLS 1.3 handshake transform * From b094e124f2bdf5c05aee52cb61c9e61880900eb7 Mon Sep 17 00:00:00 2001 
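Review bot: The comment `/* Export client handshake traffic secret */` above the `ssl->f_export_keys` call in `ssl_tls13_generate_early_keys` names the wrong secret; the call exports `client_early_traffic_secret` under `MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET`, so it should read `/* Export client early traffic secret */`, and the `MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */` argument should be resolved or tracked in an issue rather than left as an inline TODO. In `mbedtls_ssl_tls13_compute_early_transform`, the cleanup path after a failed `mbedtls_ssl_tls13_populate_transform` only calls `mbedtls_free( transform_earlydata )`; if populate_transform can leave keys or cipher contexts partially set up inside the transform (its body is not visible here), `mbedtls_ssl_transform_free( transform_earlydata )` should precede the free, as is done for the handshake transform in ssl_tls.c. The assignment `handshake->transform_earlydata = transform_earlydata;` also overwrites any transform already stored there without freeing it, so the previous one leaks if this function can run twice in one handshake. The early `return ret` paths in `ssl_tls13_generate_early_keys` leave the early secrets and transcript in memory; PATCH 400 later in this series erases them.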
From: Jerry Yu Date: Mon, 21 Nov 2022 13:03:47 +0800 Subject: [PATCH 395/413] fix various issues - Alignments - comment words in doxygen paragraph Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 49 +++++++++++++++++++--------------------- library/ssl_tls13_keys.h | 8 +++---- 2 files changed, 27 insertions(+), 30 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index f1791810e2..8f2a74e87d 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1082,8 +1082,8 @@ static int ssl_tls13_get_cipher_key_info( } #if defined(MBEDTLS_SSL_EARLY_DATA) -/* ssl_tls13_generate_early_keys() generates keys necessary for protecting - * the early app data messages described in section 7 RFC 8446. */ +/* ssl_tls13_generate_early_keys() generates keys necessary for protecting the + early application and handshake messages described in section 7 RFC 8446. */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ) @@ -1130,9 +1130,9 @@ static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, return( ret ); } - ret = mbedtls_ssl_tls13_derive_early_secrets( hash_alg, - handshake->tls13_master_secrets.early, - transcript, transcript_len, tls13_early_secrets ); + ret = mbedtls_ssl_tls13_derive_early_secrets( + hash_alg, handshake->tls13_master_secrets.early, + transcript, transcript_len, tls13_early_secrets ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 
@@ -1142,27 +1142,28 @@ static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "Client early traffic secret", - tls13_early_secrets->client_early_traffic_secret, - hash_len ); + tls13_early_secrets->client_early_traffic_secret, hash_len ); /* * Export client handshake traffic secret */ if( ssl->f_export_keys != NULL ) { - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, - tls13_early_secrets->client_early_traffic_secret, - hash_len, - handshake->randbytes, - handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + ssl->f_export_keys( + ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, + tls13_early_secrets->client_early_traffic_secret, + hash_len, + handshake->randbytes, + handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); } - ret = mbedtls_ssl_tls13_make_traffic_keys( hash_alg, - tls13_early_secrets->client_early_traffic_secret, - tls13_early_secrets->client_early_traffic_secret, - hash_len, key_len, iv_len, traffic_keys ); + ret = mbedtls_ssl_tls13_make_traffic_keys( + hash_alg, + tls13_early_secrets->client_early_traffic_secret, + tls13_early_secrets->client_early_traffic_secret, + hash_len, key_len, iv_len, traffic_keys ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); @@ -1283,16 +1284,13 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_type_t md_type; - psa_algorithm_t hash_alg; size_t hash_len; - unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - - size_t key_len, iv_len; + size_t key_len; + size_t iv_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; 
@@ -1300,8 +1298,7 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); - ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, - &key_len, &iv_len ); + ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); @@ -1521,7 +1518,7 @@ int mbedtls_ssl_tls13_generate_application_keys( /* Extract basic information about hash and ciphersuite */ ret = ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, - &key_len, &iv_len ); + &key_len, &iv_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 81414d84f8..5d9b570ac1 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -671,14 +671,14 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, /** * \brief Compute TLS 1.3 early transform * - * \param ssl The SSL context to operate on. The early secret must have been - * computed. + * \param ssl The SSL context to operate on. * * \returns \c 0 on success. * \returns A negative error code on failure. * - * \warning `early_secrets` is not computation. Caller MUST call - * mbedtls_ssl_tls13_key_schedule_stage_early() before this function. + * \warning `early_secrets` is not computed before this function. Call + * mbedtls_ssl_tls13_key_schedule_stage_early() to generate early + * secrets. */ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ); From 3ce61ffca66ece6e48efb15ff674ca3329c80cc5 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 21 Nov 2022 22:45:58 +0800 Subject: [PATCH 396/413] fix comments and function name issues 
Signed-off-by: Jerry Yu --- library/ssl_misc.h | 2 +- library/ssl_tls13_keys.c | 28 +++++++++++++++++----------- library/ssl_tls13_keys.h | 10 +++++++--- 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 32e2b16d7e..53d50f23c1 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -986,7 +986,7 @@ struct mbedtls_ssl_handshake_params mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; #if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_tls13_early_secrets tls13_early_secrets; - /** TLS 1.3 transform for 0-RTT application and handshake messages. */ + /** TLS 1.3 transform for early data and handshake messages. */ mbedtls_ssl_transform *transform_earlydata; #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 8f2a74e87d..da4e5da35e 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1082,11 +1082,18 @@ static int ssl_tls13_get_cipher_key_info( } #if defined(MBEDTLS_SSL_EARLY_DATA) -/* ssl_tls13_generate_early_keys() generates keys necessary for protecting the - early application and handshake messages described in section 7 RFC 8446. */ +/* + * ssl_tls13_generate_early_key() generates the key necessary for protecting + * the early application data and the EndOfEarlyData handshake message + * as described in section 7 of RFC 8446. + * + * NOTE: That only one key is generated, the key for the traffic from the + * client to the server. The TLS 1.3 specification does not define a secret + * and thus a key for server early traffic. + */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, - mbedtls_ssl_key_set *traffic_keys ) +static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 
@@ -1104,7 +1111,7 @@ static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; mbedtls_ssl_tls13_early_secrets *tls13_early_secrets = &handshake->tls13_early_secrets; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_keys" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_key" ) ); ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) @@ -1170,16 +1177,15 @@ static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, goto exit; } - MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake write_key", + MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_key", traffic_keys->client_write_key, traffic_keys->key_len); - MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake write_iv", + MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_iv", traffic_keys->client_write_iv, traffic_keys->iv_len); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_keys" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) ); exit: @@ -1195,10 +1201,10 @@ int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) /* Next evolution in key schedule: Establish early_data secret and * key material. */ - ret = ssl_tls13_generate_early_keys( ssl, &traffic_keys ); + ret = ssl_tls13_generate_early_key( ssl, &traffic_keys ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_keys", + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_key", ret ); goto cleanup; } diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 5d9b570ac1..fc64737cd3 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -676,9 +676,13 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, * \returns \c 0 on success. * \returns A negative error code on failure. * - * \warning `early_secrets` is not computed before this function. Call - * mbedtls_ssl_tls13_key_schedule_stage_early() to generate early - * secrets. + * \warning The function does not compute the early master secret. Call + * mbedtls_ssl_tls13_key_schedule_stage_early() before to + * call this function to generate the early master secret. + * \note For a client/server endpoint, the function computes only the + * encryption/decryption part of the transform as the decryption/ + * encryption part is not defined by the specification (no early + * traffic from the server to the client). */ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ); From a8771839e835bad9d9a9a69f6a804310e1954a78 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 21 Nov 2022 23:16:54 +0800 Subject: [PATCH 397/413] Refactor make_traffic_keys Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 66 ++++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 29 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index da4e5da35e..c01da956a5 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -215,6 +215,30 @@ cleanup: return( psa_ssl_status_to_mbedtls ( status ) ); } +static int ssl_tls13_make_traffic_key( + psa_algorithm_t hash_alg, + const unsigned char *secret, size_t secret_len, + unsigned char *key, size_t key_len, + unsigned char *iv, size_t iv_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + secret, secret_len, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), + NULL, 0, + key, key_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + secret, secret_len, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), + NULL, 0, + iv, iv_len ); + return( ret ); +} + /* * The traffic keying material is generated from the following inputs: * @@ -240,35 +264,17 @@ int mbedtls_ssl_tls13_make_traffic_keys( { int ret = 0; - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - client_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), - NULL, 0, - keys->client_write_key, key_len ); + ret = ssl_tls13_make_traffic_key( + hash_alg, client_secret, secret_len, + keys->client_write_key, key_len, + keys->client_write_iv, iv_len ); if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - server_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), - NULL, 0, - keys->server_write_key, key_len ); - if( ret != 0 ) - return( ret ); - - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - client_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), - NULL, 0, - keys->client_write_iv, iv_len ); - if( ret != 0 ) - return( ret ); - - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - server_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), - NULL, 0, - keys->server_write_iv, iv_len ); + ret = ssl_tls13_make_traffic_key( + hash_alg, server_secret, secret_len, + keys->server_write_key, key_len, + keys->server_write_iv, iv_len ); if( ret != 0 ) return( ret ); 
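Review bot: The new static `ssl_tls13_make_traffic_key` has no header comment, while the public `mbedtls_ssl_tls13_make_traffic_keys` it now backs is documented right below it; a short comment would help, e.g. `/* Derive one direction's write key and IV from a traffic secret via HKDF-Expand-Label with the "key" and "iv" labels (RFC 8446 section 7.3). */`. It is also declared without `MBEDTLS_CHECK_RETURN_CRITICAL`, unlike the other static helpers in this file; PATCH 399 in this series adds it, so that can be squashed here. The reordering of the derivations (key then iv per direction instead of both keys then both IVs) does not change the outputs, since each `mbedtls_ssl_tls13_hkdf_expand_label` call depends only on the secret and its label.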
@@ -1166,16 +1172,18 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); } - ret = mbedtls_ssl_tls13_make_traffic_keys( + ret = ssl_tls13_make_traffic_key( hash_alg, tls13_early_secrets->client_early_traffic_secret, - tls13_early_secrets->client_early_traffic_secret, - hash_len, key_len, iv_len, traffic_keys ); + hash_len, traffic_keys->client_write_key, key_len, + traffic_keys->client_write_iv, iv_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); goto exit; } + traffic_keys->key_len = key_len; + traffic_keys->iv_len = iv_len; MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_key", traffic_keys->client_write_key, From e31688b7fa00c6f286c6f02e35b7cc92ec7459c4 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 22 Nov 2022 21:55:56 +0800 Subject: [PATCH 398/413] fix comments issue Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index c01da956a5..57c1843e41 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
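Review bot: After this hunk `traffic_keys->server_write_key` and `server_write_iv` are no longer written by `ssl_tls13_generate_early_key`, but the caller `mbedtls_ssl_tls13_compute_early_transform` declares `mbedtls_ssl_key_set traffic_keys;` on the stack without initialisation and passes the whole set to `mbedtls_ssl_tls13_populate_transform`; unless populate_transform is known to skip the peer direction for early data (its body is not visible here), the decrypt-side key is read from uninitialised memory. Zeroing the set at the start of the helper, `memset( traffic_keys, 0, sizeof( *traffic_keys ) );`, or in the caller before the call, makes the unused direction deterministic and keeps the behaviour stable under memory sanitizers. The debug string `"mbedtls_ssl_tls13_make_traffic_keys"` in the error path is now stale; PATCH 399 corrects it. The enclosing function starts outside the hunk.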
@@ -1090,12 +1090,12 @@ static int ssl_tls13_get_cipher_key_info( #if defined(MBEDTLS_SSL_EARLY_DATA) /* * ssl_tls13_generate_early_key() generates the key necessary for protecting - * the early application data and the EndOfEarlyData handshake message - * as described in section 7 of RFC 8446. + * the early application data and handshake messages as described in section 7 + * of RFC 8446. * - * NOTE: That only one key is generated, the key for the traffic from the - * client to the server. The TLS 1.3 specification does not define a secret - * and thus a key for server early traffic. + * NOTE: Only one key is generated, the key for the traffic from the client to + * the server. The TLS 1.3 specification does not define a secret and thus + * a key for server early traffic. */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, From a5db6c0ce3ab6199f0a38db0138389dd63de1b76 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 23 Nov 2022 18:08:04 +0800 Subject: [PATCH 399/413] fix coding style issues. Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 57c1843e41..43f6ab6816 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -215,6 +215,7 @@ cleanup: return( psa_ssl_status_to_mbedtls ( status ) ); } +MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_make_traffic_key( psa_algorithm_t hash_alg, const unsigned char *secret, size_t secret_len, @@ -1123,7 +1124,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); - return ret; + return( ret ); } md_type = ciphersuite_info->mac; 
@@ -1179,8 +1180,8 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, traffic_keys->client_write_iv, iv_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); - goto exit; + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_make_traffic_key", ret ); + return( 0 ); } traffic_keys->key_len = key_len; traffic_keys->iv_len = iv_len; @@ -1195,9 +1196,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) ); -exit: - - return( ret ); + return( 0 ); } int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) From 3d78e08ac0d05c49fb02ce6a2a1d73b9b2a1f21a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 23 Nov 2022 18:26:20 +0800 Subject: [PATCH 400/413] erase early secrets and transcripts Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 43f6ab6816..3d20ab7303 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1124,7 +1124,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); - return( ret ); + goto cleanup; } md_type = ciphersuite_info->mac; @@ -1141,7 +1141,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret ); - return( ret ); + goto cleanup; } ret = mbedtls_ssl_tls13_derive_early_secrets( @@ -1151,7 +1151,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_early_secrets", ret ); - return( ret ); + goto cleanup; } MBEDTLS_SSL_DEBUG_BUF( 
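Review bot: The error path after `ssl_tls13_make_traffic_key` in `ssl_tls13_generate_early_key` now ends with `return( 0 );`, so a failed key derivation is reported as success and the caller goes on to build a transform from an incomplete key set; it should stay `return( ret );` or jump to a cleanup label. PATCH 400 in this series replaces it with `goto cleanup;`, so squashing that fix into this commit would avoid a bisect point where key-derivation failures are silently ignored. The enclosing function starts outside the hunk.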
@@ -1181,7 +1181,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_make_traffic_key", ret ); - return( 0 ); + goto cleanup; } traffic_keys->key_len = key_len; traffic_keys->iv_len = iv_len; @@ -1196,7 +1196,12 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) ); - return( 0 ); +cleanup: + /* Erase secret and transcript */ + mbedtls_platform_zeroize( + tls13_early_secrets, sizeof( mbedtls_ssl_tls13_early_secrets ) ); + mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); + return( ret ); } int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) From 3861062f6bf5f27dc4e58f5e6de1a1d31572299d Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 28 Nov 2022 10:18:05 +0000 Subject: [PATCH 401/413] Tell cmake to get SKIP_TEST_SUITES from ENV If the variable SKIP_TEST_SUITES is not defined with -D, but is defined in an environment variable, tell cmake to get it from there. Signed-off-by: David Horstmann --- tests/CMakeLists.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 0ef6fdbc4c..ae3d054592 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -107,6 +107,10 @@ endif() # the risk of a race. add_custom_target(test_suite_bignum_generated_data DEPENDS ${bignum_generated_data_files}) add_custom_target(test_suite_psa_generated_data DEPENDS ${psa_generated_data_files}) +# If SKIP_TEST_SUITES is not defined with -D, get it from the environment. +if((NOT DEFINED SKIP_TEST_SUITES) AND (DEFINED ENV{SKIP_TEST_SUITES})) + set(SKIP_TEST_SUITES $ENV{SKIP_TEST_SUITES}) +endif() # Test suites caught by SKIP_TEST_SUITES are built but not executed. # "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar" # but not "test_suite_foobar". From 84bee4c49230ecd50ab6105faf696ff015f03624 Mon Sep 17 00:00:00 2001 
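Review bot: The new `cleanup:` label zeroizes `handshake->tls13_early_secrets` on every path, including success, so nothing later in the handshake may read `client_early_traffic_secret` from the handshake struct; that is good key hygiene but makes the struct field effectively function-local, which deserves a comment where it is used, e.g. `/* Erased before returning: only the derived traffic keys survive this function. */`. On the first `goto cleanup` (after `ssl_tls13_get_cipher_key_info` fails) `transcript` has not been written yet, so the zeroize touches uninitialised stack, which is harmless. On the `ssl_tls13_make_traffic_key` failure path the partially derived keys remain in `*traffic_keys`; the caller's `mbedtls_platform_zeroize( &traffic_keys, ... )` in the PATCH 394 hunk covers that. The enclosing function starts outside the hunk.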
From: Janos Follath Date: Mon, 28 Nov 2022 10:27:14 +0000 Subject: [PATCH 402/413] mbedtls_mpi_mod_write: improve readability Signed-off-by: Janos Follath --- library/bignum_mod.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 74af509ae1..0f2d7e23af 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -230,7 +230,6 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, mbedtls_mpi_mod_ext_rep ext_rep ) { int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; - int conv_ret = 0; /* Do our best to check if r and m have been set up */ if( r->limbs == 0 || m->limbs == 0 ) @@ -240,21 +239,26 @@ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) { - conv_ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m ); - if( conv_ret != 0 ) + ret = mbedtls_mpi_mod_raw_from_mont_rep( r->p, m ); + if( ret != 0 ) goto cleanup; } ret = mbedtls_mpi_mod_raw_write( r->p, m, buf, buflen, ext_rep ); if( m->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY ) - conv_ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m ); + { + /* If this fails, the value of r is corrupted and we want to return + * this error (as opposed to the error code from the write above) to + * let the caller know. If it succeeds, we want to return the error + * code from write above. */ + int conv_ret = mbedtls_mpi_mod_raw_to_mont_rep( r->p, m ); + if( ret == 0 ) + ret = conv_ret; + } cleanup: - if( ret == 0 ) - ret = conv_ret; - return ( ret ); } /* END MERGE SLOT 7 */ From a34d0308cc8dcd86cb974677ab920072a685793a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 28 Nov 2022 10:11:48 +0100 Subject: [PATCH 403/413] test: psa_pake: fix dependency Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_pake.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
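Review bot: `mbedtls_mpi_mod_write` takes `r` as `const mbedtls_mpi_mod_residue *` yet converts `r->p` out of and back into Montgomery form in place; the new comment explains the error precedence well, but the transient mutation is the surprising part and deserves a note near the function (or in its header doc, not visible here), e.g. `/* r->p is temporarily converted out of Montgomery form and restored before returning; the residue must not be read concurrently during this call. */`. The error precedence itself is right: a failed `mbedtls_mpi_mod_raw_to_mont_rep` leaves r in the wrong representation, which is worse than a failed write, so returning `conv_ret` in that case is the safer choice. The enclosing function starts outside the hunk.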
diff --git a/tests/suites/test_suite_psa_crypto_pake.data b/tests/suites/test_suite_psa_crypto_pake.data index 4dd1598c2d..f447ef05bf 100644 --- a/tests/suites/test_suite_psa_crypto_pake.data +++ b/tests/suites/test_suite_psa_crypto_pake.data @@ -99,7 +99,7 @@ depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE PSA PAKE: check rounds w/o forced errors, TLS12_PRF -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PRF ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"abcdef":0:0:ERR_NONE PSA PAKE: check rounds, key is destroyed after being passed to set_password_key From 1ac41dec09aebc2640f899a3e5d5d741337db416 Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Mon, 28 Nov 2022 14:46:30 +0000 Subject: [PATCH 404/413] Add test function for opaque driver (simply returns PSA_ERROR_NOT_SUPPORTED), and address other review comments. Signed-off-by: Aditya Deshpande --- library/psa_crypto.c | 24 ++++++++-------- .../psa_crypto_driver_wrappers.c.jinja | 28 +++++++++++-------- tests/include/test/drivers/key_agreement.h | 20 ++++++------- tests/src/drivers/test_driver_key_agreement.c | 27 ++++++++++++++++-- ...test_suite_psa_crypto_driver_wrappers.data | 2 +- ..._suite_psa_crypto_driver_wrappers.function | 1 - 6 files changed, 65 insertions(+), 37 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index b41307e94c..fe0eaa6f4e 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -5738,11 +5738,11 @@ psa_status_t psa_key_agreement_raw_builtin( const psa_key_attributes_t *attribut #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) case PSA_ALG_ECDH: return( mbedtls_psa_key_agreement_ecdh( attributes, key_buffer, - key_buffer_size, alg, - peer_key, peer_key_length, - shared_secret, - shared_secret_size, - shared_secret_length ) ); + key_buffer_size, alg, + peer_key, peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ) ); #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ default: (void) attributes; @@ -5771,18 +5771,20 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, size_t shared_secret_size, size_t *shared_secret_length ) { - if( !PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) ) + if( !PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) ) return( PSA_ERROR_NOT_SUPPORTED ); psa_key_attributes_t attributes = { .core = private_key->attr }; - return( psa_driver_wrapper_key_agreement( &attributes, private_key->key.data, - private_key->key.bytes, - alg, peer_key, peer_key_length, - shared_secret, shared_secret_size, - shared_secret_length ) ); + return( psa_driver_wrapper_key_agreement( &attributes, + private_key->key.data, + private_key->key.bytes, alg, + peer_key, peer_key_length, + shared_secret, + shared_secret_size, + shared_secret_length ) ); } /* Note that if this function fails, you must call psa_key_derivation_abort() diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 75ac6aa4d0..3ad92aaefb 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja 
@@ -2497,22 +2497,17 @@ psa_status_t psa_driver_wrapper_key_agreement( case PSA_KEY_LOCATION_LOCAL_STORAGE: /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ - #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) - #if defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) status = mbedtls_test_transparent_key_agreement( attributes, - key_buffer, - key_buffer_size, - alg, - peer_key, - peer_key_length, - shared_secret, - shared_secret_size, - shared_secret_length ); + key_buffer, key_buffer_size, alg, peer_key, + peer_key_length, shared_secret, shared_secret_size, + shared_secret_length ); if( status != PSA_ERROR_NOT_SUPPORTED ) return( status ); - #endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ /* Software Fallback */ status = psa_key_agreement_raw_builtin( attributes, @@ -2525,6 +2520,15 @@ psa_status_t psa_driver_wrapper_key_agreement( shared_secret_size, shared_secret_length ); return( status ); +#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +#if defined(PSA_CRYPTO_DRIVER_TEST) + case PSA_CRYPTO_TEST_DRIVER_LOCATION: + return( mbedtls_test_opaque_key_agreement( attributes, + key_buffer, key_buffer_size, alg, peer_key, + peer_key_length, shared_secret, shared_secret_size, + shared_secret_length ) ); +#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ default: (void) attributes; diff --git a/tests/include/test/drivers/key_agreement.h b/tests/include/test/drivers/key_agreement.h index ec6515982e..8f28cefda8 100644 --- a/tests/include/test/drivers/key_agreement.h +++ b/tests/include/test/drivers/key_agreement.h 
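Review bot: The new `PSA_CRYPTO_TEST_DRIVER_LOCATION` case returns the opaque driver's status directly, so `PSA_ERROR_NOT_SUPPORTED` from the opaque driver is final rather than triggering the software fallback used in the `PSA_KEY_LOCATION_LOCAL_STORAGE` case above; that is the right behaviour for opaque keys, whose material is not available to a builtin fallback, but a one-line comment would prevent a future "fix", e.g. `/* Opaque keys cannot fall back to software: the driver's status is final. */`. The case is placed before `default:` and under the same `PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT` / `PSA_CRYPTO_DRIVER_TEST` guards as the transparent path, which keeps the two configurations consistent.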
@@ -59,16 +59,16 @@ psa_status_t mbedtls_test_transparent_key_agreement( size_t shared_secret_size, size_t *shared_secret_length ); -// psa_status_t mbedtls_test_opaque_key_agreement( -// const psa_key_attributes_t *attributes, -// const uint8_t *key_buffer, -// size_t key_buffer_size, -// psa_algorithm_t alg, -// const uint8_t *peer_key, -// size_t peer_key_length, -// uint8_t *shared_secret, -// size_t shared_secret_size, -// size_t *shared_secret_length ); +psa_status_t mbedtls_test_opaque_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ); #endif /*PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_AGREEMENT_H */ diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c index 51301f8f04..3552f48f75 100644 --- a/tests/src/drivers/test_driver_key_agreement.c +++ b/tests/src/drivers/test_driver_key_agreement.c @@ -69,8 +69,8 @@ psa_status_t mbedtls_test_transparent_key_agreement( if( PSA_ALG_IS_ECDH(alg) ) { -#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ - (LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDH) +#if (defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDH)) return( libtestdriver1_mbedtls_psa_key_agreement_ecdh( (const libtestdriver1_psa_key_attributes_t *) attributes, key_buffer, key_buffer_size, 
@@ -103,4 +103,27 @@ psa_status_t mbedtls_test_transparent_key_agreement( } +psa_status_t mbedtls_test_opaque_key_agreement( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *peer_key, + size_t peer_key_length, + uint8_t *shared_secret, + size_t shared_secret_size, + size_t *shared_secret_length ) +{ + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) peer_key; + (void) peer_key_length; + (void) shared_secret; + (void) shared_secret_size; + (void) shared_secret_length; + return( PSA_ERROR_NOT_SUPPORTED ); +} + #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index 74b74da92f..6069a696c2 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data 
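Review bot: `mbedtls_test_opaque_key_agreement` neither increments `mbedtls_test_driver_key_agreement_hooks.hits` nor honours `mbedtls_test_driver_key_agreement_hooks.forced_status`, which the transparent entry point in the same file does, so a driver-wrapper test cannot observe that dispatch actually reached the opaque location. If the stub is intended only as a placeholder, say so with a header comment such as `/* Placeholder: opaque key agreement is not implemented by the test driver; always reports PSA_ERROR_NOT_SUPPORTED. */`; if it is meant to be observable, mirror the transparent entry point with `mbedtls_test_driver_key_agreement_hooks.hits++;` before the `(void)` casts.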
@@ -308,7 +308,7 @@ depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:P key_agreement:PSA_ALG_ECDH:PSA_SUCCESS:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de":"":PSA_SUCCESS raw key agreement through driver: fallback -depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDLTS_PSA_BUILTIN_ALG_ECDH +depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_ECDH key_agreement:PSA_ALG_ECDH:PSA_ERROR_NOT_SUPPORTED:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":"04d12dfb5289c8d4f81208b70270398c342296970a0bccb74c736fc7554494bf6356fbf3ca366cc23e8157854c13c58d6aac23f046ada30f8353e74f33039872ab":"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de":"":PSA_SUCCESS raw key agreement through driver: error diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 7fa3c947ef..5f38614e8b 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -626,7 +626,6 @@ exit: PSA_DONE( ); mbedtls_test_driver_key_agreement_hooks = mbedtls_test_driver_key_agreement_hooks_init(); - } /* END_CASE */ From 1f8afa22a4312f94de639fe3f38bec0da062e316 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 28 Nov 2022 14:32:33 +0000 Subject: [PATCH 405/413] Bignum Mod: improve documentation and style 
Signed-off-by: Janos Follath --- library/bignum_mod.c | 1 - library/bignum_mod.h | 19 ++++++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 0f2d7e23af..7a5539d8da 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -203,7 +203,6 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, { int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; - /* Do our best to check if r and m have been set up */ if( r->limbs == 0 || m->limbs == 0 ) goto cleanup; diff --git a/library/bignum_mod.h b/library/bignum_mod.h index ae486b9b6a..d92f21ee0a 100644 --- a/library/bignum_mod.h +++ b/library/bignum_mod.h @@ -189,10 +189,10 @@ void mbedtls_mpi_mod_modulus_free( mbedtls_mpi_mod_modulus *m ); * equivalent to \p m (in the sense that all their fields or memory pointed by * their fields hold the same value). * - * \param r The address of the residue. It must have exactly the same + * \param[out] r The address of the residue. It must have exactly the same * number of limbs as the modulus \p m. - * \param m The address of the modulus. - * \param buf The input buffer to import from. + * \param[in] m The address of the modulus. + * \param[in] buf The input buffer to import from. * \param buflen The length in bytes of \p buf. * \param ext_rep The endianness of the number in the input buffer. * 
@@ -221,10 +221,12 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, * secret, the caller must ensure that \p buflen is at least * (`m->bits`+7)/8. * - * \param r The address of the residue. It must have as many limbs as - * the modulus \p m. - * \param m The address of the modulus associated with \r. - * \param buf The output buffer to export to. + * \param[in] r The address of the residue. It must have the same number of + * limbs as the modulus \p m. (\p r is an input parameter, but + * its value will be modified during execution and restored + * before the function returns.) + * \param[in] m The address of the modulus associated with \r. + * \param[out] buf The output buffer to export to. * \param buflen The length in bytes of \p buf. * \param ext_rep The endianness in which the number should be written into * the output buffer. @@ -234,6 +236,9 @@ int mbedtls_mpi_mod_read( mbedtls_mpi_mod_residue *r, * large enough to hold the value of \p r (without leading * zeroes). * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep is invalid. + * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough + * memory for conversion. Can occur only for moduli with + * MBEDTLS_MPI_MOD_REP_MONTGOMERY. */ int mbedtls_mpi_mod_write( const mbedtls_mpi_mod_residue *r, const mbedtls_mpi_mod_modulus *m, From a13f5eb7b840cc0d0472eebf5e7c224c8bbf8ec2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 28 Nov 2022 21:30:04 +0100 Subject: [PATCH 406/413] Add missing dependency for the fuzzer-constructed test data Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pkcs7.data | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index c329a771ee..f3cbb628fa 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data 
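Review bot: The retained line `\param[in] m The address of the modulus associated with \r.` still uses `\r`, which Doxygen does not treat as a parameter reference; it should read `\p r`. The new `[in]` annotation for `r` also says its value "will be modified during execution and restored before the function returns", yet the declaration that closes the next hunk (`@@ -234,6 +236,9 @@`) takes `const mbedtls_mpi_mod_residue *r`, and that hunk adds an `MBEDTLS_ERR_MPI_ALLOC_FAILED` return for Montgomery moduli, which suggests the conversion works on an allocated temporary rather than in place. Whichever is true, the text is misleading: if a temporary is used, drop the parenthetical; if `r` really is written and restored, the `const` qualifier misleads callers and a concurrent reader of `r` can observe an intermediate value, so the doc should state that `r` must not be shared with another thread during the call. While there, `if couldn't allocate enough memory for conversion` reads better as `if memory allocation for the conversion failed`.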
@@ -63,9 +63,11 @@ depends_on:MBEDTLS_SHA256_C pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO pkcs7_get_signers_info_set error handling (6213931373035520) +depends_on:MBEDTLS_RIPEMD160_C pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG pkcs7_get_signers_info_set error handling (4541044530479104) +depends_on:MBEDTLS_RIPEMD160_C pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG PKCS7 Only Signed Data Parse Pass #15 From aec08b3f42ac3d21f2134c4e0ce243e05cde3db0 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 29 Nov 2022 15:19:27 +0800 Subject: [PATCH 407/413] fix various format issues Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 3d20ab7303..cef61449b3 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -224,7 +224,8 @@ static int ssl_tls13_make_traffic_key( { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + ret = mbedtls_ssl_tls13_hkdf_expand_label( + hash_alg, secret, secret_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), NULL, 0, @@ -232,7 +233,8 @@ static int ssl_tls13_make_traffic_key( if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + ret = mbedtls_ssl_tls13_hkdf_expand_label( + hash_alg, secret, secret_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), NULL, 0, 
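Review bot: The case `pkcs7_get_signers_info_set error handling (4541044530479104)` still parses `data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der`, the same file as the preceding 6213931373035520 case, so after this commit the two cases are exact duplicates under different names and the input the second title refers to is presumably never exercised. If a data file matching the 4541044530479104 id exists, this line should reference it; if not, the second case can be dropped. Both lines are unchanged context here, so this belongs in a follow-up rather than in this dependency fix.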
@@ -1103,16 +1105,13 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_type_t md_type; - psa_algorithm_t hash_alg; size_t hash_len; - unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - - size_t key_len, iv_len; + size_t key_len; + size_t iv_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; From 37d41c79b8c0420df9fd941f995609d0b3dca0bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 29 Nov 2022 09:39:16 +0100 Subject: [PATCH 408/413] Add ChangeLog entry for DTLS Connection ID MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/dtls-connection-id.txt | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 ChangeLog.d/dtls-connection-id.txt diff --git a/ChangeLog.d/dtls-connection-id.txt b/ChangeLog.d/dtls-connection-id.txt new file mode 100644 index 0000000000..eb9e216c4d --- /dev/null +++ b/ChangeLog.d/dtls-connection-id.txt 
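Review bot: With `transcript[]` removed, the surviving `size_t transcript_len;` and `size_t hash_len;` declarations are justified only if the transcript and hash length are still obtained from somewhere further down; if they are not, they are the same kind of dead locals this hunk removes, and a `-Wunused-variable` build would flag them. Worth a quick check, since the body of `ssl_tls13_generate_early_key` continues outside the hunk.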
@@ -0,0 +1,16 @@ +Features + * Add support for DTLS Connection ID as defined by RFC 9146, controlled by + MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with + mbedtls_ssl_set_cid(). + +Changes + * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05 + of the draft, and was marked experimental and disabled by default. It is + now no longer experimental, and implements the final version from RFC 9146, + which is not interoperable with the draft-05 version. If you need to + communicate with peers that use earlier versions of Mbed TLS, you + need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT to 1, but then you + won't be able to communicate with peers that use the standard (non-draft) + version. If you need to interoperate with both classes of peers with the + same build of Mbed TLS, please let us know about your situation on the + mailing list or GitHub. From b6bc7524f9bd13be11ecdd301bffcd4fee95cd4c Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Tue, 29 Nov 2022 16:53:29 +0000 Subject: [PATCH 409/413] Minor formatting fixes to address code review comments Signed-off-by: Aditya Deshpande --- library/psa_crypto_ecp.c | 14 +++++++------- tests/src/drivers/test_driver_key_agreement.c | 3 +-- .../test_suite_psa_crypto_driver_wrappers.function | 1 - 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index b840426ab5..537a74840e 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c 
@@ -477,16 +477,17 @@ psa_status_t mbedtls_psa_key_agreement_ecdh( uint8_t *shared_secret, size_t shared_secret_size, size_t *shared_secret_length ) { + psa_status_t status; if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( attributes->core.type ) || ! PSA_ALG_IS_ECDH(alg) ) return( PSA_ERROR_INVALID_ARGUMENT ); mbedtls_ecp_keypair *ecp = NULL; - psa_status_t status = mbedtls_psa_ecp_load_representation( - attributes->core.type, - attributes->core.bits, - key_buffer, - key_buffer_size, - &ecp ); + status = mbedtls_psa_ecp_load_representation( + attributes->core.type, + attributes->core.bits, + key_buffer, + key_buffer_size, + &ecp ); if( status != PSA_SUCCESS ) return( status ); mbedtls_ecp_keypair *their_key = NULL; @@ -523,7 +524,6 @@ psa_status_t mbedtls_psa_key_agreement_ecdh( goto exit; if( PSA_BITS_TO_BYTES( bits ) != *shared_secret_length ) status = PSA_ERROR_CORRUPTION_DETECTED; - exit: if( status != PSA_SUCCESS ) mbedtls_platform_zeroize( shared_secret, shared_secret_size ); diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c index 3552f48f75..7c37b03272 100644 --- a/tests/src/drivers/test_driver_key_agreement.c +++ b/tests/src/drivers/test_driver_key_agreement.c @@ -29,7 +29,6 @@ #include "test/drivers/test_driver.h" #include -#include #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) #include "libtestdriver1/include/psa/crypto.h" @@ -50,7 +49,7 @@ psa_status_t mbedtls_test_transparent_key_agreement( size_t shared_secret_size, size_t *shared_secret_length ) { - ++mbedtls_test_driver_key_agreement_hooks.hits; + mbedtls_test_driver_key_agreement_hooks.hits++; if( mbedtls_test_driver_key_agreement_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_key_agreement_hooks.forced_status ); diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 5f38614e8b..b895796441 100644 
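Review bot: Hoisting `psa_status_t status;` to the top of `mbedtls_psa_key_agreement_ecdh` leaves it uninitialised, which is safe today only because nothing between the declaration and `status = mbedtls_psa_ecp_load_representation(...)` jumps to `exit:`; the `exit:` label in the next hunk decides whether to zeroize `shared_secret` based on `status`, so a future `goto exit` inserted before the load would make that decision on an indeterminate value. Other functions on this page seed their status with a corruption sentinel (`int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;` in ssl_tls13_keys.c), and the same idiom fits here: `psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;`. The function body continues outside the hunk.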
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -1,6 +1,5 @@ /* BEGIN_HEADER */ #include "test/drivers/test_driver.h" -#include #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) /* Sanity checks on the output of RSA encryption. From fc2ac75453d6f64d71a9f2972d856d2664d35bba Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Wed, 30 Nov 2022 11:13:00 +0000 Subject: [PATCH 410/413] Fix the name of basic-build-test.sh within the file Signed-off-by: Tom Cosgrove --- tests/scripts/basic-build-test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index 31beb1c213..a96254fd55 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh @@ -1,6 +1,6 @@ #!/bin/sh -# basic-build-tests.sh +# basic-build-test.sh # # Copyright The Mbed TLS Contributors # SPDX-License-Identifier: Apache-2.0 @@ -36,7 +36,7 @@ # # This script has been written to be generic and should work on any shell. # -# Usage: basic-build-tests.sh +# Usage: basic-build-test.sh # # Abort on errors (and uninitiliased variables) From c84b7319410a6d0df6cd1dd259f14ffba31c8806 Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Wed, 30 Nov 2022 14:43:31 +0000 Subject: [PATCH 411/413] Enable test generation from bignum_mod.py Signed-off-by: Werner Lewis --- tests/CMakeLists.txt | 1 + tests/Makefile | 1 + tests/scripts/generate_bignum_tests.py | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index ae3d054592..71dd70b9aa 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt 
@@ -71,6 +71,7 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_core.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_mod_raw.py + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_mod.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py ) diff --git a/tests/Makefile b/tests/Makefile index 0b31cdd076..2d2d70a8f5 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -95,6 +95,7 @@ generated_bignum_test_data: scripts/generate_bignum_tests.py generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_common.py generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_core.py generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_mod_raw.py +generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_mod.py generated_bignum_test_data: ../scripts/mbedtls_dev/test_case.py generated_bignum_test_data: ../scripts/mbedtls_dev/test_data_generation.py generated_bignum_test_data: diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py index c3058e98a9..0b84711861 100755 --- a/tests/scripts/generate_bignum_tests.py +++ b/tests/scripts/generate_bignum_tests.py @@ -66,7 +66,7 @@ from mbedtls_dev import bignum_common # Import modules containing additional test classes # Test function classes in these modules will be registered by # the framework -from mbedtls_dev import bignum_core, bignum_mod_raw # pylint: disable=unused-import +from mbedtls_dev import bignum_core, bignum_mod_raw, bignum_mod # pylint: disable=unused-import class BignumTarget(test_data_generation.BaseTarget): #pylint: disable=too-few-public-methods From 5484e96117cdb050289f4e1507537ee6c196b045 Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Wed, 30 Nov 2022 15:54:44 +0000 Subject: [PATCH 412/413] Add changelog entry 
Signed-off-by: Aditya Deshpande --- ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt diff --git a/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt b/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt new file mode 100644 index 0000000000..b9c78a6459 --- /dev/null +++ b/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt @@ -0,0 +1,5 @@ +Features + * Add a driver dispatch layer for raw key agreement, enabling alternative + implementations of raw key agreement through the key_agreement driver + entry point. This entry point is specified in the proposed PSA driver + interface, but had not yet been implemented. From cff7578822d61943fce9ba7cae14d32f343f605c Mon Sep 17 00:00:00 2001 From: Werner Lewis Date: Wed, 30 Nov 2022 16:34:07 +0000 Subject: [PATCH 413/413] Add imports to bignum_mod Signed-off-by: Werner Lewis --- scripts/mbedtls_dev/bignum_mod.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/mbedtls_dev/bignum_mod.py b/scripts/mbedtls_dev/bignum_mod.py index a604cc0c59..81ece0727e 100644 --- a/scripts/mbedtls_dev/bignum_mod.py +++ b/scripts/mbedtls_dev/bignum_mod.py @@ -14,7 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +from typing import Dict, List # pylint: disable=unused-import + from . import test_data_generation +from . import bignum_common # pylint: disable=unused-import class BignumModTarget(test_data_generation.BaseTarget): #pylint: disable=abstract-method, too-few-public-methods